FBI Cyber Scam Warning: BEC Scams Cost Businesses $215 Million over 14 Months
The FBI recently issued a warning pertaining to a growing problem which is seeing businesses targeted by attackers using compromised email accounts as the springboard for diverting company funds meant for legitimate vendors. GDF’s founder weighs in on the warning and how social engineering testing can help raise user awareness against attacks like these, as well as other types of email based attacks.
Email correspondence is second nature in today’s digital world because of all the inherent advantages it affords. Among those advantages, it provides a dated written record which can easily be located and reviewed at any time, it can be sent in the middle of the night and will be waiting for the recipient whenever they next check their mail, and it can be accessed from just about anywhere in the civilized world on a host of different devices. So it’s no wonder that for most businesses today it is an integral part of daily operations. But what happens when an email account is hacked?
The FBI released a warning for businesses last week, on January 22nd, about a type of scam dubbed the BEC (Business Email Compromise), which they tabulated to have cost businesses worldwide $215 million in losses over 14 months, almost $180 million of which was suffered by US businesses alone. While the BEC scam seems to specifically target businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments, “the lessons that need to be learned apply to any kind of business that uses email as part of their daily routine,” says Joe Caruso, the founder and CEO/CTO of Global Digital Forensics (GDF), a premier national provider of cyber security solutions headquartered in New York City.
“First and foremost, cyber scams, like most confidence jobs, depend on leveraging trust,” says Caruso. “Compromised email systems and accounts give scammers ample ammunition to do just that, gain the trust of a user, or users, within an organization to help them achieve their endgame, which can be anything from long term cyber espionage campaigns to actual money heists, any of which can devastate a business. Just think about everything you do through email correspondence on a daily basis, and then imagine all of the information you divulge to trusted recipients falling into the wrong hands, the recent Sony hack being a great recent example. They’ll see your invoices, they’ll know when you are going on vacation, they’ll see who you trust and how you interact with each other, they’ll have account numbers and other inside information on your vendors, investors and every other relationship you’ve used email to communicate with. Put all that information in the hands of a motivated hacker and the sky really is the limit to the damage they can do. Spear phishing at that point really turns into something more akin to shooting fish in a barrel.”
Test, Assess, Address
“Spam, phishing and spear phishing have long been the leading ways intruders initially infiltrate business networks, but spotting those bogus emails is getting harder every day, and if they have insider information gleaned from a compromised email account, that task becomes exponentially harder,” warns Caruso. “That’s why we offer an optional social engineering component to our professional penetration testing offerings, because if we can help you test, identify and educate the weakest part of any cyber security chain, individual users, it will significantly strengthen the organization’s overall cyber security posture. The lessons learned from our social engineering testing can help everyone in an organization improve their ability to distinguish between real and fake correspondence, and if we can get that done, they can then easily use old-school easy-factor authentication – pick up the phone and call the right party for verification. That simple ‘if you doubt it, call about it’ approach can save more headaches and hardships than you can imagine, without killing your budget. The key is getting everyone on the same page on what to watch out for, which we help organizations with every day.”
“The cyber threat landscape is constantly evolving and it can be a daunting challenge to keep up with it all if it is not your prime focus every single day,” says Caruso, “but it is our main focus and it’s what we do best. So give us a call and talk to our experienced security specialists about customized solutions that can help you keep you doing what you do best.”
The Right Experts for the Job
Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.