New Form of Cyber Attacks targeting Businesses
The FBI has just released a detailed report on email scams facing businesses, with advice on how to recognize and avoid potential attacks. The report also discusses a growing type of threat called Business Email Compromise (BEC)/Email Account Compromise (EAC). This is a sophisticated scam targeting both businesses and individuals performing wire transfer payments. A single BEC/EAC attack on average costs the business over $84,000. So what are these attacks? How are they executed? And how can you protect yourself and your business from being their next victim?
What are Business Email Compromise (BEC)/Email Account Compromise (EAC) Cyber Attacks?
Business Email Compromise (BEC)/Email Account Compromise (EAC) is a kind of cyber attack where the attacker hacks legitimate business e-mail accounts to conduct unauthorized money transfers. Sometimes the hacker will sneak their way into existing or pending transfers, and other times they create entirely new transfers. They’ll also use the hacked email address to make requests for personal information. For example, they may impersonate the CEO of a company and send an email to someone in HR asking for the social security number or W-2 of an employee. They may also reach out to a company as the CFO of a partner company and request a money transfer that will go directly to the hacker.
These kinds of attacks can be very difficult to identify and can penetrate your network in a wide variety of ways. The FBI reported that from June 2016 to May 2018 there were 19,335 BEC/EAC attacks in the United States and a total dollar loss of $1,629,975,562. That means US businesses are having roughly $2,263,855 stolen from them a day. Each attack ends up costing the victim company on average $84,302.
How to Protect Against BEC/EAC Cyber Attacks
Here are some tips that the FBI provides to help prevent and recognize possible attacks:
- Hover your cursor over, or expand details on, suspicious email addresses, looking for indications of Display Name Deception or Spoofing. For example, maybe the name says “Jim” but the email address of your coworker says “[email protected]”.
- Do NOT hover on links within emails, as simply hovering may execute commands.
- Call a known/trusted phone number or meet in person to confirm that the wire transfer information provided to you matches the other party’s information.
- Does the routing number or SWIFT number provided to you resolve to the expected bank used by the other party? (For example, did you receive a wire transfer request from a Hong Kong based bank when the business you’re doing business with only banks in the United States?) You can verify routing or SWIFT numbers by visiting The Federal Reserve www.FRBServices.org or the American Bankers Association https://routingnumber.aba.com
- Regularly check your email account log-in activity for possible signs of email compromise
- Develop an intrusion detection system to identify emails from extensions that are similar to your company email
- Regularly check your email account for new “rules”, such as email forwarding and/or auto delete
- Be cautious of “new” customers, suppliers, clients and/or others you don’t know who ask you to open or download documents they send, sign in to a separate window, click on a link to view an invoice or document, or provide sensitive personal or corporate information.
- Verify the wire instructions you provide to your customers/clients are accurate for both the pertinent bank and pertinent account. Where did you get the account data? Is this the correct account number?
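The tips on Display Name Deception and on flagging emails from lookalike addresses can be automated on the receiving side. The following is an added example, not from the FBI report or the original article: it assumes a company domain of example.com and a constructed one-person staff directory, and flags From headers whose domain is within two edits of the company domain or whose display name matches a staff member while the address does not.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: replace with your own mail domain
# Constructed directory: display name -> the only address that person uses.
STAFF = {"jim carter": "jim.carter@example.com"}
MAX_EDITS = 2  # domains this close to ours (but not equal) are treated as lookalikes


def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return warning labels for a single From header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Lookalike domain: near, but not identical to, the company domain.
    if 0 < edit_distance(domain, COMPANY_DOMAIN) <= MAX_EDITS:
        findings.append("lookalike-domain")
    # Display name deception: a known name on an address that is not theirs.
    expected = STAFF.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name-mismatch")
    return findings


def scan(headers):
    """Map each suspicious header to its findings; clean headers are omitted."""
    return {h: f for h in headers if (f := check_sender(h))}


# Constructed sample headers (reserved example/test domains only).
SAMPLE_HEADERS = [
    "Jim Carter <jim.carter@example.com>",
    "Jim Carter <jim.carter@examp1e.com>",
    '"Jim Carter" <jcarter.ceo@freemail.test>',
    "Billing <billing@exarnple.com>",
]

if __name__ == "__main__":
    for header, findings in scan(SAMPLE_HEADERS).items():
        print(header, "->", ", ".join(findings))
```

A fixed edit-distance threshold will also flag legitimately similar partner domains, so review hits against an allow-list before blocking.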
Training and Staying Alert
The key to avoiding an attack like this is to stay alert. Most of these attacks can be avoided if you know what to look out for. By following the FBI's tips above and always looking out for the warning signs, you can stay safe. It’s also important to train all of your staff regularly on these principles. This will help to protect your business as well.