Trend Micro Incorporated, a security software and solutions company, published its security roundup report H1, 2016, “The Reign of Ransomware”. The report highlighted that over 180 Indian Companies were affected with Business Email Compromise (BEC) Schemes. The report provides extensive data surrounding the rise and impact of attacks, including $3 billion in losses due to business email compromise (BEC) scams so far in 2016, as well as nearly 500 vulnerabilities in a variety of products.
Business Email Compromise (BEC) schemes are scam tactics which compromise business accounts in order to facilitate an unauthorized fund transfer. Today, they are considered one of the most dangerous threats to organizations. As Trend Micro predicted, 2016 has proven to be a year of online extortion through various malicious attack methods.
In total, 79 new ransomware families were identified in the first six months of the year, which surpasses the total number of new families found in all of 2015. Both new and old variants caused a total of US $209 million in monetary losses to enterprises. Ransomware attacks found in the first half of 2016, like BEC scams, originated from emails 58 percent of the time.
“While it’s unfortunate for us, cybercriminals are resilient and flexible when it comes to altering an attack method each time we find a patch or solution,” said Ed Cabrera, chief cybersecurity officer for Trend Micro. “This creates massive problems for enterprises and individuals alike since the threats change as often as solutions are provided. It bodes well for businesses to anticipate being targeted and to prepare accordingly, implementing the latest security solutions, virtual patching and employee education to mitigate risks from all angles.”
The effectiveness of BEC scams lies in the techniques employed against its preferred targets. Attackers are able to deceive victims by combining their knowledge of social engineering techniques and well-researched information about the target. Most of the time, attackers behind BEC scams impersonate people who have access to a company’s finances—may it be a company’s CEO, managing director, CFO, or even financial controller.
Based on our monitoring from January 2016, we observed that BEC scams often targeted CFOs more than any other position in a company. Once attackers had picked someone of authority to spoof, their next move would involve tricking their victims to permit a fund transfer to serve as payment for an invoice or perhaps a legal settlement.
Some attackers include keyloggers in BEC campaigns to steal confidential information they can use for illegal transactions. BEC scams are treacherous. Though their design is extremely simple, the tactics attackers use for a successful BEC campaign is quite complex and effective as it appeals to people’s respect for authority.
Therefore, an effective way to defend against BEC scams should be a mixture of proper employee education and security solutions that will help identify threats even before they reach a person’s inbox. Employees can be considered the last line of defense from BEC scams, so businesses must enact best practices for employees to follow when dealing with emails that urge them to make fund transfers. Some of these best practices may involve carefully scrutinizing emails requesting payment, raising employees’ awareness of the existence of scams such as BEC, and reporting deceitful incidents to law enforcement agencies.
Since most BEC scams do not involve malware, traditional email solutions that only detect emails with malicious links or attachments are not enough to stop BEC. An email solution that is able to flag social engineering techniques is needed to effectively block malicious email messages that are used in BEC campaigns.