Find out how cybercriminals hijack entire corporations to their benefit.
Good cybersecurity is about mitigating some risks while taking on others. It could mean choosing to risk getting yelled at by your boss instead of simply doing whatever you’re told. Nobody likes angering their employer. Cybercriminals know that and have used that fact to defraud companies of millions.
In today’s hyper-connected social environment, there is public data available on almost everyone – chief executives included. Enterprising cybercriminals are using this information to impersonate executives and trick businesses into making phony payments to offshore accounts. This attack method usually takes the form of a business email compromise (BEC). BEC scams are becoming frustratingly commonplace, earning cybercriminals billions of dollars every year.
Preventing this type of scam is critical to establishing a solid cybersecurity defence. It requires a highly organised approach to executive protocols.
How Do BEC Scams Work?
While many business leaders and IT professionals worry about safeguarding their systems from technical exploits, cybercriminals have begun to look at less demanding ways to siphon funds from legitimate enterprises.
The BEC scam, also called CEO fraud, works because of its simplicity. Instead of directly attacking an organisation’s IT system, cybercriminals impersonate top executives and use their authority to send illicit payments to hidden offshore accounts. The attack often because ground-level finance employees are unwilling to contradict their superiors. When an urgent email comes in, chastising an employee for not making a million-dollar payment to some client’s account, picking up a phone and calling the angry executive to verify the payment is the last thing on that employee’s mind.
Once the payment is made, it is often exceedingly difficult to track or recover. The ruse is only discovered well after the fact when the company discovers that the executive in question had no idea a payment was ordered. Only 4% of CEO fraud payment funds are ever recovered.
How to Prevent CEO Fraud
While large enterprises make obvious targets for CEO fraud, this attack happens to small and mid-sized businesses as well. It is relatively easy to trick a small business into paying a phony invoice, especially if the business itself is not well-organised.
There are several key security processes that small businesses and enterprise-level organisations need to implement to secure themselves against BEC attacks:
Identify High-Risk Positions. Anyone who wields institutional authority in an organisation is a risk. Finance, accounting, human resources, and C-suite positions are all popular targets because other employees rarely speak up when ordered to act by them.
Cultivate Security Culture. Annoying the CEO is worth protecting millions of dollars. Empower your employees to pick up the phone and verify urgent payments and other suspicious activities.
Enact a Cybersecurity Policy. Your company’s cybersecurity policy must cover the latest security risks and offer guidance on how to address those risks. This includes everything from dealing with potential phishing attacks to deploying two-factor authentication for financial processes.
Ultimately, there is no way to predict and protect against every single security threat. Organisations that put enough barriers between attackers and their goals can only hope to dissuade cybercriminals from exposing themselves while implementing policies that minimise risk.
For more information on how SMB Solutions can help protect you from ransomware and cybercrime, get in touch with the SMB Solutions team today.
Analytics Cookies (Google Analytics)
These allow us to measure and improve performance, understand how visitors interact with our site, and ensure we're meeting your needs.
Third-Party Cookies (YouTube Embeds)