Do your users know their cyber security basics?

Reading Time: 5 minutes

Your employees (hopefully) know about the threat of phishing attacks and the damage they can do across a business. If not, it really is time to get them clued up: even a basic level of phishing awareness can be the front line of defense for the firm’s cyber security program.

My team is busy – is it worth the effort?

In short, yes. Business Email Compromise (BEC from here on for brevity) attacks have multiplied threefold over the last three years, and doubled year-on-year in the first quarter of 2019.  

With these growth numbers showing no signs of slowing down anytime soon, it’s really time for businesses to take this threat seriously. This is especially true when you consider that the majority of cyber breaches are triggered through BEC attacks, and mainly against SMBs.

The basics of BEC 

Although dealing with the issue is a complex thing, the basics of BEC are actually as easy as ABC.

BEC is the practice of cyber criminals hacking into or spoofing business email systems with the objective of tricking staff into handing over passwords or financial information, or even paying money directly to the hackers.

How do the hackers do it? 

In practice, the hackers identify targets, usually senior managers or finance personnel with the authority to carry out or authorize wire payments, or with access to the company’s financial information. These approaches are conducted through spear phishing attacks which, to stay with the fishing analogy, cast a net across many employees’ inboxes with malicious links or attachments, in the hope that one or more recipients takes the bait.

Hackers also create fake email accounts specifically designed to hook employees in – so instead of david.smith@companyxyz.com, the email address would be david.smith@companyzyx.com. Because the two addresses look almost identical, unless the busy employee spots the slight discrepancy, there’s every chance that they think it’s from Mr. Smith, the CEO, click the link or attachment, and the hackers are in.

This part of the trick is often carried out with great sophistication: the hackers monitor the writing styles, behaviours and phrasing of their targets’ emails in order to lure other employees into clicking. To do this, cyber criminals use a range of hackers, linguists, writers and other skilled people to convincingly mimic business executives and craft the most effective malicious emails. Once this information has been gathered, they send a range of emails to as large a sample of employees as possible in order to increase the chances of a successful hack.

What forms do BEC attacks take? 

While attacks continue to evolve over time and as methods develop, BEC attacks can be categorized into 5 broad themes: 

  1. Fake invoices designed to look as though they come from suppliers or business partners requesting payment of unpaid invoices (designed to provoke a quick reaction)
  2. Account hacking of an executive’s email account
  3. Attorney impersonation, in which hackers mimic a firm’s lawyers in order to access critical information
  4. C-suite spoofing – this is where hackers impersonate the CEO or another executive to ask more junior employees to make bank transfers or share proprietary information
  5. Data theft – the ‘simple’ act of stealing data from a firm’s employees. This could mean extracting PII from HR staff, or bank details from the payroll department.

So how can you better prepare your business for cyber hacks? 

As we’ve seen in this article, BEC is a real threat to business security and data, and a failure to recognize and adequately prepare for attacks could have devastating consequences for your business. If an attack is successful and funds leave your firm, recovering that money is almost impossible, since the hackers could physically reside anywhere in the world, making tracking and prosecution extremely difficult.

Prevention is therefore much better than a cure. Here are three steps to get started:

  1. Use multifactor authentication for your users’ email accounts
  2. Change email settings at an IT level to flag emails that come from outside the firm
  3. Watch for unexpected auto-forwarding rules set up on a user’s email account
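To show what step 2 can look like in practice, and how it catches the companyxyz/companyzyx trick described earlier, here is an added example (not from the original article or any product) that classifies a message's From: header against the domains a firm owns. The trusted domain, the sample headers and the edit-distance threshold are constructed for illustration.

```python
from email.utils import parseaddr

# Domains the firm actually owns (constructed for this example).
TRUSTED_DOMAINS = {"companyxyz.com"}

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the From: address ('' if unparseable)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def levenshtein(a: str, b: str) -> int:
    """Edit distance; companyxyz.com vs companyzyx.com scores 2 (two swapped letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """'internal' for an owned domain, 'lookalike' if within max_dist edits of one,
    'external' otherwise (including a missing or malformed From: address)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "internal"
    if domain and any(levenshtein(domain, t) <= max_dist for t in trusted):
        return "lookalike"
    return "external"

# Subject banners for anything that did not come from an owned domain (step 2).
BANNERS = {"lookalike": "[SUSPECTED LOOKALIKE DOMAIN] ", "external": "[EXTERNAL] "}

def tag_subject(from_header: str, subject: str) -> str:
    """Prefix the subject with the banner for the sender's classification."""
    return BANNERS.get(classify_sender(from_header), "") + subject

if __name__ == "__main__":
    # Constructed sample headers, including the lookalike address from the article.
    samples = [
        ("David Smith <david.smith@companyxyz.com>", "Q1 figures"),
        ("David Smith <david.smith@companyzyx.com>", "Urgent wire transfer"),
        ("Accounts <billing@supplier-invoices.example>", "Overdue invoice"),
    ]
    for hdr, subj in samples:
        print(f"{classify_sender(hdr):9} {tag_subject(hdr, subj)}")
```

In a real mail gateway the same classification would drive a header or banner rule rather than a printed tag, and the trusted set would include every domain the firm sends from.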

Perhaps most important of all is the adoption and execution of an effective phishing and cybersecurity awareness program for your users. Research from KnowBe4 showed that users with no cybersecurity training opened phishing emails 30% of the time, while only 2% of those with the right level of awareness opened the same emails.

In summary 

Given the increasing rate and sophistication of BEC attacks, it’s vital not to leave your business exposed or your users untrained. A simple but well-executed training plan is essential to alerting your users to the threats, and to prioritizing prevention over cure.

References 

https://www.bbb.org/globalassets/local-bbbs/council-113/media/bbb-explosion-of-bec-scams.pdf 

https://blog.knowbe4.com/heads-up-coronavirus-phishing-attacks-skyrocket-to-30-increase 
