Once again, the FBI is warning enterprises to be on the lookout for sophisticated online scams involving the most popular of legacy technologies — email.
Scams the FBI classifies as “business email compromise” (BEC) accounted for more than $5.3 billion of documented fraud between October 2013 and December 2016, according to a May 2017 FBI alert. More shocking, “between January 2015 and December 2016, there was a 2,370 percent increase in identified exposed losses. The scam has been reported in all 50 states and in 131 countries.”
What I find most troubling is that these sophisticated online attacks are rarely high tech. Rather, social engineering of human weaknesses is evolving. After fraudsters conduct surveillance and learn the details of your office business process, they use a mix of compromised email accounts, impersonation, legitimate communication channels and real business contacts to trick staff into high-dollar fraud.
In simple terms, this is a remake of the 1973 classic movie The Sting with a 21st-century, tech-savvy twist. The bad guys are using a mixture of online messages in cyberspace, along with phone calls, faxes and more to earn your team’s trust. But before we get to solutions, let’s look at how we got into this mess in the first place.
For decades, enterprises have been fighting external threats delivered by email. Remember the Melissa virus, which first appeared in March 1999 and was triggered by opening Microsoft Word documents? Once a PC was infected, the virus would send the document (and therefore itself) in an email message to the first 50 people in the person’s address book.
In 2000 came the ILOVEYOU virus, which was triggered when people clicked on email attachments. ILOVEYOU sent copies of itself to everyone in the victim’s address book and started corrupting files on the victim’s machine.
When more and more enterprises started scanning email attachments for viruses and blocking infected files, Internet attacks evolved and started delivering malware via emails with hyperlinks that led to malicious sites. These email phishing scams arrived in millions of inboxes looking like they were sent by trusted brands like PayPal.
Phishing attacks then evolved into spear-phishing, which refined online attacks by using targeted information and specific data about a company or organization. The latest version, phishing 3.0, is sometimes called “whaling” since it goes after the biggest fish with hyper-targeted attacks, like the FBI alert scenarios. Remember that ransomware and other cyberattacks are still delivered via email attachments and links.
So how can we learn from history and stop BEC before it affects a government near you?
First, constantly educate staff about cutting-edge fraud techniques like BEC. Don’t keep rehashing old security awareness materials and expect to stop online fraud. Update your training as often as you update your smartphone.
The best training is brief, frequent and focused on the issue at hand. Enterprises need to constantly retrain and keep security awareness messages front and center via multiple channels, including newsletters, posters and lessons using gamification.
Second, review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be redone.
Consider new policies related to “out of band” transactions or urgent executive requests. An email from an executive’s Gmail or Yahoo account should automatically raise a red flag to staff members, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well understood by all.
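The red flag described above (an executive's name on a message that arrives from a Gmail or Yahoo account, especially one making an urgent financial request) can be turned into a simple mailbox triage check. The following is an added example written for this column, not code from the author or from the FBI alert; the executive roster, the organization domain `example.gov`, the keyword list and the two sample messages are all constructed for illustration.

```python
"""Flag inbound mail whose display name matches a known executive but whose
sender domain is not the organization's own, with extra weight when the text
carries urgent or financial wording.

Added example (not from the original column). The roster, domain, keyword list
and sample messages below are constructed assumptions.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed roster: display names whose mail should only come from ORG_DOMAIN.
EXECUTIVES = {"jane doe", "john smith"}
ORG_DOMAIN = "example.gov"          # assumed organization domain
# Free webmail providers; the column names Gmail and Yahoo, the rest are added.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Wording typical of the "urgent executive request" the column warns about.
URGENCY_WORDS = ("urgent", "immediately", "wire", "transfer", "confidential")


def check_message(raw: str) -> list[str]:
    """Return red-flag reasons for one RFC 5322 message; empty list means none."""
    msg = Parser(policy=policy.default).parsestr(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags: list[str] = []

    # Executive display name paired with a sender domain we do not own.
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        if domain in FREE_WEBMAIL:
            flags.append(f"executive name '{name}' sent from free webmail domain {domain}")
        else:
            flags.append(f"executive name '{name}' sent from external domain {domain}")

    # Only escalate on urgency wording when the sender already looks suspicious;
    # ordinary internal mail mentions transfers all the time.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if flags and hits:
        flags.append("urgent/financial wording in impersonation candidate: " + ", ".join(hits))
    return flags


def triage(raw_messages: list[str]) -> list[tuple[str, list[str]]]:
    """Return (subject, reasons) for every message that raised at least one flag."""
    results = []
    for raw in raw_messages:
        reasons = check_message(raw)
        if reasons:
            subject = str(Parser(policy=policy.default).parsestr(raw).get("Subject", ""))
            results.append((subject, reasons))
    return results


# Constructed sample messages (not real mail).
SAMPLE_IMPERSONATION = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example.gov
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

I'm in a meeting, please process this wire transfer immediately and keep it confidential.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.gov>
To: staff@example.gov
Subject: Quarterly update
Content-Type: text/plain; charset="utf-8"

Slides attached for Thursday.
"""

if __name__ == "__main__":
    for subject, reasons in triage([SAMPLE_IMPERSONATION, SAMPLE_LEGIT]):
        print(subject)
        for reason in reasons:
            print("  -", reason)
```

The check is a heuristic to route a message to a human, not a verdict: a flagged request still goes through the out-of-band verification procedure the column recommends, and a message that passes (say, one sent from a genuinely compromised `example.gov` mailbox) is exactly why the separation-of-duties controls in the previous step still matter.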
Finally, review, refine and test your incident management and phish reporting systems. After business process expectations are clear, test staff with simulations of incident scenarios. Conduct a tabletop exercise with management, including key personnel, on a regular basis. Test controls and encourage staff recommendations.
Remember, online criminals are always changing and adapting their sophisticated attacks. Are you ready?