More than 180 Indian companies were affected, and $3 billion in losses was reported, due to Business Email Compromise (BEC) schemes, according to “The Reign of Ransomware,” the H1 2016 security roundup report from security software and solutions firm Trend Micro.
The report provides extensive data surrounding the rise and impact of attacks, including $3 billion in losses due to business email compromise (BEC) scams so far in 2016, as well as nearly 500 vulnerabilities in a variety of products.
Business Email Compromise (BEC) schemes are scam tactics which compromise business accounts in order to facilitate an unauthorized fund transfer. Today, they are considered one of the most dangerous threats to organizations. As Trend Micro predicted, 2016 has proven to be a year of online extortion through various malicious attack methods.
In total, 79 new ransomware families were identified in the first six months of the year, which surpasses the total number of new families found in all of 2015. Both new and old variants caused a total of US $209 million in monetary losses to enterprises. Ransomware attacks found in the first half of 2016, like BEC scams, originated from emails 58 percent of the time.
“While it’s unfortunate for us, cybercriminals are resilient and flexible when it comes to altering an attack method each time we find a patch or solution,” said Ed Cabrera, chief cybersecurity officer for Trend Micro. “This creates massive problems for enterprises and individuals alike since the threats change as often as solutions are provided. It bodes well for businesses to anticipate being targeted and to prepare accordingly, implementing the latest security solutions, virtual patching and employee education to mitigate risks from all angles.”
The effectiveness of BEC scams lies in the techniques employed against their preferred targets. Attackers are able to deceive victims by combining their knowledge of social engineering techniques with well-researched information about the target. Most of the time, attackers behind BEC scams impersonate people who have access to a company’s finances, be it the company’s CEO, managing director, CFO, or even financial controller.
Some attackers include keyloggers in BEC campaigns to steal confidential information they can use for illegal transactions. BEC scams are treacherous. Though their design is extremely simple, the tactics attackers use for a successful BEC campaign are quite complex and effective, as they appeal to people’s respect for authority.
Therefore, an effective defense against BEC scams should be a mixture of proper employee education and security solutions that help identify threats even before they reach a person’s inbox. Employees can be considered the last line of defense against BEC scams, so businesses must enact best practices for employees to follow when dealing with emails that urge them to make fund transfers. Some of these best practices may involve carefully scrutinizing emails requesting payment, raising employees’ awareness of the existence of scams such as BEC, and reporting deceitful incidents to law enforcement agencies.