PITTSBURGH, PA—(Marketwired – July 28, 2016) – Back in April, Wombat Security Technologies highlighted some sobering statistics from an FBI alert related to phishing attacks known as business email compromise (BEC), which generally result in wire transfer fraud or data breaches of sensitive tax or corporate payroll information. Just a few months later, the news is worse than ever, with reported incidents and lost funds ballooning at an alarming rate.
An FBI Public Service Announcement released in June noted a “1,300% increase in identified exposed losses” since January 2015 for BEC attacks involving fraudulent fund transfers (via wire or check). The June 2016 announcement's statistics, when compared to the BEC announcement released in August 2015, shows a marked increase across the board and offers a fair warning that this cybercrime variant shows no signs of abating:
|August 2015 PSA||June 2016 PSA|
|$1.2 billionÂ in identified exposed losses between October 2013 and August 2015||Nearly $3.1 billionÂ in identified exposed losses between October 2013 and May 2016|
|BEC scams reported in allÂ 50 U.S. states and 79 countries||BEC scams reported in allÂ 50 U.S. states and 100 countries|
|8,179 domestic and international victims between October 2013 and August 2015||15,668 domestic and international victims between October 2013 and May 2016|
|Fraudulent transfers sent toÂ 72 countries||Fraudulent transfers sent toÂ 79 countries|
How to Fight BEC Attacks?
Wombat Security notes that, in general, BEC attacks are phishing attacks; as such, “everyday” anti–phishing best practices will help protect organizations against these and other email–based social engineering scams. But because of the costly damages associated with business email compromise and the heightened sophistication level of many of these attacks, Wombat advises organizations that regularly perform wire transfers to take advanced precautions like the following:
- Emphasize the risk to key personnel — Individuals who hold the keys to the kingdom should absolutely be toldâ¦and told againâ¦and told again about the realities and increasing prevalence of BEC attacks. No organization is immune.
- Implement a multilevel approval chain for all fund transfers — More than one person should be involved in approving a fund transfer; more eyes on a request means more opportunities to identify fraud. At minimum, executives should agree to a voice–to–voice confirmation of a transfer request (email isn't enough of a stop gap, Wombat advises). As well, employees should be instructed to call any outside requestor at a trusted number to obtain voice–to–voice confirmation.
- Immediately question any transfer that routes to Asia — Though the FBI's statistics state that fraudulent payments have been sent to 100 countries, the PSA also states that the “majority [are sent] to Asian banks located within China and Hong Kong.” Even if — or perhaps especially if — an organization regularly transfers funds to banks in these countries, all requests should be double (or triple) checked for legitimacy.
- Train at all levels — Some organizations excuse certain portions of their employee base from cybersecurity training — but Wombat cautions that this is a dangerous game to play. As they've noted in the past, cybercriminals eagerly attack managers, executives, and employees who have access to valuable data and systems. And social media outlets, especially those focusing on professional business networks have made it easier than ever for social engineers to develop strategic attacks. Knowledge is power, Wombat notes, and it could be all that stands between an organization and a multi–million–dollar loss.
Wombat's approach to security awareness training helps improve knowledge retention and drive lasting behavior change. Explore their portfolio of interactive training options, including their new Security Essentials for Executives module. They help deliver actionable cybersecurity education to employees at all organizational levels.