
Business Email Compromise hacks cost enterprises $2.3 billion

13 Jun 16

Compromised business emails have caused 17,642 enterprises worldwide to lose at least $2.3 billion, a new research paper titled 'Billion-Dollar Scams: The Numbers Behind Business Email Compromise' from Trend Micro says.

The paper says that the statistics are straight from the FBI, and the number is still increasing. Victim counts increased 270% during the first eight months of 2015. The sheer size of these attacks prompted the FBI into action through a public service announcement, educating enterprises about the dangers.

The paper says that business email compromise (BEC) schemes work through sophisticated channels between businesses and foreign partners that provide wire transfer payments. Business executives' emails are hacked and spoofed, instructing employees to send large wire transfers to foreign accounts.

The paper says that BEC attacks are socially engineered, which makes them difficult to detect because the emails appear legitimate. While the USA is the greatest target with 274 schemes, Australia has also been targeted by 94.

Trend Micro says BEC scams can take three forms:

The bogus invoice scheme

Businesses that work with a foreign supplier are contacted by fraudsters and asked to change the payment location to a fraudulent payment account.

CEO fraud

Scammers spoof business executives' accounts and email an employee requesting an urgent wire transfer to the fake account. The most spoofed executive positions are CEO (31%), president (17%), managing director (15%) and 'others' constituting 20%.

Account compromise

An employee's account is hacked and emails are sent from the account to vendors on the contact lists, requesting payments to fraudulent accounts.

How to prevent BEC attempts

The report encourages businesses to educate executives and employees about how BEC scams operate. The scams are simple, and can be easily thwarted by employees.

  • Be wary of all emails
  • Verify wire requests if they seem overly high or differ from most transactions
  • Raise employee awareness about BEC methods
  • Use secondary sign-off for changes in vendor payment locations
  • Use two-factor authentication for payments. When using phone verification, use known phone numbers.
  • Report attempted and successful hacks or spoofs
  • Keep track of customer payments, including payment details
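As an added illustration of what "be wary of all emails" and "verify wire requests" can look like in a mail gateway or SOC triage script, the following Python code flags the indicators the report describes: an executive's display name on an address that is not theirs (CEO fraud), a lookalike sender domain, a Reply-To that points somewhere other than the visible sender, and payment-redirection language. It is example code written for this page, not code from Trend Micro or the FBI; the organisation domain, executive names and sample messages are all constructed and hypothetical.

```python
import re
from email.utils import parseaddr

# Constructed organisation data (hypothetical domain and executive names).
ORG_DOMAIN = "example-corp.test"
EXECUTIVES = {
    "alice smith": "alice.smith@example-corp.test",
    "bob jones": "bob.jones@example-corp.test",
}
# Phrases typical of the payment-redirection requests the report describes.
PAYMENT_PHRASES = ("wire transfer", "urgent payment", "new account details",
                   "change of bank", "update our bank")


def normalise_name(name):
    """Collapse whitespace and case so 'Alice  SMITH' matches 'alice smith'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(message):
    """Return the list of BEC indicators found in one message (empty if none)."""
    display, address = parseaddr(message.get("from", ""))
    sender_domain = domain_of(address)
    reasons = []

    # CEO fraud: an executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(normalise_name(display))
    if expected and address.lower() != expected:
        reasons.append("executive-display-name-on-foreign-address")

    # Lookalike domain: close to the organisation's domain but not equal to it.
    if (sender_domain and sender_domain != ORG_DOMAIN
            and edit_distance(sender_domain, ORG_DOMAIN) <= 2):
        reasons.append("lookalike-sender-domain")

    # Reply-To pointing at a domain other than the visible sender's.
    _, reply_to = parseaddr(message.get("reply_to", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append("reply-to-domain-mismatch")

    # Payment-redirection language in subject or body.
    text = (message.get("subject", "") + " " + message.get("body", "")).lower()
    if any(phrase in text for phrase in PAYMENT_PHRASES):
        reasons.append("payment-redirection-language")

    return reasons


def triage(messages):
    """Return (sender, reasons) for every message that raised at least one indicator."""
    flagged = []
    for msg in messages:
        reasons = assess(msg)
        if reasons:
            flagged.append((msg["from"], reasons))
    return flagged


# Constructed sample messages (not real mail): a CEO-fraud attempt, a benign
# message from the real executive, and a vendor-style account-change request.
SAMPLE_MESSAGES = [
    {"from": '"Alice Smith" <alice.smith@examp1e-corp.test>',
     "subject": "Urgent payment",
     "body": "Please process a wire transfer to the supplier today, I am in a meeting."},
    {"from": '"Alice Smith" <alice.smith@example-corp.test>',
     "subject": "Board pack",
     "body": "Slides attached for Thursday."},
    {"from": '"Carol Vendor" <carol@vendor-supplies.test>',
     "reply_to": "carol@vendor-supp1ies.test",
     "subject": "Invoice 4471",
     "body": "Please note our new account details for all future invoices."},
]

if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_MESSAGES):
        print(f"{sender}: {', '.join(reasons)}")
```

None of these indicators proves fraud on its own; the point of the script is to route a flagged message into the secondary sign-off and known-number phone verification the list above recommends, rather than to block mail automatically.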