Guest Post: Simple Ways To Prevent Multimillion-Dollar Losses From BEC
Posted in Commentary with tags HALOCK Security Labs on October 28, 2017 by itnerd

An urgent email from the boss is likely to make most employees sit up and take notice. It could be an opportunity to step up and deliver results that advance a career, or a chance to explain a major mistake so that the person truly responsible is held accountable. An urgent email from the boss could be about any number of things, but few employees would ever consider that it might be a key step in a well-designed scam that could cost the company millions of dollars.
Many who spend time online are familiar with "phishing" scams, in which cybercriminals use legitimate-looking emails to con people into handing over passwords or other sensitive data. Not nearly enough people are aware that the same schemes work just as well against businesses. Known as business email compromise (BEC) scams, these crimes work in much the same way as phishing. Through hacking or deception, criminals gain access to corporate email accounts. Posing as high-ranking company officials, they then send emails that appear to authorize the transfer of money for business purposes. In reality, they are tricking employees into stealing corporate funds on their behalf, and the losses can be catastrophic. The FBI estimates that over a period of more than two years, more than $960 million was lost to BEC scams. These scams can strike a business of any size, in any sector, at any time. All it takes is a single slip-up by one person in the company to give the fraudsters the opening they need.
Although the threat of BEC may be dire news for your business, there are some simple steps management and IT professionals can take to avoid being victimized. For example, a second factor should be required to authorize any transfer of funds: an email requesting a transfer should never be sufficient on its own, and must be confirmed through a separate channel that a criminal holding the mailbox cannot control, such as a text message to a number already on file, a PIN or a security question. Regular training for everyone in the company who handles payments is another important weapon against these cybercrimes. Awareness keeps employees vigilant against common BEC tricks and tactics.
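The out-of-band second factor described above, worked through in Python as an added example (this is not HALOCK's or the blog's code): the approver and their phone number are looked up in a company directory rather than taken from the email, the one-time code is bound to the exact beneficiary and amount, and each code works once. The directory, the example.com addresses, the phone number, the account numbers and the send_sms stub are all assumptions made for this example.

```python
"""Out-of-band approval for an emailed funds-transfer request.

Added example (not HALOCK's or the blog's code). It enforces the rule from
the post: an email asking for a transfer is never enough on its own. The
approver named in the company directory (looked up by the company, never
taken from the email) must confirm a one-time code sent to their phone on
file, and the code is bound to the exact beneficiary and amount. The
directory, addresses and phone numbers are constructed for illustration;
send_sms is a stub the caller supplies so the module runs offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

# Constructed directory (assumption). The phone number the code is sent to
# comes from here, so a criminal who controls the mailbox cannot redirect
# the second factor to a number of their choosing.
APPROVER_DIRECTORY = {
    "cfo@example.com": {"name": "Dana Lee", "phone": "+1-555-0100"},
}


@dataclass(frozen=True)
class TransferRequest:
    requester: str      # address the email claims to come from
    beneficiary: str    # account the money would go to
    amount_cents: int
    memo: str


class OutOfBandApproval:
    """Issues and checks single-use confirmation codes for transfers."""

    def __init__(self, send_sms):
        self._send_sms = send_sms   # callable(phone, text); injected stub
        self._pending = {}          # request_id -> secret behind the issued code

    @staticmethod
    def _code_for(req: TransferRequest, secret: bytes) -> str:
        # Six-digit code derived from an HMAC over beneficiary and amount.
        # Changing either detail after the code was issued makes the code
        # the approver received fail at confirmation time.
        msg = f"{req.beneficiary}|{req.amount_cents}".encode()
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def start(self, req: TransferRequest) -> str:
        """Send a code to the approver's directory phone; return a request id."""
        approver = APPROVER_DIRECTORY.get(req.requester)
        if approver is None:
            raise PermissionError(f"{req.requester} is not an authorised approver")
        secret = secrets.token_bytes(32)
        request_id = secrets.token_hex(8)
        self._pending[request_id] = secret
        self._send_sms(
            approver["phone"],
            f"Confirm transfer of {req.amount_cents / 100:.2f} to "
            f"{req.beneficiary} ({req.memo}). Code: {self._code_for(req, secret)}",
        )
        return request_id

    def confirm(self, request_id: str, req: TransferRequest, code: str) -> bool:
        """True only if code matches this exact request; each id works once."""
        secret = self._pending.pop(request_id, None)   # consumed even on failure
        if secret is None:
            return False
        return hmac.compare_digest(self._code_for(req, secret), code)


def walkthrough() -> dict:
    """Run the control against a constructed request and its abuse cases."""
    outbox = []                                  # stands in for the SMS gateway
    approval = OutOfBandApproval(lambda phone, text: outbox.append((phone, text)))
    req = TransferRequest("cfo@example.com", "GB29NWBK60161331926819",
                          4_850_000, "Invoice 2291")

    rid = approval.start(req)
    code = outbox[-1][1].rsplit("Code: ", 1)[1]  # what the approver reads off the phone
    results = {
        "sent_to_directory_phone": outbox[-1][0] == APPROVER_DIRECTORY["cfo@example.com"]["phone"],
        # Beneficiary swapped after the code was issued: the code no longer matches.
        "tampered_rejected": not approval.confirm(
            rid, replace(req, beneficiary="GB00ATTK00000000000000"), code),
    }
    # The failed attempt consumed the request id, so a fresh code is needed.
    rid = approval.start(req)
    code = outbox[-1][1].rsplit("Code: ", 1)[1]
    results["genuine_approved"] = approval.confirm(rid, req, code)
    results["replay_rejected"] = not approval.confirm(rid, req, code)
    try:
        approval.start(replace(req, requester="intern@example.com"))
        results["unknown_requester_blocked"] = False
    except PermissionError:
        results["unknown_requester_blocked"] = True
    return results


if __name__ == "__main__":
    for check, ok in walkthrough().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

Running the module prints one pass/fail line per check. The design point the code makes explicit: the second factor has to travel over a channel the email attacker does not hold, and it has to name the exact beneficiary and amount; otherwise a criminal with the mailbox can request a code for a harmless-looking transfer and then swap the account number before it is executed.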
Although one seemingly minor mistake can be all it takes to expose a company to a BEC scam, the good news is that the risk can be reduced significantly. Follow the accompanying guide to preventing BEC scams, and the urgent emails employees get from the boss will be alarming for less costly reasons.
Author bio:
Chris Cronin is a partner, principal consultant and ISO 27001 auditor for HALOCK Security Labs, a leading information security firm in Chicago. Cronin has more than 15 years of experience helping organizations with policy design, security controls, audit, risk assessment and information security management systems within a cohesive risk management process. He is a frequent speaker and presenter at information security conferences and events.