Historically hackers have pursued and targeted individuals more frequently than they have targeted businesses as they are typically the path of least resistance. However, the number of organizations worldwide falling victim to major cyber attacks is dramatically rising. More and more, hackers are infiltrating businesses of all sizes — and not just through traditional system hacks, but now increasingly through social engineering.
Tricking people to access money or sensitive information on the Internet is by no means a new concept — these cleverly disguised emails were behind the infamous ‘Celebgate’ hacking case, which exposed nude photos of celebrities. Except now, fraudsters are doing their homework to perfect their technique.
The latest threat duping enterprises out of millions is Business Email Compromise (BEC), also known as “CEO Fraud”. BEC attacks are carried out by compromising or impersonating official business email accounts of C-suite executives, typically the CEO or CFO. The hacker imitating the executive urgently requests an employee, often within the accounts department, to conduct an unauthorized wire transaction to a specific recipient, usually to pay a fake invoice. Typically the money is sent to accounts in Asia or Africa before the company realizes it has been duped. The message and hijacked email account appears legitimate to the individual who, without realizing, places their organization at huge risk.
Pinpointing the target
Last year, Ubiquiti Network, an American technology company, lost $39.1 million as a consequence of a BEC scam. Impersonation and fraudulent requests were made to target the finance department, deceiving the department to send money to an outside entity. Fortunately, the company recovered $8.1 million from legal litigation and they’re working on recovering an additional $6.8 million, but the additional funds are subject to legal injunction. Regardless of funds recovered, the full amount lost will not be salvaged.
Another example is The Scoular Company, an employee-owned commodities trader in the United States. In this case the fraudster, pretending to be the CEO, told the Controller in a confidential email that Scoular was in the process of acquiring a Chinese company. The Controller was instructed to liaise with a lawyer at KPMG and wire $17.2 million to an offshore account in China, which he did without question.
One of the most outrageous examples of BEC is the central bank of Bangladesh which suffered recent fraud of $100 million. Funds were sent to Sri Lanka and The Philippines by the Federal Reserve of the United States, and the issue was only flagged when someone spotted a typo in one of the requests. Beyond the clear takeaway here that spelling is important, this scenario demonstrates just how expensive social engineering can be.
HR departments are also commonly targeted to gain unfettered access to the victim’s credentials. Snapchat is the latest victim of this method after the hacker posed as the CEO and requested payroll information, which may then place the company’s employees at risk of identity theft.
Within these examples, the criminal behind the attack has clearly researched the management structure and pinpointed which employee is the best target. Sophisticated BEC attackers will typically research travel schedules of executives or mergers and acquisitions to reference in their emails. These hackers are also ultimately taking advantage of employees’ willingness to be helpful, especially when requested to act by a C-suite executive of the company.
While employees are a company’s biggest asset, they are unfortunately usually the weakest link when it comes to security. For organizations today, the only way to efficiently protect against attacks such as this is to arm employees with the know-how to avoid these compromises.
Education and subsequent repeated reinforcement, is the most effective means of protecting companies against BEC scams and similar attacks. There is a frightening lack of public awareness around the prevalence of these scams, therefore CEOs, CIOs and CISOs should educate employees on what an attack entails. Employees who are aware of the threat and are encouraged and even empowered to scrutinize emails will have the confidence to decline or at least double check what they perceive as an illicit request. A security-aware culture is essential.
Related to this is the threat of accessing public Wi-Fi hotspots on work devices. BEC attacks rely on the hacker having context with which to make the request seem legitimate. These include email addresses and formats, names, travel details, internal processes — all of which can be readily gleaned through man-in-the-middle attacks on public Wi-Fi.
Public Wi-Fi hotspots are not typically encrypted, meaning that with the right tools, skilled hackers can intercept sensitive information on a connected device and use it to target that company. Understanding the danger of transmitting sensitive data “in the clear” reduces the opportunity for a hacker to intercept revealing information or to eavesdrop on online conversations. Similarly, companies and employees should also think carefully before posting information on social media, which could be used as context in this type of attack.
Employees are at the heart of every day-to-day process but are also the weakest links in cyber-security. Ensuring that they are up to speed with current security issues is crucial to avoiding falling victim. Responsibility needs to be taken within every company — whether by the CIO or the CISO — to put strategic, up-to-date training in place to minimize the chance of vital information falling into the hands of hackers.
Photo Credit: Lasse Kristensen/Shutterstock
Michael Covington leads Wandera’s Product team and is responsible for both defining the product vision and overseeing its delivery to delighted customers. Dr. Covington has over twenty years experience in security research and product development– with roles in academia and industry — including stints at Intel Labs, Cisco Security and Juniper Networks.