The stats are alarming: In 2021, the Internet Crime Complaint Center (IC3) received nearly 20,000 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion.
What's more disturbing is that $2.4 billion signifies a 28% increase over 2020 and an average loss of $25 million, according to Craig Temple of Proofpoint, a leading cybersecurity company that protects organizations' greatest assets and biggest risks: their people.
Proofpoint sponsored a recent SecureWorld webcast titled Preventing Threats by Protecting Against Business Email Compromise on September 20, 2022. Click the link to register and watch the 90-minute presentation on-demand.
In a special pre-recorded presentation to kick off the webcast, Special Agent Abigail J. Tyrrell, U.S. Secret Service, Criminal Investigation Division – Global Investigative Operation Center, says it best why BEC attacks are growing in popularity: "It's low risk for scammers but high reward."
Tyrrell said scammers using BEC schemes do not discriminate by size or type of business; any business transferring funds is and can be a target.
BEC schemes are becoming more sophisticated and are no longer limited to a single fraud scheme, with people being turned into money mules and often not even knowing they are helping criminals launder money and hurting the company they work for or a loved one they think they are assisting.
Tyrrell recalls one victim who lost several hundred thousand dollars by a BEC scheme, then his account was used to launder $1.5 million additional BEC funds. He thought he was investing in a legitimate overseas company tied to a known U.S. company, but it was bad money going after more bad money. Tyrrell and her team were able to get to the bottom of it all, but the elaborate scheme made it much more difficult.
That's where vendors like Proofpoint come in. According to Temple, a Senior Product Marketing Manager, most attacks in today's modern threat landscape are people-centric. They target and fool individuals through impersonation, hijacking real accounts and using social engineering.
Some red flags Temple said companies—better yet, company employees—should watch for include receiving emails from non-company emails, like Gmail; a "lure" tactic asking an employee or company executive "what do you think?"; or an email that appears to come from the CEO but is not from a legitimate email domain.
Some payroll no-nos to watch for are anything claiming a "new bank" being used or the need to move money, and usually with some urgency. Suppliers are a key avenue for fraudsters to take advantage of as hackers pretend to be supply vendors companies work with.
Those schemes use email messaging that plays on urgency to receive payment ("4th notice!"), notify of a payment change to a new ACH/direct deposit/wire transfer account, or invoke fear if action is not taken immediately.
Through machine learning/artificial intelligence (ML and AI), Proofpoint takes a multi-layer approach to stopping bad actors. A new behavioral engine product examines suspicious characteristics of the behaviors of these bad actors.
"Just as attackers get smarter, we get smarter," Temple said. "It's a game of cat and mouse."
Fellow Proofpoint Senior Product Manager, Dave Cook, said reporting is vital when combatting BEC threats. Proofpoint calls BEC attackers "imposters."
Cook said effectiveness reports help monitor trends, identify if threats are BEC or not, list how often attacks are shut down, and allow analysis of trends over time to see if types of attacks are increasing and what types of attacks are becoming more prevalent.
"It's important to know how your organization is being attacked most often," Cook said. "If you know that, then you understand better the tactics you can take to protect yourself."
This helps identify what type of awareness training will help a company most.
Cook said Proofpoint focuses on people-centric data. Are people with access to company funds most vulnerable? Are they targeted more often? Direct outreach to these folks, or controlled phishing campaigns, can be deployed to help prevent attacks down the road.
"Context is king," Cook said. "The numbers alone are not enough."
Applying context to data makes the numbers more relevant and empowers a simple report to become a valuable decision-making tool. This applies to comparing attacks (benchmarking) across a similar industry. For instance, is higher education experiencing the same types of attacks and what are they doing to combat those attacks?
Keith Roberts is the manager of the Cyber Incident Response Team at Abbott, a Proofpoint customer. He's been in several roles involving incident response for seven years.
"The one constant I've seen in those roles is how security operations teams are always moving forward," Roberts said. "We're staying ahead of the adversaries and their tactics."
He said they are doing so through process improvements, tool enhancements, and training of cybersecurity professionals.
He notes that BEC was not much of a thing seven years ago, but it is now pushing ransomware as a top tactic of cybercriminals.
Steps Abbott is taking to mitigate BEC-related threats include involving and interacting with financial teams—cybersecurity is everyone's job—which means increasing the awareness training for financial-related roles (and BEC specific training for those roles). In reality, everyone in the business needs to be aware and be involved, Roberts said.
In order to be effective, it is important for company cybersecurity teams to achieve buy-in from the business—beyond just the IT team.
"We really need to be a security evangelist, a salesperson, and a story teller," Roberts said.
Check out upcoming SecureWorld Remote Sessions webcasts and register today!