According to the 2022 Data Breach Investigations Report by Verizon, more than 82% of breaches involve a human element. And from experience, we know that the human element that is enabling the majority of these breaches is email.
The number of cyberattacks reported so far in 2022 is alarming, and all organizations must make more effort to secure their systems and information. Cyberattacks delivered via email are known as phishing. Phishing emails are the primary attack vector for about 65% of all cyberattacks. According to the Federal Bureau of Investigation in the United States, phishing attacks are likely to increase annually by 400%.
Why Is Business Email Being Targeted?
Owing to the increasing adoption of remote work after COVID-19, employees of many organizations now communicate via email more than ever before. With email, an employee can send information to one or more recipients over telecommunication links between computers, using dedicated software or a web-based system. Email helps to close the communication gap between the internal and external staff of a company. However, this means of communication exposes companies to cyberattacks, since it involves a large number of devices and people.
Only a few companies have sat down to think things through and put adequate security measures in place. Cybercriminals are always alert, looking for loopholes in technology systems, including business emails, which several companies depend on for communication. One method cybercriminals use to commit crimes amounting to millions of dollars is the Business or Corporate Email Compromise (BEC) or Email Account Compromise (EAC).
What Types of Businesses Are Targeted?
According to the Federal Bureau of Investigation (FBI), Business Email Compromise is a sophisticated global scam targeting small to large businesses. The FBI describes it as one of the most financially damaging online crimes. It has affected numerous companies, causing huge losses. These email compromises will likely continue to rise unless companies implement checks to mitigate them.
What Platforms Are Most Vulnerable?
These business email attacks are not particular to any email system or platform; they are platform-agnostic. The attackers know enough about the platform in use to adjust their delivery method and can convince the target to log in to their Office 365, Gmail, or Amazon SES account, but attacks are happening across the board.
These fraudulent emails usually look authentic and legitimate, mimicking the actual situations in which money ought to be paid out, except that this time it goes into the hands of the criminals. Cybercriminals can do this because they carefully monitor their victims long before they initiate the scam. After this, they may send spear-phishing emails to obtain confidential information from unsuspecting victims, send from slightly altered email addresses (spoofing), or use malware to gain access to valuable information.
Cybercriminals often use the following strategies:
- Compromising the email of one employee of the business and leveraging that account to reach other contacts in a seemingly more legitimate way.
- Targeting big businesses by exploiting public information to develop a profile of the company and its executives.
- Employing spear-phishing emails and phone calls to target employees of a victim company, most often the finance department. Through manipulation and social engineering, they persuade the employees that they are conducting a legitimate business transaction which requires certain access credentials or sensitive information.
What Is at Risk When It Comes to Business Email?
Business Email Compromise is the costliest form of cybercrime, as reported in the Hidden Costs of B2B Payments Fraud, the November edition of the B2B Payments Fraud Tracker Series. Beyond the monetary costs, there is also reputational damage to the victim company, as clients may be sceptical about doing business with the company. That is because these Business Email Compromise incidents happen with the help of company insiders or employees with malicious intent.
We recently did a test with a large credit union, which has over $1 billion in assets under management. Of the roughly 400 emails sent out using a phishing email from a lookalike domain, I was able to get 30 different people to enter their credentials, and at least 27 of them actually work on the credit union’s internal network.
It is important to note that:
- Besides company executives, employees in the financial department are most targeted.
- Spoofed emails closely mimic legitimate addresses.
- Personal email accounts get hacked more often than business emails.
- Fraudulent messages often coincide with the business travel dates of executives whose emails were spoofed. This is a common strategy.
- Fraudulent requests for money transfers are well-drafted and specific to the business. That way, it seems like a regular business transaction with a regular client.
What Can Be Done to Prevent Business Email Breaches?
Since cybercriminals are always so meticulous, what measures should businesses take to protect their email communications and prevent themselves from falling victim to their schemes?
Mark Unsolicited Emails as Spam or Junk
Companies should ensure that their security system has a strong firewall and monitoring solution handled by well-trained IT staff. These would help filter out future spam, flag suspicious-looking emails, and possibly alert security experts to email accounts that have been spoofed or hacked.
Check Addresses, Subject Lines, and the Copy of the Email for Anything Suspicious
Often, the only difference between a fraudulent email and a legitimate one is a single letter in the address. Other times, the difference lies in the content of the email. Fraud is therefore easy to detect if employees are meticulous when checking emails. They should maintain a high level of suspicion and take nothing for granted.
Only Open Emails from Recognized Senders
As a precaution, only emails and attachments from recognized senders should be opened. Attackers send emails, PDFs, and audio files with malicious intent, and any computer user who opens them risks falling victim to a cyberattack. Hence, when you receive an email with an unexpected attachment, you should avoid opening it, delete it, and report it to your information security team.
Verify Unfamiliar Links Before Clicking
Properly check all links to ensure they point to a legitimate URL that matches the originating domain of the email. That can be done by right-clicking on the link and inspecting every character that makes it up. Being careful is far better than exposing the company to cyberattacks that could lead to huge losses.
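The two checks above (a sender address that differs from a trusted one by a single letter, and links whose domain does not match the sender's) can be automated at a mail gateway or in a SOC triage script. The following Python example is added here and is not code from the original article: it parses a constructed sample message, flags sender domains that are an edit distance of one from an allowlisted domain or that match one after common homoglyph substitutions (it generalizes the single-letter case to digit-for-letter swaps such as `1` for `l`), and then reports any link whose registrable domain differs from the sender's. The trusted-domain list, the sample messages, and the helper names are all assumptions made for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist of partner domains (hypothetical, for illustration only).
TRUSTED_DOMAINS = {"example-corp.com", "example-bank.com"}

# Common visual substitutions seen in lookalike domains. Multi-character
# entries are applied first so "rn" becomes "m" before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]

# Constructed sample: lookalike sender plus an off-domain link (not a real message).
SAMPLE_PHISH = """\
From: "Accounts Payable" <ap@examp1e-corp.com>
To: finance@example-corp.com
Subject: Updated bank details for invoice 4471
Content-Type: text/html

<p>Please review the updated remittance details at
<a href="http://login.examp1e-corp.com/portal">our portal</a>, download the
<a href="https://files.example-storage.test/remit.pdf">remittance form</a>,
and confirm by end of day.</p>
"""

# Constructed sample: legitimate message whose links stay on the sender's domain.
SAMPLE_LEGIT = """\
From: "Accounts Payable" <ap@example-corp.com>
To: finance@example-corp.com
Subject: Invoice 4471 received
Content-Type: text/html

<p>Thanks, the invoice is visible at
<a href="https://portal.example-corp.com/invoices/4471">the portal</a>.</p>
"""


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(domain: str) -> str:
    """Undo common lookalike substitutions. A legitimate domain that really
    contains digits would also be rewritten, so treat a match as a signal, not proof."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def registrable_domain(host: str) -> str:
    """Simplification: keep the last two labels. A public-suffix list would be
    needed for domains such as example.co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_lookalike(domain: str):
    """Return the trusted domain this one imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if normalize_homoglyphs(domain) == trusted or levenshtein(domain, trusted) <= 1:
            return trusted
    return None


def extract_link_hosts(html: str) -> list:
    """Pull hostnames out of href attributes in an HTML body."""
    hosts = []
    for url in re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def analyze(raw_message: str) -> dict:
    """Return the sender domain, whether it is allowlisted, and a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    sender = addr.rpartition("@")[2].lower()
    findings = []
    lookalike = find_lookalike(sender)
    if lookalike:
        findings.append(f"sender domain {sender!r} resembles trusted domain {lookalike!r}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for host in extract_link_hosts(html):
        if registrable_domain(host) != sender:
            findings.append(f"link host {host!r} does not match sender domain {sender!r}")
    return {"sender_domain": sender, "sender_trusted": sender in TRUSTED_DOMAINS,
            "findings": findings}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyze(sample)
        print(name, result["sender_domain"], result["findings"] or "no findings")
```

In practice the allowlist would be fed from the vendor master file, and a hit on either check should route the message to human review rather than block it outright, since a legitimate partner can also link to a third-party document service.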
Be Careful of the Info You Share Online
Often, we choose passwords and security answers from things we hardly forget, like our birthdays, pet names, schools attended, and related events. By posting content like that on social media, you may be giving cybercriminals all the information they need to guess your password and answer your security questions. Hence, company owners and employees should not post such sensitive information online or on social media.
Use Business Emails Only for Business
Free web-based emails are not adequate for business purposes. Using a firm’s website domain with connected email accounts is recommended for all company transactions and communications. Also, companies should undertake regular malware checks and antivirus updates.
Use Multi-Factor Authentication
With multi-factor or two-factor authentication in place, someone with malicious intent who does not also hold the second factor (such as the PIN) cannot access company information protected by it. That extra layer of security goes a long way toward strengthening the company’s security system.
Always Check Payment and Purchase Requests
Payment verification can be done in person or by phone to confirm that the request is legitimate. Also, verify any change in payment procedures or account numbers with the person or company making the request, using contact details you already hold rather than those in the email.
Be Wary of Pressure from the Requestor
Cyber attackers often want company employees to do their bidding as soon as possible. Hence, they make it seem like the transaction must be done urgently to avoid negative consequences. When a requestor is putting so much pressure on you and wants you to act fast, be extra careful and verify before you go ahead with that transaction.
Act Quickly If a Compromise Is Suspected
Precautions should always be in place. But if there is a business email compromise, the company must act quickly to limit the damages. They should contact their financial institution immediately to report the incident. It is good practice to contact the local FBI field office and submit a complaint to their Internet Crime Complaint Center (IC3).
Cybercriminals nowadays are meticulous, putting in the effort to research their victims. A good number of data breach incidents originate from business email compromise. Hence, the importance of educating employees to spot the signs of a compromise cannot be overstated.