For as long as the internet has been a primary mode of doing business, cyber criminals have used phishing scams to steal money and information from consumers and businesses. But recently, cyber thieves have innovated new variations on traditional phishing scams such as ransomware and business email compromise.
What is phishing?
Phishing scams occur when criminals pose as a legitimate person or organization to trick people into surrendering money or sensitive information such as passwords or account information. An example of a traditional phishing scam is an email sent by thieves to a consumer that warns that his bank account has been compromised. The thieves provide a link in the email that directs the consumer to a fraudulent website that resembles that of their bank. The consumer then enters sensitive account information, which hackers may use to access accounts or might sell to identity thieves.
In recent months, several high profile cases involving ransomware have emerged, including several attacks on hospitals. Ransomware is a type of malware that locks a business out of its own system by encrypting the company’s data. Once an institution’s access to its system is inhibited, hackers demand large sums of money from the victim before returning the controls. One hospital held out for three weeks as its people tried to find a work-around for their systems, but they were eventually forced to pay thieves $17,000 worth of hard-to-trace bitcoin—the currency of the Dark Web.
Ransomware is often delivered via phishing emails. By some estimates, over 90% of phishing emails now contain some type of ransomware. One of the reasons these types of attacks work is that employees are tricked into clicking on phishing emails, allowing criminals access to their targeted network. Phishing emails remain an effective way for hackers to access networks because they have learned to label the emails in ways that seem relevant to the interests or usual activity of the user.
Business Email Compromise
Another type of email-based cyber-attack that is becoming more frequent is known as the Business Email Compromise, or B.E.C. In this type of scam, a chief financial officer or other personnel who deal in a business’s finances receive an email from a fake CEO asking for a large amount of money to be transferred. Once this amount has been transferred, the scammer will often ask for an even larger transfer. The FBI warns that such attacks are on the rise and estimates that companies lost $2.3 billion in B.E.C. scams from October 2013 to February 2016, with over 17,000 victims.
The emails criminals send to initiate such attacks are often very specific. The thieves are aware of the identity of the CEO and CFO and the types of emails that are typically sent regarding financial transactions. Email addresses used by hackers for B.E.C. are similar to those of the actual CEO/CFO. They look like the real email address but use a different domain or are off by a single character. These strategies make their fraud harder to detect.
Four steps to good cyber hygiene
These two forms of cyberattacks demonstrate that cyber thieves are only becoming more sophisticated and cunning. How can your company defend against these attacks?
1. Principle of least privilege
Use best practices for giving employees access to systems. Employees should have access only to data and networks they absolutely need to do their job – and never more than that. Adhering to this practice can limit the scope of damage from a ransomware attack.
2. Employee awareness
Teach employees to be cautious when responding to emails. Train them to recognize non-standard requests for financial transfers or information. They should check email addresses to make sure they are real before replying. Employees should also verify the identity of the sender of a suspicious email by calling them using a known contact number rather than a number supplied in the email.
3. Multi-factor authentication
Have multiple steps in place for anyone requesting financial transactions. In other words, businesses should have several means at their disposal for verifying the identity of anyone requesting fund transfers, such as email addresses, login codes sent via text message, or phone calls. Most banks have already implemented this practice by requiring phone calls or lag times before money transfers cleared.
Work with your information and technology personnel to see what training and controls are in place to protect the business. Because so much depends on the security of business and customer data, it is so important to make cybersecurity a priority in strategic planning and to work with trusted experts at the forefront of the field to assess and make changes to ensure that you are protected.
While news reports of phishing scams are scary, taking steps to prevent email compromise is absolutely essential in our current technology climate. These four steps are critical to prevent hackers from compromising your business data and financial security.
Umesh Verma is the award-winning CEO and driving force behind Blue Lance, the global provider of cybersecurity governance solutions. For more than 25 years, Blue Lance’s automated software solutions have been protecting digitally managed corporate assets by assessing, remediating, and monitoring security of information systems. Call Blue Lance at 1-800-856-2586 for your 25-point credentials assessment, or get social with us on LinkedIn, Facebook, or Twitter.