PHISHING
BUSINESS EMAIL COMPROMISE ( BEC ):
A SCAM WHEREBY THE ATTACKER EITHER IMPERSONATES OR TAKES OVER AN EXECUTIVE ’ S EMAIL ACCOUNT IN ORDER TO MANIPULATE COMPANY EMPLOYEES , VENDORS , OR CLIENTS .
BY : BILL PECK , BUSINESS RISK ADVISOR , GENERAL INSURANCE SERVICES sensitive company information . The most elaborate attacks , however , trick victims into voluntarily transferring huge sums of company money to accounts controlled by the scammers . There are three primary BEC tactics : phishing through email impersonation , phishing through email spoofing , and phishing through email account takeover .
PHISHING THROUGH EMAIL IMPERSONATION
A simple email impersonation begins with some social engineering and a few easily acquired tools . For example , fake email accounts are established that closely mimic the company ’ s established conventions , so be wary of lookalike domains : for instance , john @ abccompany . com becomes john @ abcompany . com . From here , the attacker will commonly pose as a senior executive , directing unsuspecting subordinates to carry out the scam , leveraging the power that the real executive holds over them . Variations include , but are certainly not limited to , the following :
• Impersonating vendors or suppliers with phony requests for invoices for goods provided or work performed
• Impersonating an attorney or financial advisor with an important matter
• Reaching out to clients with “ updated ” account numbers for payments
• “ Payroll diversion ” scams where requests are made to an HR Department to change the bank account where an impersonated employee ’ s payroll is to be deposited
PHISHING THROUGH EMAIL SPOOFING
In an email spoof attack , the spoofer has forged an email header in order to trick the recipient into thinking that the email originated from a legitimate source . This works because many email protocols lack built-in authentication of an email ’ s origin . The goal with spoofing is the same as phishing : to trick the recipient into giving up personal information like credit card numbers or passwords , or — worst case — inducing the victim to click on a link which downloads and installs malware on their computer .
PHISHING THROUGH EMAIL ACCOUNT TAKEOVER ( EAC )
The Email Account Takeover is the most sophisticated form of BEC attack . Unlike the scams described above where email messages appear to come from a trusted source , in this scenario , the company ’ s network has suffered a breach , allowing the attacker to take over the actual email account of specific company personnel . Often , cybercriminals will spend time simply observing a breached company ’ s email traffic in order to understand its day-to-day rhythms as well as to mimic the language used by the eventual target . For example , the attacker may wait for a company executive to leave for vacation before emailing a subordinate with an urgent request to transfer money to a “ new ” bank account ( controlled by the attacker ). The Email Account Takeover scenario is the most dangerous as the attacker can “ live ” within the network for an extended period .
FIGHTING BACK
As infuriating as it is that scammers prey upon and manipulate well-meaning , hardworking employees , this is the unfortunate reality . It is essential that basic cybersecurity training is provided at all levels of the organization . Real world examples need to be provided in order to help team members distinguish a phishing email from a legitimate one , and tools such as KnowB4 can be helpful . A cybersecurity assessment is a great way to proactively identify any network vulnerabilities .
Lastly , it is important for business owners to understand that insurance , whether a crime or cyber liability policy , may not help in a BEC event .
Many crime policies have wording that typically does not cover losses from “ voluntary parting ” of property or funds to a third party . So if an employee was tricked into wiring funds to a scammer , coverage is nullified . Furthermore , a Computer Fraud extension will not apply because no “ unauthorized instructions ” were entered into a computer system to electronically manipulate the transaction .
Coverage will generally be available under a Cyber Liability policy only if the network was breached or compromised . So if a fraudulent email leads to a “ successful ” phishing expedition , coverage may not apply . This is why it is important to have a conversation with your advisor to make certain that your coverage protects against phishing and / or BEC attacks . +
Bill was raised in Michigan City . After graduating from Miami University with a BS in Finance , he began a career in banking , working for institutions in South Bend and Chicago . He subsequently received an MBA in Marketing from DePaul University and held positions in the management consulting and financial technology industries . He and his wife , Tami , reside in Chesterton with their two teenaged sons . In his free time , Bill enjoys running , golf , and spending time with his family .
7