Beware of Bogus Emails and Click Bait
The subject line is intriguing and the sender seems familiar, so you click to read more. This is often the first step in compromising your business email. Business Email Compromise (BEC) is a widespread threat to organizations of all sizes. The FBI reports that in 2020, BEC cost American businesses at least $1.8 billion.
Cybercriminals use corporate websites and social media accounts to research their targets. Once they have the target's email address, they send a “phishing” email to the target, hoping he or she will click on the malicious attachment or link in the phishing email, which then runs malicious code. The cybercriminals can then steal login credentials, personal or sensitive information, credit card or bank account data, or spread malware in your organization.
When it comes to BEC attacks, your employees can be your weakest link or your best defense. Therefore, it is important that employees understand how attackers use BEC to easily infiltrate networks and devices. Once a single user’s email is compromised, attackers can use that entry point to leverage further attacks within the organization until they obtain data of critical value, usually highly confidential information about the organization or its clients and customers, including financial information and trade secrets.
So how best to avoid the malicious threats?
Employees are the end users. Microsoft says, “An informed and aware workforce can dramatically reduce the number of occurrences of compromise from email-based attacks. Any protection strategy is incomplete without a focus on improving the level of awareness of end users.”
The simplest way to avoid a costly BEC incident is to train employees to identify red flags so they won’t be tricked into sending out sensitive information or unwittingly sharing their login credentials. Red flags include:
- Emails that ask the recipient to click on a link or open an attachment. The body of the email will often be vague, but will imply either that the recipient forgot to pay an invoice or the author is sending money or goods. The attachment or link may be labeled as an invoice, a receipt, or a tracking notice. Sometimes the email may appear to come from a reputable company, but something about the email address will appear strange (such as “Arnazon.com” instead of “Amazon.com”). Before clicking on any link, hover the mouse over it to see the website it leads to. If the link is labelled “track your package here” but the URL that pops up is not associated with the supposed sender, do not click.
- Another common tactic used by cybercriminals is spoofing the emails of high-ranking individuals in the organization. In this type of attack, the email will appear to come from Jane Doe, CFO, requesting that the recipient send her account information, but again, something about the email address will be incorrect, such as an incorrect spelling or incorrect email domain (such as JaneDoe@gmail.com instead of JaneDoe@company.com). Often, the request will be worded strangely, using a tone or phrases that are not typical for the supposed sender. The email will often contain urgent deadlines and excuses from the sender about why they can’t speak in person (“I’m in an important client meeting and need this information ASAP”). The scammers want the recipient to panic.
- Emails with vague requests (“Can you review an agreement?”) or offers that sound too good to be true (“I need to wire $200,000 to a U.S. company and need your assistance to send it through a U.S. bank”), which usually come from international domains, are also a red flag. Cybercriminals may be using legitimate email addresses that they have compromised through earlier efforts to give the request an air of legitimacy. The cybercriminals are expecting the recipient’s desire to be helpful or to generate business relationships for the organization to override caution and skepticism.
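The red flags above can also be checked mechanically before a message reaches a person. The following is an added example, not code from the original post: it scores a raw email for a lookalike sender domain (the “Arnazon.com” case), an executive's name paired with an outside domain (the “JaneDoe@gmail.com” case), link text whose real destination is a different host, and urgency language. It assumes `company.com` is the organization's own domain, `amazon.com` is a brand employees expect mail from, and “Jane Doe” is an executive whose name might be spoofed; the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "company.com"                 # assumption: our own domain
TRUSTED_DOMAINS = {"amazon.com", COMPANY_DOMAIN}  # assumption: domains we expect
EXECUTIVES = {"jane doe"}                      # assumption: names worth spoofing
URGENCY = re.compile(r"\b(asap|urgent|immediately|wire|deadline)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def squash(domain):
    # Collapse the 'rn' -> 'm' lookalike so "arnazon.com" compares equal to "amazon.com".
    return domain.lower().replace("rn", "m")

def red_flags(raw):
    # Return the red flags found in one raw RFC 822 message (empty list = none found).
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    flags = []
    for trusted in TRUSTED_DOMAINS:        # 1. sender domain mimics a trusted one
        if domain != trusted and squash(domain) == squash(trusted):
            flags.append(f"lookalike domain {domain} (resembles {trusted})")
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:  # 2. spoofed executive
        flags.append(f"display name '{name}' but sender domain {domain}")
    for href, text in LINK.findall(body):  # 3. link text vs. where it really leads
        host = re.sub(r"^https?://([^/]+).*", r"\1", href).lower()
        if host != domain and not host.endswith("." + domain):
            flags.append(f"link '{text}' leads to {host}, not {domain}")
    if URGENCY.search(body):               # 4. pressure to act before verifying
        flags.append("urgency language")
    return flags

# Constructed sample messages (not real mail).
BOGUS_TRACKING = """From: Arnazon Shipping <noreply@arnazon.com>
Subject: Your package is on its way

<a href="https://arnazon-tracking.example/t?id=123">track your package here</a>
"""
CFO_SPOOF = """From: Jane Doe <janedoe@gmail.com>
Subject: Need account info

I'm in an important client meeting and need our bank account information ASAP.
"""
LEGIT = """From: HR <hr@company.com>
Subject: Updated handbook

Please read the new handbook: <a href="https://portal.company.com/handbook">handbook</a>
"""
```

Running `red_flags` over the three samples flags the first two and returns an empty list for the legitimate internal message; the heuristics are deliberately simple and are meant to support, not replace, the employee training the post describes.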
Well-trained employees can be your best defense against BEC attacks. Shareholder Natalie Friend Wilson, who leads the Cybersecurity, Data Protection, and Privacy Practice Group, advises, “Your employees should be well trained and your organization should cultivate a culture of security. Employees should be encouraged and rewarded for implementing their training and avoiding a security mishap, even if it slows down processes or creates incrementally more work.” A slight delay in responding to a legitimate request for sensitive information is a minor inconvenience. Sending sensitive or confidential information to an unauthorized recipient can be a disaster.
October is Cybersecurity Awareness Month, a time to “raise awareness about the importance of cybersecurity across our Nation, ensuring that all Americans have the resources they need to be safer and more secure online,” according to the Cybersecurity & Infrastructure Safety Agency. Training everyone in your organization to recognize Business Email Compromise threats and taking simple precautionary measures can help combat the enormous financial and security threat posed by this cybercrime.
Do Your Part. #BeCyberSmart.