[BreachExchange] The Sophisticated Hack: Business Email Compromise

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 24 19:02:55 EST 2016


http://www.jdsupra.com/legalnews/the-sophisticated-hack-business-email-40434/

Gone are the days of the overtly suspicious request from a Nigerian prince
asking for your social security number or a friend needing a loan to get
out of jail in a foreign country. These easily recognizable hacking
attempts have been superseded by a much more dangerous form of
cyber-attack, the Business Email Compromise (BEC). According to the FBI,
from October 2013 to August 2015, over 8,000 businesses fell victim to a
BEC attack for combined losses of over $1.2 billion. The prevalence of BEC
continues to rise dramatically. There was a 270 percent increase in BEC
victims between January and September of 2015.

BEC hacks carefully target employees with the authority to transfer large
sums of money by impersonating their boss, a supplier, or a client and
requesting a wire transfer. This form of the common spear-phishing scam is
highly sophisticated and well planned, a far cry from the emails riddled
with typos that you – and your employees – have come to recognize as hacks.
In some cases, the hacker has infiltrated the corporate email system and is
actually sending emails from a recognized address. In others, there are
such minor modifications in the hacker's email extension, as in
address@companyABC.com vs. address@companyABC.co, that the spoof emails
slip past even the well-trained eye. BEC hackers also research social media
and corporate websites to mimic communication styles and reference
non-fraudulent company matters.

By targeting employees, hackers bypass technical avenues and instead
leverage the human tendency to follow directions and be of service. Indeed,
industry analysts and IT professionals view people as a company’s weakest
link against cyber-attacks. Beyond the immediate financial losses of
fraudulent fund transfers, many states have enacted legislation that
creates a private right of action for victims of a data breach if proper
internet security and notification measures are not taken. If hackers are
able to trick employees into wiring money, they are also able to gain
access to personal information stored on company servers, potentially
magnifying losses.

The good news is that there are pro-active measures that employers can take
to equip their staff to recognize BEC attacks. As a first line of defense,
the FBI recommends requiring telephone or in-person confirmation for fund
transfers. IT teams can create intrusion detection systems to flag emails
with extensions that are similar but not identical to company e-mail.
Finance departments can also provide security by requiring funds transfers
to go through the usual payment process rather than wiring funds to new
accounts. Also, beware of unexpected urgency. Some spoof emails prey on the
natural desire of employees to rush to meet time sensitive requests causing
them to skip important security steps. Cyber security training should be an
ongoing and company-wide priority for employers so that one of their own
employees doesn’t unwittingly give away the keys to the castle.
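The article says IT teams can build detection for sender domains that are "similar but not identical" to the company's own. The script below is an added illustration of one way to do that, written for this post; it is not code from the article, JD Supra, or the FBI. The trusted domains (companyabc.com, acme-supplies.com), the edit-distance threshold, and the four sample messages are all constructed for the example. It parses the From: header of each message, extracts the domain, and flags any domain within two single-character edits of a trusted one (a dropped letter such as companyABC.co, or an "rn" standing in for "m") while leaving exact matches and clearly unrelated domains alone.

```python
"""Flag inbound mail whose sender domain is a near-miss of a trusted domain.

Added example (not from the article): a lookalike-domain check of the kind
the article says IT teams can build into an intrusion detection system.
All domain names and message headers below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical trusted domains: our own company plus a known supplier.
TRUSTED_DOMAINS = {"companyabc.com", "acme-supplies.com"}

# How many single-character edits still count as "suspiciously similar".
# Exact matches are trusted; 1-2 edits is the classic lookalike range.
MAX_EDIT_DISTANCE = 2

# Constructed sample messages: a genuine internal mail, the "dropped letter"
# spoof from the article, an "rn"-for-"m" spoof, and an unrelated sender.
SAMPLE_MESSAGES = [
    "From: CEO <ceo@companyabc.com>\nSubject: Q1 numbers\n\nSee attached.\n",
    "From: CEO <ceo@companyabc.co>\nSubject: Urgent wire\n\nPlease wire $48,000 today.\n",
    "From: Billing <ar@cornpanyabc.com>\nSubject: Updated bank details\n\nNew account below.\n",
    "From: Alice <alice@gmail.com>\nSubject: lunch?\n\nFriday?\n",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions
    needed to turn a into b, computed row by row to keep memory small."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From: header, or '' if absent.
    parseaddr() strips the display name so a friendly 'CEO <...>' label
    cannot hide the real address."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify_sender(domain: str):
    """Return (verdict, closest_trusted_domain, distance).

    verdict is 'trusted' for an exact match, 'lookalike' when the domain is
    within MAX_EDIT_DISTANCE edits of a trusted one, else 'external'."""
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain, 0
    best = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(domain, t))
    dist = edit_distance(domain, best)
    if dist <= MAX_EDIT_DISTANCE:
        return "lookalike", best, dist
    return "external", best, dist


def scan(messages):
    """Classify every message; returns [(domain, verdict, closest, distance)]."""
    return [(d, *classify_sender(d)) for d in map(sender_domain, messages)]


if __name__ == "__main__":
    for domain, verdict, closest, dist in scan(SAMPLE_MESSAGES):
        print(f"{verdict:9} {domain:20} closest={closest} distance={dist}")
```

Only the "lookalike" verdict should generate an alert; "external" mail is simply mail from outside the trusted set. In practice the trusted list would be fed from the company's own domains and its vetted suppliers, and the threshold tuned so that short domains do not collide with one another.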