Business Email Compromise: More Attacks, More Money Lost
Back in April, we highlighted some sobering statistics from an FBI alert related to phishing attacks known as business email compromise (BEC), which generally result in wire transfer fraud or data breaches of sensitive tax or corporate payroll information. Just over two months later, the news is worse than ever, with reported incidents and lost funds ballooning at an alarming rate.
An FBI public service announcement released earlier this month noted a “1,300% increase in identified exposed losses” since January 2015 for BEC attacks involving fraudulent fund transfers (via wire or check). The June 2016 PSA’s statistics, when compared to the BEC PSA released in August 2015, show a marked increase across the board and offer a fair warning that this cybercrime variant shows no signs of abating:

| August 2015 PSA | June 2016 PSA |
|---|---|
| $1.2 billion in identified exposed losses between October 2013 and August 2015 | Nearly $3.1 billion in identified exposed losses between October 2013 and May 2016 |
| BEC scams reported in all 50 U.S. states and 79 countries | BEC scams reported in all 50 U.S. states and 100 countries |
| 8,179 domestic and international victims between October 2013 and August 2015 | 15,668 domestic and international victims between October 2013 and May 2016 |
| Fraudulent transfers sent to 72 countries | Fraudulent transfers sent to 79 countries |
How to Fight BEC Attacks?
In general, BEC attacks are phishing attacks; as such, “everyday” anti-phishing best practices will help protect your organization against these and other email-based social engineering scams. But because of the costly damages associated with business email compromise and the heightened sophistication level of many of these attacks, organizations that regularly perform wire transfers should take advanced precautions, including the following:
- Emphasize the risk to key personnel – Individuals who hold the keys to the kingdom should absolutely be told…and told again…and told again about the realities and increasing prevalence of BEC attacks. No organization is immune.
- Implement a multilevel approval chain for all fund transfers – This may seem like a no-brainer…but it’s clearly NOT happening in all organizations. More than one person should have to be involved in approving a fund transfer; more eyes on a request means more opportunities to identify fraud. At minimum, executives in your organization should agree to a voice-to-voice confirmation of a transfer request (email shouldn’t cut it), and employees should be instructed to call any outside requestor at a trusted number to obtain voice-to-voice confirmation.
- Immediately question any transfer that routes to Asia – Yes, the FBI’s statistics state that fraudulent payments have been sent to 100 countries. But the PSA also states that the “majority [are sent] to Asian banks located within China and Hong Kong.” Even if — or perhaps especially if — you regularly transfer funds to banks in these countries, all requests should be double (or triple) checked for legitimacy.
- Train at all levels – Some organizations excuse certain portions of their employee base from cybersecurity training — and that is a dangerous game to play. As we’ve noted in the past, cybercriminals are all too eager to attack managers, executives, and employees who have access to valuable data and systems. Social media outlets like LinkedIn have made it easier than ever for social engineers to develop strategic attacks. Knowledge is power…and it could be all that stands between your organization and a multi-million-dollar loss.
Our approach to security awareness training helps improve knowledge retention and drive lasting behavior change. Explore our portfolio of interactive training options, including our new Security Essentials for Executives module. We help you deliver actionable cybersecurity education to employees at all organizational levels.