Ransomware is the current golden child when it comes to malicious cyberattacks, but did you know that business email compromise (BEC) attacks cost the world more?
BEC losses during the last five years total at least $36 billion.
In addition to the financial burden and emotional stress, BEC attacks span a wide range of victims, from businesses to individuals, according to Stephen Dougherty, Financial Fraud Investigator for the U.S. Secret Service Global Investigative Operations Center (GIOC). In some cases, business owners can lose everything.
"It's the American dream to make money, and they [a family] were able to set up their own construction company. They were hit with a BEC attack and lost approximately $200,000. Then he wants $1,000 to be used to buy equipment, so that they can fulfill a contract and a job they had. They're unable to purchase that equipment. They were unable to deliver on the contract. They were not paid. And, unfortunately, the company went out of business and that family lost their American dream," Dougherty says.
Ryan Witt, Proofpoint's Managing Director for Healthcare, who joined the SecureWorld webinar, Protecting Healthcare from Email Fraud Attacks, also shared the sentiment that BEC attacks have a larger impact than ransomware.
"Ransomware is kind of one of those kitchen table sort of topics. But the reality is... financially, there's much more harm in the business email compromise, particularly as it's happening within the supply chain."
While Dougherty's and Witt's session did a deep dive into specifics for the healthcare sector, much of what they discussed could translate to safeguarding any industry.
Evolution of the business email compromise attack
BEC attacks start when a bad actor steals information and then uses social engineering techniques to get the victim to transfer funds into an account the attacker controls.
It typically begins with an email thread the victim is already expecting about a financial transaction; that correspondence is then compromised through hacking or other means.
Before the victim knows it, they have been conned into transferring their entire life's savings or some of their business's budget into a malicious hacker's bank account. The Secret Service's Dougherty has many examples of this technique, especially when it comes to real estate.
"I've talked to individuals who have fallen victim to this. They've gone to closing and were told that they were not going to get their home, and unfortunately had already sold their prior home. So they actually ended up being homeless for a period of time because they had lost all their savings. So with those factors, and many more, BEC causes some major threat to the U.S. economy," Dougherty says.
While many of these statistics are tied to healthcare organizations, scrolling through cybersecurity news on any given day shows how all critical infrastructure is being impacted.
Witt says the COVID-19 pandemic is a perfect example of how cybercriminals have evolved and how healthcare has become a main target for cyberattacks.
"[In the beginning], we didn't even call it COVID, we called it novel coronavirus, and WHO (World Health Organization), and we're [The U.S.] launching ethics websites, and then we went to the situation where stimulus was being sent out and a situation where people are trying to get vaccine IDs and why not get a vaccine passport.
Point is, as the news cycle evolved, almost to the day, the attacker techniques evolved.... You can track the news cycle and their tactics almost hand in hand."
In a similar fashion to how sales or marketing people work, cyber scammers figure out demand. But instead of doing something legitimate, they organize a lucrative operation to steal from people based on their needs and desires.
But what security measures can be taken to help stop these attacks before they begin? The SecureWorld News team has compiled a few things you can do at your organization.
5 ways to guard against email fraud cyberattacks
1. Educate and defend against phishing attacks.
Whether it's ransomware, BEC, or many other kinds of cyberattacks, phishing is often the common denominator.
Witt suggests putting a focus on credential phishing, since it is one of the most plausible ways an attacker can get into your system. He also says file sharing services, such as SharePoint, Dropbox, and others, are an easy entry point.
"Look at some of the tactics that were discovered earlier in terms of spoofing email addresses and doing the social engineering to write emails that were very reflective of the recipient email. The email comes from a person, he writes that note to you, he writes an email in a way that the language is natural for that person, and it's reflective of the recipient. He's [the attacker] asking somebody that you would expect asking a question or making an observation or wanting you to do an action that would be expected from that person, and then that action was a follow-up sort of outcome where you need to go get more information, and ultimately file share."
The level of social engineering that goes into these attacks is substantial, and with 96% of attacks having some element of human interaction, it is critical to train and educate your workforce—especially departments that handle money, such as accounting—on how to notice when something does not seem right.
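Witt's description of spoofed sender addresses and emails written to look like they come from a trusted colleague maps onto a few header checks a mail team can run before a message ever reaches accounting. The script below is an added example, not code from the article or from Proofpoint; the organization domain, the protected names, and the four sample messages are constructed, and the edit-distance threshold of 2 for lookalike domains is an assumption to tune for your own environment.

```python
"""Flag inbound messages that look like sender impersonation, using only the
From and Reply-To headers. Added example; every domain, name and message here
is constructed for illustration."""

import re
from email.utils import parseaddr

# Assumed organization domain and the people attackers most often impersonate
# (executives, finance leads). Map display name -> the only address allowed to use it.
ORG_DOMAIN = "example-health.org"
PROTECTED_NAMES = {
    "jane doe": "jane.doe@example-health.org",
    "sam patel": "sam.patel@example-health.org",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches lookalike domains such as examp1e-health.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def check_message(headers: dict) -> list:
    """Return a list of (rule, detail) findings for one message's headers."""
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]

    # Rule 1: display name belongs to a protected person, address does not.
    expected = PROTECTED_NAMES.get(normalize_name(from_name))
    if expected and from_addr != expected:
        findings.append(("display-name-impersonation", f"{from_name!r} sent from {from_addr}"))

    # Rule 2: sender domain is a near-miss of our own domain (threshold is an assumption).
    if from_domain and from_domain != ORG_DOMAIN and levenshtein(from_domain, ORG_DOMAIN) <= 2:
        findings.append(("lookalike-domain", from_domain))

    # Rule 3: replies are diverted to a different domain than the visible sender.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to:
        reply_domain = reply_to.rpartition("@")[2]
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", f"From {from_domain}, replies go to {reply_domain}"))
    return findings


def scan_messages(messages: list) -> list:
    """Run check_message over a batch; result[i] holds the findings for messages[i]."""
    return [check_message(m) for m in messages]


# Constructed sample headers: one clean message and three impersonation patterns.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-health.org>"},
    {"From": "Jane Doe <jane.doe@gmail-example.com>"},
    {"From": "Accounts Payable <ap@examp1e-health.org>",
     "Reply-To": "ap-billing@mail-relay-example.net"},
    {"From": "Sam Patel <sam.patel@example-health.org>",
     "Reply-To": "sam.patel@example-heaIth.org"},
]

if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, scan_messages(SAMPLE_MESSAGES)):
        print(msg["From"], "->", result or "clean")
```

The fourth sample is the case worth drilling into with staff: the From header looks exactly right, and only the Reply-To gives it away, which is why a hardened mail gateway should evaluate that header and not just the visible sender.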
2. Determine who in your organization is the most likely to be targeted.
Money is the ultimate end game for a malicious hacker. According to statistics presented by Witt, the accounting department is the most likely target in the healthcare industry, and likely in other sectors as well, because of their connection to the finances.
"Supplier fraud is really an area of focus for bad actors for a whole lot of reasons. One is they're almost always looking for a monetize angle to their attacks. That monetize angle generally is financially oriented, i.e., they're trying to intercept a wire transfer or trying to get you to buy gift cards or whatever some sort of direct financial outcome they're looking for," Witt says.
3. Be sure to perform due diligence when employees leave your organization.
Old accounts could be an access point for hackers.
"One of these accounts fully taken over were using an old accounts receivable that had been dead for about two years. But all of a sudden, as the attack occurred, they [the hacker] started using that accounts receivable email address, because it wasn't being monitored by anybody," Dougherty says.
Witt also added that accounts with multiple aliases could be a target, including accounts where an employee has left but the rest of the team was not notified.
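Dougherty's example of a dormant accounts receivable mailbox is the kind of thing a periodic audit of an identity or mail export catches early. The script below is an added example, not from the article; the account inventory and dates are constructed, and the 90-day dormancy threshold is an assumption to adjust for your organization.

```python
"""Flag mailboxes nobody is watching: accounts with no recent login, accounts
whose owner has left, and the aliases that still route mail to them. Added
example; the inventory and dates are constructed."""

from datetime import date

DORMANT_DAYS = 90  # assumed threshold; pick one that fits your environment

# Constructed inventory in the shape an IdP or mail-system export typically gives you.
ACCOUNTS = [
    {"user": "ar-shared", "last_login": date(2019, 11, 3), "active_owner": False,
     "aliases": ["accounts.receivable@example-health.org"]},
    {"user": "m.lee", "last_login": date(2021, 9, 20), "active_owner": True,
     "aliases": []},
    {"user": "j.ortiz", "last_login": date(2021, 6, 1), "active_owner": False,
     "aliases": ["billing@example-health.org", "j.ortiz@example-health.org"]},
    {"user": "svc-edi", "last_login": date(2021, 9, 28), "active_owner": True,
     "aliases": ["edi@example-health.org"]},
]


def audit_accounts(accounts: list, today: date, dormant_days: int = DORMANT_DAYS) -> dict:
    """Return {user: {"dormant_days", "owner_left", "aliases"}} for accounts that
    need an owner assigned or should be deprovisioned."""
    flagged = {}
    for acct in accounts:
        idle = (today - acct["last_login"]).days
        owner_left = not acct["active_owner"]
        if idle >= dormant_days or owner_left:
            flagged[acct["user"]] = {
                "dormant_days": idle,
                "owner_left": owner_left,
                "aliases": list(acct["aliases"]),
            }
    return flagged


def aliases_to_reassign(accounts: list, today: date, dormant_days: int = DORMANT_DAYS) -> list:
    """Aliases that currently deliver into a flagged mailbox. These are the
    addresses a supplier or customer may still be writing to, so they should be
    re-pointed to a monitored mailbox rather than silently left in place."""
    flagged = audit_accounts(accounts, today, dormant_days)
    return sorted(alias for info in flagged.values() for alias in info["aliases"])


if __name__ == "__main__":
    today = date(2021, 10, 1)  # constructed audit date
    for user, info in audit_accounts(ACCOUNTS, today).items():
        print(f"{user}: idle {info['dormant_days']} days, owner left: {info['owner_left']}")
    print("re-point these aliases:", aliases_to_reassign(ACCOUNTS, today))
```

Treat the alias list as the actionable output: a dormant mailbox that no longer receives mail is a cleanup task, but a dormant mailbox that external parties still send invoices to is exactly the foothold Dougherty describes.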
4. Put an emergency plan in place early.
As many of us know all too well, once an attacker gets into your organization's network, it could be too late.
Witt said one CISO in the healthcare industry gave the following advice.
"If you are focused on a ransomware attack, you're probably too late because that ransomware attack probably occurred because they got access to your network, into your environment through credential phishing."
Unfortunately, once these attacks are in motion, it can be difficult to stop them unless you act quickly.
Dougherty says there is hope if you move fast, though.
"One of the first things you should do is contact your bank and let them know that the fraud is occurring, what has happened, and hopefully they can get out wire recalls or hold harmless and indemnification.
So definitely contact your bank and immediately stress to the bank contact... if the money goes overseas, financial reporting tool chain can be done within 72 hours above a certain amount, and that's where FinCEN [Financial Crimes Enforcement Network] will notify our financial intelligence unit that just occurred, then they'll help you run that money back."
5. Form a relationship with law enforcement and report cybercrimes.
To date, the U.S. Secret Service has recovered a whopping $180 million in BEC losses.
Dougherty says building a relationship with law enforcement and learning the best procedures for reporting a cybercrime could be part of your community outreach.
Cybercrimes are severely underreported, but here is a great reason why it is critical to report attacks.
"Reporting helps to prevent future attacks. I can't tell you how many times where I've been reported a bank account that was being used with seed funds to go and look in that bank account, and within the same day it received $500,000 from another victim," Dougherty says.
These are just a handful of the ways you can ensure your organization has the best security practices in place. If you missed this Remote Sessions webcast, you can access it on-demand here.