A recent research report by Signal Alliance, a technology solution company, has revealed how organisations could avoid huge financial losses through the latest and most innovative email protection.
According to the security report, many business organisations and public institutions are currently faced with the challenge of their corporate email being compromised. This, the report says, has to a large extent brought loss of business and embarrassment to organisations.
The report described Business Email Compromise (BEC) as a situation in which an attacker hacks into a corporate e-mail account and impersonates the real owner to defraud the company, its customers, partners, and/or employees. Once the attack is successfully launched, it compromises the entire email address system and issues new commands that compel the system to send money or sensitive data to the attacker's account.
BEC is also known as a ‘man-in-the-email’ attack. This is derived from the ‘man-in-the-middle’ attack where two parties think that they are talking to each other directly, but in reality, an attacker is listening in and possibly altering the communication, the report further said.
According to the report, in 2016, there were at least 40,000 incidents of business e-mail compromise or other incidents that involved e-mails, which is an increase of about 23.7 per cent since January 2015. In the second half of 2016 alone, the FBI reported more than 3,044 victims in the United States, with a combined loss of about $346 million.
Most of the victims were told to send money to an Asian bank, usually in Hong Kong or China, or a bank in the United Kingdom.
Describing how the attack works, the Technical Security Consultant at Signal Alliance, Victor Ugwu, said a BEC scam starts with research. An attacker will sift through publicly available information about a company from its website, press releases, and even social media posts. He/she might look for the names and official titles of the company executives, the corporate hierarchy, and even travel plans from email auto-replies.
The attacker will then try to gain access to an executive’s e-mail account. To remain undetected, he/she might use inbox rules or change the reply-to address so that when the scam is executed, the email owner will not be alerted.
Another trick, according to Ugwu, is to create an e-mail with a spoofed domain. For example, the attacker might use firstname.lastname@example.org instead of email@example.com.
If close attention is not paid, it is easy to be deceived by the slight difference. One of the most famous spoofed domain tricks ever was "PayPa1.com", a scam site imitating the money-transfer website PayPal.com.
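The two tricks just described, a silently changed Reply-To address and a lookalike sender domain such as PayPa1.com, can both be flagged from message headers. The following is an added Python example (not code from the Signal Alliance report) of such a check; the confusable-character table, the trusted-domain list and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Character substitutions commonly used in lookalike domains
# (constructed for this example; not an exhaustive confusables table).
# Multi-character entries come first so they are applied before single ones.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed allow-list of domains the organisation actually corresponds with.
TRUSTED_DOMAINS = {"paypal.com", "example.com"}


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and undo confusable substitutions, e.g. PayPa1.com -> paypal.com."""
    d = domain.lower().strip()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


# Trusted domains in the same normalised form, so a real "rn" compares equal to itself.
_NORMALIZED_TRUSTED = {normalize_domain(d): d for d in TRUSTED_DOMAINS}


def sender_domain(header_value: str) -> str:
    """Extract the domain part of a From/Reply-To header; empty string if absent."""
    _display, address = parseaddr(header_value)
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_headers(headers: dict) -> list:
    """Return human-readable findings for the two BEC tricks described above."""
    findings = []
    from_dom = sender_domain(headers.get("From", ""))
    reply_dom = sender_domain(headers.get("Reply-To", ""))

    # Trick 1: a domain that only looks like a trusted one once digits/letters are swapped.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        looks_like = _NORMALIZED_TRUSTED.get(normalize_domain(from_dom))
        if looks_like:
            findings.append(f"lookalike sender domain {from_dom} imitates {looks_like}")

    # Trick 2: replies silently redirected to a domain other than the visible sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    return findings


if __name__ == "__main__":
    sample = {"From": "CEO <ceo@paypa1.com>", "Reply-To": "ceo@mail-relay.example.net"}  # constructed
    for finding in check_headers(sample):
        print(finding)
```

A mail gateway would normally run such a check alongside SPF/DKIM/DMARC results rather than instead of them, since a registered lookalike domain can pass all three.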
Some of the most prevalent examples of BEC scams, according to the report, are the fraudulent invoice scam, the fake boss scam, and the fake attorney scam, which occurs when a lawyer's e-mail address is used to contact clients, asking that they pay money immediately to keep things confidential.
The report said BEC happens for three main reasons, namely insufficient security protocols, social engineering, and lack of employee awareness. The report, however, gave some insights on how to prevent financial losses through email scams, including multi-factor authentication, which should be implemented as an Information Technology (IT) security policy, and employee education.
Multi-factor authentication will help prevent unauthorised access to e-mails, especially if an attacker attempts to log in from a new location. In addition to stronger security protocols, employee education is also important. Employees should be trained to identify fraudulent e-mails. Always be skeptical of urgent and rushed money transfer requests, especially from C-level executives, and verify those requests either by phone or in person, the report said.
Signal Alliance is a technology company that offers a robust and adaptive email security solution on-premise and in the cloud. Beyond email security, they also provide cybersecurity solutions ranging from Perimeter Security, Infrastructure Security, Cloud, Mobile Security and Managed Security Service.