Business email compromise is a massively expensive problem. Here are three tips to make sure your business isn’t the next to take the bait.
Office Hours, our recurring discussion group where we take users' COVID-related questions, continues to generate some really thoughtful submissions. Occasionally, they're so worthwhile we like to take some time to expand on certain topics.
If anything deserves a second look in the era of the coronavirus and work-from-home, it’s the challenge of business email compromise. More than $26 BILLION in losses were reported to the FBI's Internet Crime Complaint Center (IC3) between June 2016 and July 2019 as a result of BEC. That’s almost equal to Cambodia’s entire economic output in 2019.
And the IC3 anticipated in a statement in early April that the problem would only be worsened by the epidemic as cybercriminals seek to capitalize on confusion and uncertainty to steal money or valuable data. So when a user asked what can be done to protect against BEC, yeah, we thought that fell in the category of worthy of expansion.
First, a brief refresher on BEC as an attack tactic. This form of phishing relies on some type of contrived pretext to request a payment or purchase be made on the attacker’s behalf. Probably the most well-known example of this scam involves an urgent request for gift cards to be purchased and sent to “a client.” But since being well-known isn’t an especially desirable accolade for an attack, here’s another, real-world example reported to the FBI:
"A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed 'due to the Coronavirus outbreak and quarantine processes and precautions.' The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed."
It's clear how topical, tricky and ambitious these attacks can be. Here are our top tips for protecting users and businesses from BEC-enabled attacks. (The FBI has some pretty good ones too, covered in the links above.)
1. Slow down
Hook, Line and Sinker: Why Phishing Attacks Work was Webroot’s attempt to understand the psychology behind phishing attacks and why they work so well. By teaming up with researchers and academia, we learned that when context and familiarity (an email from your boss) mix with a sense of urgency (I need this done now!), users tend to lose some of their critical thinking capabilities.
Red flags should include any last-minute changes to formal processes, a sense of urgency added to otherwise routine business dealings, or requests to alter payment information like bank accounts or routing numbers. And don’t forget the basics of spotting a phishing attack: look for spelling errors and overly general language, hover over links before clicking, and verify that the sender’s email address matches who they claim to be.
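The last of those checks is one a mail gateway or triage script can do for you. The FBI case above turned on a sender address that differed from the CEO’s real address by a single letter, and the display name of a message can claim to be an executive while the address underneath is a free webmail account. The script below is an added example, not code from the Webroot post; the directory of known addresses, the domain example-corp.com and the sample From: headers are all constructed for illustration.

```python
"""Lookalike-sender check for BEC triage (added example, not from the post).

Given a small directory of known internal addresses, flag an inbound From:
header when (1) the address is a near-miss of a known address but not that
address, or (2) the display name matches a known person while the address
does not belong to them. All addresses and names below are constructed.
"""
from email.utils import parseaddr

# Constructed directory of known executive addresses (hypothetical domain).
KNOWN_SENDERS = {
    "ceo@example-corp.com": "Dana Rivera",
    "cfo@example-corp.com": "Lee Chen",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the standard row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (0 if equal)
        prev = cur
    return prev[-1]


def check_sender(from_header: str, max_distance: int = 1) -> list[str]:
    """Return red-flag descriptions for one From: header; empty list means no flag.

    max_distance=1 catches the 'one letter changed' case from the FBI report;
    raise it to catch two-character swaps such as 'rn' for 'm', at the cost
    of more false positives on short addresses.
    """
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    flags: list[str] = []
    if addr in KNOWN_SENDERS:
        return flags  # exact match to a known address: nothing to flag here
    for known_addr, known_name in KNOWN_SENDERS.items():
        dist = levenshtein(addr, known_addr)
        if dist <= max_distance:
            flags.append(f"lookalike: {addr} is {dist} edit(s) from {known_addr}")
        if display_name and display_name.casefold() == known_name.casefold():
            flags.append(f"name mismatch: '{display_name}' claimed, but address is "
                         f"{addr}, not {known_addr}")
    return flags


def triage(headers: list[str]) -> dict[str, list[str]]:
    """Run check_sender over many From: headers; map each header to its flags."""
    return {h: check_sender(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample From: headers, one per line.
    samples = [
        "Lee Chen <cfo@example-corp.com>",                      # genuine
        "Dana Rivera <ceo@exanple-corp.com>",                   # one letter changed
        "Dana Rivera <dana.rivera@freemail-example.net>",       # name hijack
        "vendor@supplier-example.org",                          # unrelated third party
    ]
    for header, flags in triage(samples).items():
        verdict = "; ".join(flags) if flags else "no sender red flags"
        print(f"{header!r}: {verdict}")
```

The check is deliberately narrow: it only compares against people your organization already knows are worth impersonating, so it is cheap enough to run on every inbound message and its hits are worth a human look. It complements, rather than replaces, the out-of-band verification described in the next tip.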
2. Don’t trust. Verify
Never use the same channel, in this case email, to verify the identity of the requester as the one where the request was made. Pick up the phone and call. Cybercriminals know it’s tougher to walk down the hall to a colleague’s office these days, so it’s time to hop on the phone. Video chat software is ubiquitous these days, so don’t be afraid to use it to verify that the wire transfer really does need to be made ASAP. Any request involving cash or personally identifiable information warrants this extra caution.
3. Prepare for the inevitable
A BEC scam will eventually target your business, so use all the technology at your disposal to ensure it doesn’t succeed. Machine learning-enabled endpoint security solutions can help identify sites associated with phishing activity. That includes today’s phishing sites, which tend to be active for only minutes or hours.
Next, address the people problem. Train all users to spot these attacks and teach them what they can do to prevent a costly breach of their organization. Webroot testing data shows that phishing simulations have measurable effects on an employee’s ability to spot and stop an attack from succeeding, especially when training is ongoing. Our stats indicate that:
- The average click rate for the first campaign is 11%
- The average click rate for campaigns 2-3 is 8%
- The average click rate for campaigns 7-10 is 6-7%
- The average click rate for campaigns 11-14 is 5%
- The average click rate for campaigns 22-24 is 2%
Compared to a successful BEC attack, the investment in user training is minimal. Were these trainings to be conducted with small businesses across the country, the U.S. economy could prevent the theft of billions of dollars. Often, all it takes is a little awareness of the threats facing users.
Our newest research on phishing attacks and user (over)confidence, “COVID-19 Clicks: How Phishing Capitalized on a Global Crisis,” is out now. Check it out!