Skip to main content

Business email compromise is a massively expensive problem. Here are three tips to making sure yours isn’t next to take the bait.

Office Hours, our recurring discussion group where we take users' COVID-related questions, continues to generate some really thoughtful submissions. Occasionally, they're so worthwhile we like to take some time to expand on certain topics.

If anything deserves a second look in the era of the coronavirus and work-from-home, it’s the challenge of business email compromise. More than $26 BILLION in losses were reported to the FBI's Internet Crime Complaint Center (IC3) between June 2016 and July 2019 as a result of BEC. That’s almost equal to Cambodia’s entire economic output in 2019.

And the IC3 anticipated in a statement in early April that the problem would ­­only be worsened by the epidemic as cybercriminals seek to capitalize on confusion and uncertainty to steal money or valuable data. So when a user asked what can be done to protect against BEC, yeah, we thought that fell in the category of worthy of expansion.

First, a brief refresher on BEC as an attack tactic. This form of phishing relies on some type of contrived pretext to request a payment or purchase be made on the attacker’s behalf. Probably the most well-known example of this scam involves an urgent request for gift cards to be purchased and sent to “a client.” But since being well-known isn’t an especially desirable accolade for an attack, here’s another, real-world example reported to the FBI:

"A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed 'due to the Coronavirus outbreak and quarantine processes and precautions.' The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed."

It's clear how topical, tricky and ambitious these attacks can be. Here are our top tips for protecting users and businesses from BEC-enabled attacks. (And the FBI has some pretty good ones too covered in the links above.)

1. Slow down

Hook, Line and Sinker: Why Phishing Attacks Work was Webroot’s attempt to understand the psychology behind phishing attacks and why they work so well. By teaming up with researchers and academia, we learned that when context and familiarity (an email from your boss) mix with a sense of urgency (I need this done now!), users tend to lose some of their critical thinking capabilities.

Red flags should include any last-minute changes to formal processes, a sense of urgency added to otherwise routine business dealings, or requests to alter payment information like bank accounts or routing numbers. And don’t forget the basics of spotting a phishing attack: look for spelling errors, overly general language, hover over links before clicking, and verify the sender’s email information matches who they claim to be.

2. Don’t trust. Verify

Never use the same channel, in this case email, to verify the identity of the requester as the one where the request was made. Pick up the phone and call. Cybercriminals know it’s tougher to walk down the hall to a colleague’s office these days, so it’s time to hop on the phone. Video chat software is ubiquitous these days, so don’t be afraid to use it to verify that that wire transfer really does need to be made ASAP. Any request involving cash or personally identifiable information warrants this extra caution.

3. Prepare for the inevitable

A BEC scam will eventually target your business, so use all the technology at your disposal to ensure it doesn’t succeed. Machine learning-enabled endpoint security solutions can help identify sites associated with phishing activity. That includes today’s phishing sites, which tend to be active for only minutes or hours.

Next, address the people problem. Train all users to spot these attacks and teach them what they can do to prevent a costly breach of their organization. Webroot testing data shows that phishing simulations have measurable effects on an employee’s ability to spot and stop an attack from succeeding, especially when training is ongoing. Our stats indicate that:

  • The average click rate for the first campaign is 11%
  • The average click rate for campaigns 2-3 is 8%
  • The average click rate for campaigns 7-10 is 6-7%
  • The average click rate for campaigns 11-14 is 5%
  • The average click rate for campaigns 22-24 is 2%

Compared to a successful BEC attack, the investment in user training is minimal. Where these trainings to be conducted with small businesses across the country, the U.S. economy could prevent the theft of billions of dollars. Often, all it takes is a little awareness of the threats facing users.

Our newest research on phishing attacks and user (over)confidence, “COVID-19 Clicks: How Phishing Capitalized on a Global Crisis” is out now, check it out! 

Haste is the main cause of people clicking on dodgy links. If people just slow down and take time to consider their actions, they wouldn’t get caught out.

Training helps, but yes, haste and the fact that in sophisticated BEC campaigns, the attackers might have access to an entire email network and can study the nuance of the conversations flowing through the system. The intent then is to inject themselves into the conversation and then use that relationship and quietly ask for money wire transfers etc… 

 

John 

Haste is the main cause of people clicking on dodgy links. If people just slow down and take time to consider their actions, they wouldn’t get caught out.

I agree. Most of the time simply taking the time to check over a message can save you from compromise. This is a key reason that we push training so hard in our org. “Think before you click” is on everyone's mind. 

Haste is the main cause of people clicking on dodgy links. If people just slow down and take time to consider their actions, they wouldn’t get caught out.

Haste indeed. The number of end users that don't think before they click is frightening. We are having quite a big push with cyber security at the moment as have bought an aging business on archaic platforms with little evolution to suit the clients needs. The number of these clients who are grabbing at the bit to educate their users and update their systems is impressive, all because they haven't really had that proactive approach until now.

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

Where can I get access to this? I've got endpoint protection and dnsp for clients but the ability to provide some training would be good

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

Where can I get access to this? I've got endpoint protection and dnsp for clients but the ability to provide some training would be good

Take a look here Cyber Security Awareness Training for Employees | Webroot

 

I believe that should be what you are looking for. 

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

Where can I get access to this? I've got endpoint protection and dnsp for clients but the ability to provide some training would be good

Take a look here Cyber Security Awareness Training for Employees | Webroot

 

I believe that should be what you are looking for. 

Champion, thank you very much!

Definitely agree that the message is ‘think before you click’!

Haste is the main cause of people clicking on dodgy links. If people just slow down and take time to consider their actions, they wouldn’t get caught out.

I agree. Most of the time simply taking the time to check over a message can save you from compromise. This is a key reason that we push training so hard in our org. “Think before you click” is on everyone's mind. 

Same with us. People panic that they need to act fast without looking at the detail around what they are acting upon.

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

Where can I get access to this? I've got endpoint protection and dnsp for clients but the ability to provide some training would be good

Take a look here Cyber Security Awareness Training for Employees | Webroot

 

I believe that should be what you are looking for. 

Champion, thank you very much!

You should get SAT as a part of your standard offering to clients. We insist on it, if for no other reason that to cover ourselves!

We have SAT as part of our standard offering. It is very helpful, and we’ve had to deal with a lot fewer breaches as a result.

SAT Training is a must!

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

Where can I get access to this? I've got endpoint protection and dnsp for clients but the ability to provide some training would be good

Take a look here Cyber Security Awareness Training for Employees | Webroot

 

I believe that should be what you are looking for. 

Champion, thank you very much!

You should get SAT as a part of your standard offering to clients. We insist on it, if for no other reason that to cover ourselves!

Absolutely. SAT is heavily pushed now. It has to be

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

This is not something new and something easy to try and catch. simple training like what Webroot offer really does help.

Where can I get access to this? I've got endpoint protection and dnsp for clients but the ability to provide some training would be good

Take a look here Cyber Security Awareness Training for Employees | Webroot

 

I believe that should be what you are looking for. 

Champion, thank you very much!

You should get SAT as a part of your standard offering to clients. We insist on it, if for no other reason that to cover ourselves!

It will be moving forward, we are effectively a startup that has bought a company and rebranded, as part of this all systems, services, products etc have been / are being reviewed and updated. 

I never click links. I’ll either enter the company name by hand, or paste the link into a text document for examination first. Takes longer, but I feel safer for it. Scary ones for sure. 

I never click links. I’ll either enter the company name by hand, or paste the link into a text document for examination first. Takes longer, but I feel safer for it. Scary ones for sure. 

Good plan. I often do this first to see what the link is.

Sad you have to.be so untrustworthy.

I never click links. I’ll either enter the company name by hand, or paste the link into a text document for examination first. Takes longer, but I feel safer for it. Scary ones for sure. 

I actually do the very same. Even if it is from a “trusted”: source, I always check before I just simply click. Unfortunately, in the current era we live in, we have to be super paranoid. 

Yep, If you’re not paranoid, you’re not safe!

 

I never click links. I’ll either enter the company name by hand, or paste the link into a text document for examination first. Takes longer, but I feel safer for it. Scary ones for sure. 

Sound advice for anyone that is unsure or wants to air on the side of caution. I will always check a link before clicking it. 

It used to be just an easy step of checking the spelling and grammar as they used to have really poorly written sentences.

nowadays, most scams are written very well and the links look real. Definitely a good idea to go to the main companies site and navigate from there or copy the link into a text document and check

Reply


Terms & Conditions