Trend Micro has reported that business email compromise (BEC) attacks are projected to exceed $9 billion in 2018. This is quite an increase when you consider that, less than a year ago, the FBI reported BEC attacks had become a $5.3 billion industry. Eyal Benishti, CEO and Founder at IRONSCALES commented below.
Eyal Benishti, CEO and Founder at IRONSCALES:
“Organisations must realise that employees are being targeted and falling victim to a BEC (business email compromise) attacks as cybercriminals are employing increasingly sophisticated methods to spoof senders and trick employees into performing the criminals bidding. However, many businesses are still not thinking about how they can make their processes resilient in the face of abuse and fraud.
“BEC attacks are proving lucrative and increasingly successful and there are no malicious attachments to strip, no links to analyse. It’s pure social engineering via email trying to redirect large sums of money.
“The problem is these spoofed messages are evading detection to arrive into employees’ inboxes. Raising employee awareness to phishing indicators so fewer are duped to fall for the scam in the first instance is a solid foundation, but alone is not enough. While training might help some to spot badly created communications, with attackers honing their craft it’s not always easy to determine fact from fiction. In addition, no matter how hard you train people, no one is perfect 100% of the time and expecting them to never fall victim is unfair, especially as these communications typically use emotive language that manipulates the user to act quickly which could mean they are pressured into acting first then thinking later.
“Instead organisations need to accept the risk exists and afford employees with tools that will help them identify and therefore not fall for these false communications. Anti-impersonation technology and sender reputation scoring that can monitor communication habits, at the mailbox level, to build a picture of what a user and sender’s normal communications look like. Having established this baseline, anything that detracts is automatically identified and visually flagged as a malicious impersonation attempt. This sounds a warning bell to the user which might make the difference between them questioning the messages intention or blindly transferring large sums of cash to criminals.”