The FBI estimates that business email compromise scams targeted organizations in 131 countries and resulted in $5 billion in losses over the last three years. Between 2015 and 2016 alone, these losses grew by 2,370 percent. Ironically, however, business email compromise hasn't received as much attention as other attacks like ransomware and remains the least understood cyberattack technique. The likely reason is that business email compromise is a very targeted attack, so the number of victims may be too small to make the news. But the impact per victim is often much higher, and greater awareness is critical. So what exactly is business email compromise?
Using an email address that masquerades as a familiar one — such as a co-worker's or one from a known supplier — attackers gain the trust of recipients, persuade them to open the email, and then instruct them to wire money to a particular account or divulge sensitive information. Because the message often includes real names, correct details, and actual facts while imitating things like company templates, many recipients fall victim to the scheme.
This imitative practice is ultimately what makes business email compromise so dangerous. In order to protect your organization and yourself from this pervasive scam, we at Zix think it is important that you understand it better.
Business Email Compromise in Action
Business email compromise is a highly lucrative scam: the average scheme nets $30,000 per victim. Even the most sophisticated techniques rely only on subtle social engineering that exploits victims' trust. Attackers emulate known senders by making imperceptible changes to the address, such as adding an extra letter. They can also obtain an executive's login credentials, through a series of email scams or from the dark web, and then send emails directly from his or her account, circumventing any user caution. Similar deceptions can be used to gather information from human resources or accounting, which lets attackers craft future emails that are fraudulent in intent yet legitimate in every detail a recipient can check.
Because these techniques rely on known addresses or contacts, they can bypass filters and evade common automated forms of threat protection such as traffic analysis, and attackers can more effectively manipulate users' professional instincts: recipients want to please the company leaders they believe are emailing them; they want to appear helpful to the organization; or they fear they "missed something" and automatically comply with a request that seems simple enough to fulfill. So when it comes down to scrutinizing an email that appears, for all intents and purposes, credible, or handing over something valuable, whether money or information, users are often more inclined to choose the latter.
Defending Your Organization from Business Email Compromise
Given that attacks are dynamic by nature, organizations wanting greater security need to invest in an equally dynamic protection platform. Here are four ways to hone your solutions:
- Be prepared and aware. One of the best protection solutions is not a technical one at all. Organizations should implement policies, prioritize training, and improve organizational culture, because your people can be one of the most thorough lines of defense. Individuals should be required to confirm any transaction through independent approval before wiring money, and educational programs can help people learn how to identify email red flags.
- Be vocal. In addition to training, organizations need to encourage employees to alert Information Technology professionals when a cybersecurity (or supposed cybersecurity) mistake occurs. Being alerted to changes in business email compromise practices can help IT teams moderate training as necessary, and should a breach actually occur, the sooner teams can respond, the more they can mitigate any damage.
- Be up-to-date. Pairing these person-oriented solutions with technical ones adds another layer of authentication to help busy workers and catch inevitable human errors. Tools like impersonation filtering, which should be included in your threat protection solution, ensure that fake messages are flagged and quarantined before they even reach the user.
- Be thorough. Organizations or their threat protection solution should use industry standards, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) signatures and Domain-based Message Authentication, Reporting and Conformance (DMARC), to verify that the sender is legitimate and bolster protection.
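The last item is where most of the mechanical protection lives, and the part practitioners most often get wrong is alignment: SPF or DKIM passing is not enough, the domain that passed must match the domain in the visible From: header, otherwise an attacker's own well-configured infrastructure passes both checks while the From: line still says your CFO. The following is an added example, not code from the original post or from Zix, that applies the DMARC rule to a message's Authentication-Results header. The DMARC records, domains and headers are constructed; the organizational-domain logic is simplified to the last two labels (real implementations consult the Public Suffix List) and the policy lookup does not fall back to the organizational domain's record as a full receiver would.

```python
import re
from email.utils import parseaddr

# Constructed DMARC TXT records as they would be published at _dmarc.<domain>.
# p=reject is the strongest policy; p=none only asks receivers to send reports.
DMARC_RECORDS = {
    "examplecorp.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@examplecorp.com",
    "acme-supplier.com": "v=DMARC1; p=none; rua=mailto:dmarc@acme-supplier.com",
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_auth_results(header: str) -> dict:
    """Extract SPF/DKIM results and the domains they authenticated from an
    Authentication-Results header (RFC 8601 format)."""
    spf = re.search(r"\bspf=(\w+)", header)
    mailfrom = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    dkim = re.search(r"\bdkim=(\w+)", header)
    d = re.search(r"header\.d=([^\s;]+)", header)
    return {
        "spf": (spf.group(1) if spf else "none", mailfrom.group(1) if mailfrom else ""),
        "dkim": (dkim.group(1) if dkim else "none", d.group(1) if d else ""),
    }


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_header: str, auth_results: str) -> str:
    """Return 'pass', the From: domain's requested action ('none', 'quarantine',
    'reject') when authentication fails, or 'no-policy' if it publishes no record."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        return "no-policy"
    tags = parse_tags(record)
    results = parse_auth_results(auth_results)
    spf_status, spf_domain = results["spf"]
    dkim_status, dkim_domain = results["dkim"]
    # DMARC passes if at least one mechanism passes AND its domain aligns with From:.
    spf_ok = spf_status == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_status == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Constructed headers: a genuine message, then one sent from unrelated infrastructure.
    genuine = "mx.examplecorp.com; spf=pass smtp.mailfrom=bounce.examplecorp.com; dkim=pass header.d=examplecorp.com"
    unrelated = "mx.examplecorp.com; spf=pass smtp.mailfrom=other.example; dkim=pass header.d=other.example"
    print(dmarc_disposition("Jane Doe <jane.doe@examplecorp.com>", genuine))    # pass
    print(dmarc_disposition("Jane Doe <jane.doe@examplecorp.com>", unrelated))  # reject
```

Two things worth noticing when running it: the second message passes SPF and DKIM and is still rejected, because neither authenticated domain aligns with examplecorp.com; and a supplier publishing p=none gets a disposition of "none", meaning the receiver is asked only to report, so a spoofed invoice from that supplier's domain still reaches the mailbox. That is why the list above pairs these standards with impersonation filtering and independent approval of wire transfers rather than relying on them alone.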
At Zix, we know that a proactive and complete approach is the only way to combat business email compromise. Through a combination of human and technical solutions, as well as consistent updating of cybersecurity strategies, organizations can address any gaps in protection that may exist and stay ahead of highly motivated hackers. Without such a framework to support you and your team, it won't be a matter of whether your systems get breached but when.