Cyber Criminals Target Business Email in Growing Cyber Threat
Author: Jeff Weeks, Sr. Vice President and Chief Information Security Officer, FNBO
Over 306 billion business emails were sent in 2020, according to information published by Statista. That number is anticipated to rise to over 361 billion by 2024.
With so many work-related communications hurtling through cyberspace, business email has become a primary target for criminal hackers seeking access to critical organizational information, including financial accounts. In fact, the FBI's Internet Crime Report for 2019, the most recent year for which statistics have been published, reports that business email compromise (BEC) now accounts for half of reported cybercrime losses.
As cyber criminals become more sophisticated in their approach, it is important for business owners and their employees to understand the nuances of a BEC attack and be prepared to defend their organization against dangerous cyber criminals.
Understanding How a BEC Attack Works
BEC is particularly dangerous because the criminals behind the attack don't rely on the more easily detectable methods of compromising an organization, such as viruses and malware. Instead, they use legitimate-sounding emails to trick company employees into granting access to sensitive information or to business systems and accounts.
When launching a BEC attack, criminals rely on internet research of company employees to identify a target and to gather information about the individual, such as the name of the person’s boss, their responsibilities within the organization and any personal information that could be valuable. From there, attackers plan a sophisticated assault that could take many forms.
For instance, attackers have been known to send emails that appear to come from a vendor the business already works with, indicating that the vendor's payment address has changed. Once the business updates this information in its accounts payable system, payments are sent to the attacker instead of the legitimate vendor.
Attackers have also been known to send urgent emails to employees while posing as a boss or executive. The emails ask for an immediate money transfer to cover an emergency. In this case, attackers usually compromise the impersonated individual's actual email account, so the message really does originate from inside the company and employees have little reason to doubt it.
As attackers grow more sophisticated, so do their schemes, making it increasingly difficult to recognize fictitious email communications. However, most attacks employ some common elements:
- Brevity: Emails tend to be very short, usually only a couple of sentences, and often indicate that they have been sent from a mobile device.
- Urgency: Many attackers present a scenario requiring urgent action, giving the individual little time to think, and often pressuring them to bypass employer policies.
- Wrong tone of voice: Attackers may be sending an email from the email address of a business leader, coworker or vendor, but the tone or style does not sound like them.
- Changing details: Any included payment instructions will differ from those already on file, such as requesting an immediate payment to a different bank.
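The warning signs above can be turned into a first-pass triage check that runs before a payment-related email ever reaches accounts payable. The following script is an added example written for this article, not code from FNBO or the author; it scores a message on brevity, urgency, policy-bypass language and payment details that differ from what is on file (tone of voice is left to a human reviewer). The vendor records, keyword lists, threshold and sample messages are all constructed for illustration and would need to be replaced with your own vendor master data and tuned to your mail.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed vendor master data standing in for the accounts-payable system
# (assumption: your AP platform can export sender domain -> payment details on file).
VENDORS_ON_FILE = {
    "acme-supplies.example": {"bank_account": "123456789", "routing": "011000015"},
}

# Illustrative keyword lists, not a vetted corpus; tune them to your own mail flow.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today", "wire")
MOBILE_SIGNATURES = ("sent from my iphone", "sent from my mobile", "sent from my android")
POLICY_BYPASS = ("don't go through", "skip the", "no need to verify", "keep this between")
HOLD_THRESHOLD = 4  # constructed cutoff: at or above this, route for callback verification


@dataclass
class Email:
    from_addr: str
    subject: str
    body: str


def score_bec_risk(msg: Email) -> tuple[int, list[str]]:
    """Return (risk score, reasons) based on three of the article's four warning signs."""
    score = 0
    reasons: list[str] = []
    text = msg.body.lower()

    # Brevity: a very short body, often carrying a mobile-device signature.
    sentences = [s for s in re.split(r"[.!?]+", msg.body) if s.strip()]
    if len(sentences) <= 3:
        score += 1
        reasons.append(f"brevity: only {len(sentences)} sentence(s)")
    if any(sig in text for sig in MOBILE_SIGNATURES):
        score += 1
        reasons.append("sent-from-mobile signature")

    # Urgency: pressure to act now, or to step around the normal approval path.
    urgent = [t for t in URGENCY_TERMS if t in text]
    if urgent:
        score += 2
        reasons.append("urgency: " + ", ".join(urgent))
    if any(p in text for p in POLICY_BYPASS):
        score += 2
        reasons.append("asks to bypass policy or keep the request quiet")

    # Changing details: an account number in the body that differs from the vendor record.
    accounts = re.findall(r"\b\d{8,12}\b", msg.body)
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    on_file = VENDORS_ON_FILE.get(domain)
    if accounts and on_file is None:
        score += 2
        reasons.append("payment details from a sender with no vendor record")
    elif accounts and on_file is not None:
        changed = [a for a in accounts if a not in set(on_file.values())]
        if changed:
            score += 3
            reasons.append("payment account differs from file: " + ", ".join(changed))
    return score, reasons


def triage(msg: Email) -> str:
    """Decide whether the message can be delivered or must be verified out of band first."""
    score, _ = score_bec_risk(msg)
    return "hold for out-of-band verification" if score >= HOLD_THRESHOLD else "deliver"


# Constructed sample messages modelled on the two scenarios described in the article.
SUSPICIOUS_VENDOR = Email(
    from_addr="pat.jones@acme-supplies.example",
    subject="Updated remittance info",
    body="Hi, we switched banks. Please send today's payment to account 987654321 immediately. Sent from my iPhone",
)
SUSPICIOUS_EXEC = Email(
    from_addr="ceo@company.example",
    subject="Quick favor",
    body="I need you to process a wire right away. I'm in meetings all day, don't go through the usual approval. Keep this between us.",
)
BENIGN = Email(
    from_addr="pat.jones@acme-supplies.example",
    subject="March invoice",
    body="Hi team, attached is the invoice for March. Payment to our usual account 123456789 by the end of the month is fine. Let me know if you need anything else. Thanks, Pat.",
)

if __name__ == "__main__":
    for sample in (SUSPICIOUS_VENDOR, SUSPICIOUS_EXEC, BENIGN):
        score, reasons = score_bec_risk(sample)
        print(f"{sample.subject!r}: score={score} -> {triage(sample)}; {reasons}")
```

The score is a triage aid, not a verdict: a benign internal note that happens to quote an invoice number will trip the "no vendor record" rule, and a well-crafted BEC email can avoid every keyword. Its value is in forcing the "changing details" case, a payment account that does not match the vendor record, into a hold queue where a person confirms the change with the vendor through a contact method already on file rather than one supplied in the email.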
It's important to educate yourself and your employees on these warning signs so that scammers can be stopped in their tracks. The FBI reports that BEC attacks have cost business organizations, domestically and abroad, $26 billion in losses, so it is important to understand how these attackers operate and how to identify fictitious emails that could result in compromise.
You can learn additional tips to protect your business from BEC by visiting the FNBO Security Center, particularly the Business Online Safeguards and Commercial Takeover Victims sections, at www.fnbo.com/security-center/.
About the Author
Jeff has been with First National Bank of Omaha for 21 years and is currently the Senior Vice President and Chief Information Security Officer. His executive leadership and oversight of the development, management and execution of information security for First National Bank of Omaha enable the company to protect the private, personal information and assets of its clients, employees and business partners.
Jeff is a member of FS-ISAC (Financial Services Information Sharing and Analysis Center) and PPISC (Payments Processor Information Sharing Council), MBCA Advisory Board (Mid-Size Bank Coalition of America), FishTech Advisory Board, Bellevue University Advisory Board, Minneapolis CISO Advisory Board, and he was recently appointed as an FNBO Board member. Over the course of his career, he has been awarded several professional certifications including Certified Information System Security Professional (CISSP).
The articles in this blog are for informational purposes only and not intended to provide specific advice or recommendations. When making decisions about your financial situation, consult a financial professional for advice. Articles are not regularly updated, and information may become outdated.