High-profile ransomware incidents such as the WannaCry and NotPetya outbreaks have grabbed headlines this year, but according to networking vendor Cisco the rise of ‘business email compromise’ (BEC) often represents a more significant financial threat for organisations.
“BEC scams are aimed at big targets — and big targets have fallen victim to them, even though such organizations may have mature threat defenses and safeguards against fraud,” state’s Cisco’s midyear cyber security report.
“Both Facebook and Google have been victims of BECs and wire fraud. Because BEC messages don’t contain malware or suspect links, they can usually bypass all but the most sophisticated threat defense tools.”
Figures from the FBI’s Internet Crime Complaint Centre (IC3) reveal that between October 2013 and December 2016 it received more than 24,000 complaints from US and international victims of BCE with a combined exposed dollar loss of almost US$1.6 billion (‘exposed dollar loss’ includes actual and attempted loss).
However, drawing on multiple sources IC3 says it is aware of more than 40,000 BCE incidents in that same timeframe with a combined exposed dollar loss in excess of US$5 billion.
In contrast, ransomware has been estimated to cost around US$1 billion a year in the US, according to Cisco.
“BEC differs from other email-based threats because it generally involves impersonating an authorised or credentialed person within a company to direct another person whom has financial authority to transfer funds outside of the company, generally to an offshore account,” said Anthony Stitt, general manager of security for Cisco Australia and New Zealand.
“For example, a CFO emailing a financial controller requesting urgent payment of an invoice. Unlike other forms of email threats, BEC doesn’t involve technical exploitation via malware attachments or links to malicious websites, which one might normally associate or expect with phishing.
“Essentially, the fraudsters are attempting make an illegitimate request look legitimate, with the sums of money often comparably large, which is another key differentiator of BEC to other email-based security threats.”
Stitt said that Cisco hasn’t complied figures for the impact of BEC on Australia, but anecdotally the company knows of big, small and medium organisations hit by the scam.
“At Cisco, we’ve spoken to organisations that have been the target of such attacks or traps, with large sums involved — four, five, six, seven, eight figures — although most requests commonly fall in the $25,000 to $50,000 range,” he said.
The target of BEC can be anyone with the credentials to conduct or authorise a transfer of funds, with criminals often performing substantial research to target the right individual with the right messaging, he said.
“At Cisco, we have also seen hybrid attacks, whereby the criminals have clearly infiltrated ‘accounts payable’ and have knowledge of invoice numbers, regular payments, realistic payment amounts, etc.” he added.
“This means their email requests are often appear legitimate, with just a change in payee account for example, which may be missed for whatever reason.”
The nature of BEC means that technical solutions often aren’t enough to protect a business, though there are measures, such as implementing two-factor authentication for fund transfer approvals, than can reduce the likelihood of an organisation falling victim.
“Awareness training is essential,” Stitt said. “This needs to occur at all levels of business or within an organisation, from the CEO down, it needs to be tailored to the person or group based on their role or function. Regular testing of staff proficiency in recognising threats must also take place.
“Employees or users need to remain vigilant and analytical to requests for access, approvals, transfers and actions involving financial transfers or commitments.”
“Emails, text messages and even phone calls need to be verified and treated as though they are suspect,” he added.