Employees send and receive dozens of emails every day and, although the majority are innocuous, buried among them are more and more fake emails that can damage companies in a myriad of ways. This is one of the findings of the report 2018 Email Fraud Landscape, which has uncovered an alarming figure: 6.4 billion fraudulent emails are sent every day. If we also take into account the fact that, according to Cofense, 91% of all cyberattacks start with a phishing email, there can be no doubt that email is the highest-risk attack vector for companies. Similarly, 81% of heads of corporate IT security have detected an increase in the number of attacks getting in through this channel. But what are the most dangerous phishing scams, and how can we avoid them?
BEC: a costly scam
As we have previously explained on this blog, a BEC (Business Email Compromise) scam is a type of phishing attack where cyberattackers pass themselves off as a client or supplier in order to try to get money. One distinctive feature of this type of email fraud is that around 60% of the emails involved in BEC scams don’t contain a link, making it harder for cybersecurity systems to detect them. At times, the email contains nothing more than an account number to which the recipient is asked to make a transfer.
Another aspect that makes it stand out from most phishing attacks is that, rather than being based on indiscriminate mass emailing, BEC scams usually seek very specific individual profiles. Following this pattern, there is an even more sophisticated version of the BEC scam, known as “CEO fraud”. In this case, as the name suggests, the cyberattacker passes himself off as the head of the whole company. To do so, attackers employ spear phishing techniques; that is, they research the company and the employee, looking for news and profiles on social networks in order to read up on the victim and make the email as believable as possible.
For all these reasons, this type of scam is especially dangerous and costly for companies: according to FBI figures, they have cost businesses over 12 billion dollars since 2013.
How can you avoid the risks of the most dangerous phishing attacks?
Finding vulnerabilities and security breaches is a complex task for cyberattackers who have their eye on companies: a lot of the time they come across firewalls or security systems that require an advanced level of skill to get through. This is why it is much easier for them to rely on deceit, and it is also the reason that phishing attacks are so common. BEC scams add a sense of urgency and authority to this kind of fraudulent activity, especially if they use a version of the CEO fraud, since nobody wants to put themselves in a compromising position in front of the boss. Cybercriminals know how to take advantage of this, which is what makes them so dangerous. For this reason, the first thing to bear in mind in order to avoid attacks is that common sense and calm must prevail, so as not to make a false step.
In this vein, here are some key recommendations to help avoid email attacks on your company:
- Carrying out phishing drills so that employees can learn to identify phishing emails.
- Detecting social engineering, with the aim of getting employees to ask themselves questions before responding to an email.
- Encrypting emails to keep sensitive information from being stolen.
Practices like these are also valid for BEC scams, but they are not enough. Since it is such a personalized type of phishing, it’s advisable to verify the source of the email in any way possible. To do so, there’s no better way than to teach employees not to rely exclusively on email. It is better that they check the content of the email with the workmate they suspect is being impersonated, or with the CEO, whether it’s on the phone or face to face.
Finally, as can be said of most cybersecurity problems, the risks related to being attacked over email can be avoided with a combination of human and technological factors: common sense and employee training in order to acquire experience and prevent and detect attacks, along with the use of advanced cybersecurity platforms that have the capacity to warn of any dangers that we may have overlooked.
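An added example, not part of the original article: a sketch of why a link-only filter misses the kind of BEC email described above, and how the traits the article names (an executive's name on an outside address, an account number in the body, urgent wording) can be checked instead. The executive name, company domain, word list, account-number pattern and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration only; tune these for a real mail flow.
EXECUTIVES = {"maria lopez"}      # hypothetical CEO display name
COMPANY_DOMAIN = "corp.example"   # hypothetical corporate mail domain
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)
ACCOUNT = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b")  # IBAN-like
LINK = re.compile(r"https?://", re.I)

def _parts(raw):
    """Split a raw single-part message into (From, Subject, body)."""
    msg = message_from_string(raw)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    return msg.get("From", ""), msg.get("Subject", ""), body

def link_only_filter(raw):
    """A filter that flags mail only when the body carries a URL."""
    return bool(LINK.search(_parts(raw)[2]))

def bec_indicators(raw):
    """Return the BEC traits found in one raw message, in a fixed order."""
    sender, subject, body = _parts(raw)
    name, addr = parseaddr(sender)
    domain = addr.rpartition("@")[2].lower()
    found = []
    # Display name of an executive, but the address is outside the company.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        found.append("executive-name-external-domain")
    if ACCOUNT.search(body):
        found.append("account-number-in-body")
    if URGENCY.search(subject + "\n" + body):
        found.append("urgency-wording")
    return found

# Constructed sample messages (not real mail).
BEC_SAMPLE = (
    "From: Maria Lopez <maria.lopez@corp-mail.example>\n"
    "To: finance@corp.example\n"
    "Subject: Urgent payment\n\n"
    "I need you to make a transfer today to the new supplier account\n"
    "ES12 3456 7890 1234 5678 9012. Keep this confidential.\n")
BENIGN_SAMPLE = (
    "From: Maria Lopez <maria.lopez@corp.example>\n"
    "To: all@corp.example\n"
    "Subject: All-hands meeting\n\n"
    "The quarterly all-hands is on Thursday at 10:00.\n")

if __name__ == "__main__":
    for label, raw in (("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, link_only_filter(raw), bec_indicators(raw))
```

A hit from these checks is a reason to confirm the request by phone or in person, as recommended above, not a verdict on its own.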