With employees now an organization's new perimeter, savvy cybercriminals have shifted their focus to social engineering attacks such as Business Email Compromise and Email Account Compromise, and businesses are facing huge financial losses as a result. Adenike Cosgrove, Director of Cybersecurity Strategy for International at Proofpoint, tells us how organizations can use technology and training in tandem to prevent these types of attacks, enabling a true people-centric security model.
Let's talk email risks – how much of a problem are BEC and EAC attacks?
Today's threat landscape is fundamentally characterised by social engineering. We've seen an almost 100% shift to criminals targeting individuals, socially engineering people to do something, whether that's click on a link, download an attachment, enable macros to install malware, or just sending a simple text email, pretending to be people in positions of authority and getting people to wire money or send data directly to the criminals. Business Email Compromise (BEC) attacks have been dubbed one of cybersecurity's most expensive threats. In 2019, AIG, a cyber insurance company, stated that BEC overtook ransomware in terms of cyber insurance claims across the EMEA region, while in the US, the FBI stated that between June 2016 and July 2019, there were losses of more than US$26 billion to BEC and Email Attack Compromise (EAC) attacks.
Can you talk us through what these types of attacks entail?
BEC attacks are pure social engineering – there's nothing to sandbox, no payload to analyze, no URL to click through. Typically, it's an email that is pure text, coming from someone that we trust, either an executive or a supplier or someone we've done business with before. And it's fundamentally trying to trick someone into sending money or data. We see five key examples of BEC attacks:
1. Gift carding. In this scenario, a criminal poses as an executive or supervisor with authority requesting assistance to purchase a gift card for staff or clients. The executive asks for serial numbers so they can email them out right away and they are delivered straight to the criminal.
2. Payroll re-direct. Criminals pretend to be executives and send an email to the HR department requesting to change or update direct deposit information from a legitimate employee bank account to the fraudster's account or a prepaid card account. The future salary will be paid directly into the criminal's bank account.
3. Supplier invoicing. Here, criminals impersonate a legitimate vendor your company regularly does business with and send an invoice. They claim to have new bank details which future invoices should be paid into. But again, that money is being sent directly to the cybercriminal.
4. Mergers and acquisitions. Someone typically junior in finance receives an email from the CEO or the CFO stating there is an urgent acquisition and that the money is needed immediately so the acquisition can be closed.
5. Shipping re-directs. Criminals send a phishing email to somebody within the organization claiming to be a supplier whose shipping address has
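Because these five scenarios carry no payload or URL, a mail filter has to reason about who the message claims to come from and what it asks for. The following triage rule is an added example, not Proofpoint's product logic or anything from the interview; the organisation domain, executive names, supplier domains and sample messages are all constructed assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the protected organisation's domain, the senior staff a
# BEC actor would pose as, and the supplier domains the business already pays.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "raj patel"}
KNOWN_SUPPLIERS = {"acme-parts.example"}

# One phrase list per BEC scenario named in the interview.
SCENARIOS = {
    "gift_card": [r"gift ?cards?", r"serial numbers?"],
    "payroll_redirect": [r"direct deposit", r"payroll", r"update my (bank|account)"],
    "supplier_invoice": [r"new bank details", r"invoice", r"remit(tance)? to"],
    "acquisition": [r"acquisition", r"close the deal", r"wire .*immediately"],
    "shipping_redirect": [r"shipping address", r"ship(ped)? to"],
}

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def _hits(text: str, scenario: str) -> int:
    return sum(bool(re.search(p, text)) for p in SCENARIOS[scenario])

def analyse(raw_message: str) -> dict:
    """BEC pairs a claimed identity with a money/data ask; alert only when both are present."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    dom = _domain(addr)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    identity = []  # cues that the sender is not who the display name suggests
    if display.strip().lower() in EXECUTIVE_NAMES and dom != INTERNAL_DOMAIN:
        identity.append("executive name on external address")
    if reply_to and _domain(reply_to) != dom:
        identity.append("Reply-To domain differs from From")
    if dom not in KNOWN_SUPPLIERS and any(
            difflib.SequenceMatcher(None, dom, s).ratio() >= 0.8 for s in KNOWN_SUPPLIERS):
        identity.append("look-alike supplier domain")
    scenario = max(SCENARIOS, key=lambda s: _hits(text, s))
    hits = _hits(text, scenario)
    return {"identity": identity, "scenario": scenario if hits else None,
            "suspicious": bool(identity) and hits > 0}

# Constructed sample messages, one per demonstrated case (not real mail).
GIFT_CARD = "From: Jane Doe <jane.doe@freemail.example>\nSubject: Quick favour\n\nCould you pick up gift cards for the team? Send me the serial numbers as soon as you have them."
LOOKALIKE_INVOICE = "From: Accounts <billing@acme-part.example>\nSubject: Invoice 4471\n\nPlease find our invoice attached. Note our new bank details for all future payments."
BENIGN = "From: Raj Patel <raj.patel@example.com>\nSubject: Invoice reminder\n\nReminder: supplier invoice approvals are due Friday."
```

The benign internal reminder mentions an invoice but carries no identity cue, so it is not flagged; the two impersonation samples are.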
People as the new perimeter: Preventing social engineering attacks
40 INTELLIGENTCIO NORTH AMERICA www.intelligentcio.com