
Your biggest cybercrime threat has almost nothing to do with technology



If you were asked about the biggest cybersecurity threats businesses face, what would come to mind first?

Maybe it's non-stop ransomware attacks, with cybercriminals encrypting networks and demanding large sums of money for a decryption key – even from hospitals. Or maybe it's a sneaky malware attack that allows hackers to hide inside the network for months on end, stealing everything from usernames and passwords to banking details.

Both of these should definitely be on the list: they are terrible attacks to experience and can do horrendous damage. But there is another, much simpler form of cybercrime that makes scammers the most money by far – and gets little attention.

But the scale of business email compromise (BEC) attacks is clear: according to the FBI, the total lost to BEC attacks is $43 billion and counting, with attacks reported in at least 177 countries.

What makes BEC such a rich opportunity for scammers is that it rarely requires a highly skilled hacker. All someone really needs is a laptop, an internet connection, a little patience – and nefarious intent.

At the most basic level, all a scammer needs to do is figure out who the boss of a company is and set up a fake email address. From there, they send a request to an employee saying they need a financial transaction done quickly – and quietly.


It's a very basic social engineering attack, but it usually works. An employee who wants to follow their boss's orders can quickly approve a transfer, which can run into the tens of thousands of dollars or more – especially if they think they will be punished for delaying an important transaction.

In more advanced cases, attackers break into the email account of your colleague, boss, or client and use their real email address to request a transfer. Not only do employees tend to be more trusting of something that really does come from someone they know, but scammers can also watch inboxes, wait for a real financial transaction to be requested, then send an email from the hacked account containing their own banking details.

By the time the victim realizes something is wrong, the scammers have already taken the money and are long gone.

The most challenging thing about BEC attacks is that, while this is a cybercrime based on the misuse of technology, there is really little that technology or software can do to help stop the attacks, because it's basically a human problem.

A good anti-virus and email spam filter can prevent emails containing malicious links or malware from reaching your inbox. But if a legitimate account that has been hacked is being used to send requests to victims using nothing but the text of an email, that's a problem: as far as the software is concerned, there is nothing nefarious to detect. It's just another email from your boss or your colleague.

And the money wasn't stolen by clicking a link or using malware to drain the account – it was transferred by the victim to an account they believed to be legitimate. No wonder it's so hard for people to realize they're making a mistake.


But blaming the victim is not the answer and won’t help – if anything, it will only make matters worse.

What matters in the fight against BEC attacks is ensuring that people understand what these attacks are, and that processes are in place that can prevent the funds from being transferred.

It should be explained that it is very unlikely that your boss will email you with a very urgent transfer request with no questions asked. And if you're really worried, ask a coworker – or even talk to your boss to ask if the request is genuine. It seems counter-intuitive, but it's better to be safe than sorry.

Businesses should also have procedures in place around financial transactions, especially large ones. Should a single employee be able to authorize a business transaction worth tens of thousands of dollars? Surely not.

Businesses should make sure multiple people approve the process – yes, that can mean transferring funds takes a little longer, but it helps ensure that money isn't sent to scammers and cybercriminals. That business transaction can wait a few more minutes.

Technology can help to a certain extent but the reality is that these attacks exploit human nature.

ZDNET'S MONDAY OPENER

ZDNet's Monday Opener is our opening take on the week in tech, written by members of our editorial team.
