Business Email Compromise hacks cost enterprises $2.3 billion

13 Jun 2016

Compromised business emails have caused 17,642 enterprises worldwide to lose at least $2.3 billion, a new research paper titled 'Billion-Dollar Scams: The Numbers Behind Business Email Compromise' from Trend Micro says.

The paper says that the statistics are straight from the FBI, and the number is still increasing. Victim counts increased 270% during the first eight months of 2015. The sheer size of these attacks prompted the FBI into action through a public service announcement, educating enterprises about the dangers.

The paper says that business email compromise (BEC) schemes work through sophisticated channels between businesses and foreign partners that provide wire transfer payments. Business executives' emails are hacked and spoofed, instructing employees to send large wire transfers to foreign accounts.

The paper says that BEC attacks are socially engineered, which makes them difficult to detect because the emails appear legitimate. While the USA is the greatest target with 274, Australia has also been targeted by 94 schemes.

Trend Micro says BEC scams can take three forms:

The bogus invoice scheme

Businesses that work with a foreign supplier are contacted by fraudsters and asked to change the payment location or to pay into a fraudulent payment account.

CEO fraud

Scammers spoof business executives' accounts and send an email to an employee requesting an urgent wire transfer to the fake account. The most spoofed executive positions are CEO (31%), president (17%), managing director (15%) and 'others' constituting 20%.

Account compromise

An employee's account is hacked and emails are sent from the account to vendors on the contact lists, requesting payments to fraudulent accounts.

How to prevent BEC attempts

The report encourages businesses to educate executives and employees about how BEC scams operate. The scams are simple, and can be easily thwarted by employees.

  • Be wary of all emails
  • Verify wire requests if they seem overly high or differ from most transactions
  • Raise employee awareness about BEC methods
  • Use secondary sign-off for changes in vendor payment locations
  • Use two-factor authentication for payments. When using phone verification, use known phone numbers.
  • Report attempted and successful hacks or spoofs
  • Keep track of customer payments, including payment details