
BEC Scams Still Show No Signs of Slowing

Published: November 25, 2020 in our Security Fraud News & Alerts Newsletter.

According to a recent report, the sums that cyber criminals ask for in business email compromise (BEC) scams have risen to an average of $80,000 per attack. The report, which covers the second quarter of 2020 and was published by the Anti-Phishing Working Group (APWG), notes a significant increase from the previous average of $54,000 in the first quarter of 2020. The report is based on evidence from organizations in the cyber security industry, the government sector, and law enforcement agencies.

BEC scams usually begin with a phishing email attempt. Often, a message is sent to an employee in a company with the intent of tricking them into paying a fake invoice, sending money via wire transfer to a fraudulent account, or some other type of financial scheme. Specific information about employees is not difficult to find. Think about what is posted to social media, especially sites that are used for business networking. All it takes is for the bad actor to peruse those pages and all kinds of information is available to create incredibly detailed phishing email messages.

BEC attacks are common and show no signs of slowing down. It’s important that organizations put cyber security at the top of their priority list. Putting perimeter defenses in place to catch as much spam and malicious activity as possible is the first step. Employees and contractors, and really anyone using the network, are the weakest links in the cyber security chain. That’s because email messages can easily be spoofed, meaning they are made to look like they come from a known sender, such as a vendor or fellow employee, when they really do not. Spoofed messages can also sometimes bypass those perimeter tools.

That’s why ongoing training on how to identify phishing messages and attempts, how to spot domain jacking and URL spoofing, as well as the latest malware making its rounds, should be high on any organization’s cyber security agenda. Don’t stop at a “one and done” approach to cyber security training. It should be ongoing throughout the year and ideally include phishing simulation and other types of “tests.”

It’s also worth considering purchasing a domain assurance product to make sure your organization’s reputation stays the way you want it. Criminals now buy up domains that closely resemble those of legitimate organizations in the hope that users will make typos or not pay attention. They then build websites that look identical, or so similar to the original that it’s difficult to tell they are fake.
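
As an added example (not from the original newsletter or from any product it mentions), the sketch below shows how a mail filter could flag sender domains that imitate a trusted one, covering the typo and lookalike domains described above. The allow-list `TRUSTED`, the confusable-character table, and the sample addresses are constructed assumptions.

```python
# Added example: flag sender domains that imitate a trusted domain.
# TRUSTED and all sample addresses are constructed for illustration.
from email.utils import parseaddr

TRUSTED = {"example-bank.com", "acme-supplies.com"}  # assumed allow-list

# Character sequences commonly used to imitate another letter visually.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(domain):
    """Collapse visually confusable sequences so imitations compare equal."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]


def classify(from_header, trusted=TRUSTED):
    """Return ('trusted' | 'lookalike' | 'unknown', matched domain or None)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("Accounts <ap@acme-supplies.com>",
                   "Acme Billing <billing@acrne-supplies.com>",
                   "ceo@exmaple-bank.com"):
        print(sender, "->", classify(sender))
```

A "lookalike" verdict is a reason to quarantine the message or warn the recipient, and the same comparison can be run against newly registered domains to spot imitations before they are used.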

Take a look at the options and choose what’s best for your organization. Also, remind people to be conservative about the information posted on social media. The less that’s available to the public, the better for your organization.
