If you were asked about the biggest cybersecurity threats faced by business, what first springs to mind?
Maybe it’s relentless ransomware attacks, with cyber criminals encrypting networks and demanding vast sums for a decryption key – even from hospitals. Or maybe it’s a sneaky malware attack which lets hackers hide inside the network for months on end, stealing everything from usernames and passwords to bank details.
Both of these would be on the list, for sure. These are awful attacks to experience and can cause terrible damage. But there’s another, much simpler form of cyber crime which makes scammers the most money by far – and doesn’t get much attention.
Yet the scale of business email compromise (BEC) attacks is clear: according to the FBI, the combined total lost to BEC attacks is $43 billion and counting, with attacks reported in at least 177 countries.
What makes BEC such a rich opportunity for scammers is there’s rarely a need to be a highly skilled hacker. All someone really needs is a laptop, an internet connection, a bit of patience – and some nefarious intent.
At the most basic level, all scammers need to do is find out who the boss of a company is and set up a spoofed, fake email address. From there, they send a request to an employee saying they need a financial transaction to be carried out quickly – and quietly.
It’s a very basic social engineering attack, but often, it works. An employee keen to do as their boss demands could be quick to approve the transfer, which could be tens of thousands of dollars or more – particularly if they think they’ll be chastised for delaying an important transaction.
In more advanced cases, the attackers will break into the email account of a colleague, your boss or a client and use that real address to request a transfer. Staff are naturally more inclined to believe something that genuinely comes from the account of someone they know. Worse, scammers can watch the inbox, wait for a real financial transaction to be requested, then send an email from the hacked account which contains their own bank details.
By the time the victim realises something is wrong, the scammers have made off with the money and are long gone.
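The two variants just described (a lookalike sender address, and a hijacked thread whose replies are quietly redirected) leave traces in the message headers even when there is no link or attachment to scan. The following is an added example of the kind of screening a mail gateway can do; it is not from this column or from any product. The company domain, the executive names, the urgency terms and both sample messages are constructed for the example.

```python
"""Screen inbound mail for executive impersonation.

Added example, not from the ZDNet column or any vendor product. The company
domain, the executive names and the sample messages are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # assumed internal domain
EXECUTIVES = {"jane doe", "john smith"}        # constructed names, lower-case
URGENCY_TERMS = ("urgent", "quietly", "confidential", "wire transfer", "asap")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' when there is no '@')."""
    return address.rpartition("@")[2].lower()


def assess(raw_message: str) -> list[str]:
    """Return the BEC warning codes raised by one RFC 5322 message, in order."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    findings = []

    # 1. Display name of an executive on a message from outside the company.
    if display_name.strip().lower() in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        findings.append("exec-name-external-domain")

    # 2. Sender domain one edit away from ours (e.g. a digit swapped for a letter).
    if sender_domain != COMPANY_DOMAIN and edit_distance(sender_domain, COMPANY_DOMAIN) == 1:
        findings.append("lookalike-domain")

    # 3. Replies routed somewhere other than the apparent sender's domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to-mismatch")

    # 4. Pressure language typical of a fraudulent payment request.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency-language")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.ceo.private@mail.invalid
To: accounts@example.com
Subject: Urgent wire transfer - keep this quiet

Please pay the attached invoice today and don't discuss it with anyone.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Thursday

Shall we meet at noon?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, assess(sample))
```

None of these signals is proof on its own; the point is that they can be scored and surfaced to the recipient (or routed to a finance reviewer) before anyone acts on the message. A genuinely hijacked internal account will pass checks 1 and 2, which is why the process controls discussed later in the column matter more than any filter.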
What’s most challenging about BEC attacks is that while they are a cyber crime based around abusing technology, there’s actually very little that technology or software can do to stop them, because the problem is fundamentally a human one.
Anti-virus and a good email spam filter can prevent emails containing malicious links or malware from arriving in your inbox. But if a legitimate, hacked account is being used to send plain-text requests to victims, that’s a problem – because as far as the software is concerned, there’s nothing nefarious to detect; it’s just another email from your boss or your colleague.
And the money isn’t stolen by clicking a link or using malware to drain an account – it’s transferred by the victim, to an account they’ve been told is legitimate. No wonder it’s so hard for people to realise they’re making a mistake.
But victim blaming isn’t the answer and isn’t going to help – if anything, it will make the problem worse.
What’s important in the battle against BEC attacks is ensuring that people understand what these attacks are and to have processes in place which can prevent money being transferred.
It should be explained that it’s very unlikely that your boss will email you out of the blue asking for a very urgent transfer to be made with no questions asked. And if you do have concerns, ask a colleague – or even talk to your boss to check whether the request is legitimate. It might seem counter-intuitive, but it’s better to be safe than sorry.
Businesses should also have procedures in place around financial transactions, particularly large ones. Should a single employee be able to authorise a business transaction valued at tens of thousands of dollars? Probably not.
Businesses should ensure multiple people have to approve the process – yes, it might mean transferring finances takes a little longer, but it helps ensure that money isn’t being sent to scammers and cyber criminals. That business deal can wait a few more minutes.
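The controls the column argues for (no self-approval, two approvers above a threshold, and an out-of-band check whenever a vendor's bank details differ from what is on file) can be written down as a release rule that a payments system applies before any money moves. The following is an added example, not code from this column or from any real finance system; the vendor master file, the threshold and the approver names are all constructed or assumed.

```python
"""Dual-control release check for outgoing payments.

Added example, not from the ZDNet column: a minimal model of the approval
process the column argues for. The vendor master file, the threshold and the
approver names are all constructed/assumed.
"""
from dataclasses import dataclass, field

# Assumed policy: anything at or above this amount (in cents) needs two approvers.
DUAL_CONTROL_THRESHOLD_CENTS = 10_000 * 100

# Constructed vendor master file: bank details verified when the vendor was onboarded.
VENDOR_ACCOUNTS = {"Acme Ltd": "GB00-ACME-0001"}


@dataclass
class PaymentRequest:
    vendor: str
    amount_cents: int
    beneficiary_account: str                     # account named in the request/email
    requested_by: str
    details_verified_out_of_band: bool = False   # e.g. a call to a known phone number
    approvals: set = field(default_factory=set)


def approve(req: PaymentRequest, approver: str) -> bool:
    """Record an approval; the requester can never approve their own request."""
    if approver == req.requested_by:
        return False
    req.approvals.add(approver)
    return True


def release_decision(req: PaymentRequest) -> tuple[bool, list[str]]:
    """Return (may_release, blocking_reasons) for a request."""
    reasons = []
    on_file = VENDOR_ACCOUNTS.get(req.vendor)
    if on_file is None:
        reasons.append("unknown-vendor")
    elif on_file != req.beneficiary_account and not req.details_verified_out_of_band:
        # The hijacked-thread pattern: a known vendor, but new bank details.
        reasons.append("bank-details-changed-unverified")

    required = 2 if req.amount_cents >= DUAL_CONTROL_THRESHOLD_CENTS else 1
    if len(req.approvals) < required:
        reasons.append(f"needs-{required}-approvals-has-{len(req.approvals)}")
    return (not reasons, reasons)


def demo() -> list:
    """Walk one large request through the process; returns the two decisions."""
    req = PaymentRequest("Acme Ltd", 50_000 * 100, "GB99-NEW-9999", requested_by="alice")
    approve(req, "alice")          # rejected: self-approval
    approve(req, "bob")
    first = release_decision(req)  # blocked: unverified details, only one approver
    req.details_verified_out_of_band = True
    approve(req, "carol")
    second = release_decision(req)  # released
    return [first, second]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The rule deliberately keeps two separate gates: a change of bank details blocks the payment regardless of amount until someone has confirmed it through a channel the email thread does not control, and the second approver is required purely by value. An attacker who has taken over one mailbox then needs to defeat a phone call and a second person, which is exactly the friction the column recommends.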
Technology can help to a certain extent but the reality is these attacks exploit human nature.
ZDNET’S MONDAY OPENER
ZDNet’s Monday Opener is our opening take on the week in tech, written by members of our editorial team.