Feb 17 2016

3 Defenses Against Business Email Compromise

Whaling, the targeted form of phishing aimed at executives and the people who move money for them, is the new threat on the block.

Email fraud is draining U.S. businesses, but employee education, technical email protections and simple out-of-band verification of payment requests can cut the risk.

Known as "whaling" and also as "business email compromise" (BEC), this type of social-engineering attack impersonates or hijacks the email accounts of CEOs and other corporate "whales" in order to trigger fraudulent wire transfers. An FBI public service announcement released in August 2015 states that more than 7,000 U.S. businesses fell victim to BEC scams between October 2013 and August 2015, with exposed losses of nearly $750 million. Counting victims outside the United States, the exposed loss was even more staggering: $1.2 billion.

According to the Internet Crime Complaint Center, BEC schemes can take several forms:

Version 1: The Supplier Swindle

A fraudster, posing as a supplier the business already works with, sends a spoofed email asking that an outstanding invoice be paid to a new account. The business then wires the funds to the fraudster-controlled account.

Version 2: CEO Fraud

A fraudster compromises or spoofs the email account of a high-level executive and uses it to send wire-transfer requests to the internal employees who handle finances.

Version 3: The Compromised Employee Account

A fraudster takes over an employee's email account and uses it to send invoice-payment requests to the customers and vendors found in that employee's contact list. The wired funds land in a fraudster-controlled bank account.

Version 4: Attorney Impersonation

In this more recently identified scheme, a fraudster poses as a lawyer or law-firm representative handling a confidential, "time-sensitive" matter and pressures the victim into transferring funds to a fraudulent account. These requests typically arrive toward the end of the workday or workweek, when the target is least able to verify them.

Not Taking the Bait

A Trend Micro blog post recommends that companies reduce their risk by training staff to recognize and respond to the different styles of BEC attack:

All employees (not just IT managers) need to be familiar with the schemes used to deliver BEC threats. Healthy email habits help: scrutinize every payment-related email (sender address, Reply-To address, unusual urgency or secrecy), confirm any change to payment instructions with a known point of contact through a separate channel before sending money, and delete spam rather than replying to it.

The blog post also suggests that company leadership require a two-step verification process before funds are transferred. Here that means a second, out-of-band approval of the payment request itself, not merely two-factor login to the mailbox. Digital signatures and phone calls can serve as that second step, but the FBI warns that employees should call previously known phone numbers, not numbers supplied in the email in question, since the attacker controls those.

Finally, the Trend Micro post recommends that companies prioritize advanced malware detection and other email security measures that specifically target social engineering, such as flagging messages whose sender or Reply-To does not match the claimed identity.

"Enhanced security, along with a strengthened sense of mischief when it comes to dealing with emails, can help stop and detect cybercriminal attacks that use BEC threat," it notes.
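To make the scrutiny habits and sender checks described above concrete, here is an added example (not code from the article, the FBI or Trend Micro) that applies several BEC heuristics to raw email text: a Reply-To that diverts replies to another mailbox, an executive's display name on an address that is not the one on file, a sender domain that is a typo or homoglyph of the company's own domain or a known vendor's, and urgency or changed-payment language in the body. The company domain, executive list, vendor list and both sample messages are constructed for the illustration.

```python
"""Flag common Business Email Compromise (BEC) indicators in raw email text.

Added example; the domains, names and messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                     # assumed own domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # display name -> real address
VENDOR_DOMAINS = ["acme-supply.com"]                    # vendors known to finance

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential|time[- ]sensitive)\b", re.I)
NEW_ACCOUNT = re.compile(r"\b(new|updated|changed)\s+(bank|account|payment|wire)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold common homoglyphs (0->o, 1->l, 3->e, 5->s, rn->m) so lookalikes collapse onto the real domain."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("0135", "olse"))


def is_lookalike(domain: str, target: str) -> bool:
    """True if domain is not target but is a homoglyph or one-edit variant of it."""
    if domain == target:
        return False
    return normalise(domain) == normalise(target) or edit_distance(domain, target) <= 1


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 822 message; an empty list means none fired."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    hits = []

    # 1. Replies silently redirected to another mailbox (classic CEO-fraud setup).
    if reply_addr and domain_of(reply_addr) != from_dom:
        hits.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    # 2. An executive's display name on an address that is not the one on file.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        hits.append(f"display name '{from_name}' but sender is {from_addr}")

    # 3. Sender domain is a typo or homoglyph of our own domain or of a known vendor.
    for known in [COMPANY_DOMAIN, *VENDOR_DOMAINS]:
        if is_lookalike(from_dom, known):
            hits.append(f"sender domain {from_dom} looks like {known}")

    # 4. Pressure language and changed banking details in the body.
    if URGENCY.search(text):
        hits.append("urgency/secrecy language")
    if NEW_ACCOUNT.search(text):
        hits.append("request to change payment details")
    return hits


# Constructed sample messages: a CEO-fraud attempt and a routine vendor invoice.
CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail.example
To: finance@example-corp.com
Subject: Urgent wire transfer

I need you to process a confidential wire today. Use the new bank account below.
"""

LEGIT_INVOICE = """\
From: Accounts <billing@acme-supply.com>
To: finance@example-corp.com
Subject: Invoice 4471

Please find invoice 4471 attached, due on the usual 30-day terms.
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("Legit invoice", LEGIT_INVOICE)):
        print(label, "->", bec_indicators(sample) or "no indicators")
```

These are triage indicators, not proof: a hit should trigger the phone call to a previously known number that the article describes, and a clean result does not clear a message, because a genuinely compromised executive mailbox passes every one of these checks. The lookalike test also catches dropped or doubled characters (for example a vendor domain with one letter missing) through the edit-distance branch, not only the homoglyph cases shown in the samples.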
