Intelligent CISO Issue 31 | Page 37

FEATURE
Let's talk email risks – how much of a problem are BEC and EAC attacks?
Today's threat landscape is fundamentally characterised by social engineering. We've seen an almost 100% shift to criminals targeting individuals, socially engineering people to do something, whether that's click on a link, download an attachment, enable macros to install malware or just sending a simple text email, pretending to be people in positions of authority and getting people to wire money or send data directly to the criminals.
Business Email Compromise (BEC) attacks have been dubbed one of cybersecurity's most expensive threats.
In 2019, AIG, a cyber insurance company, stated that BEC overtook ransomware in terms of cyber insurance claims across the EMEA region, while in the US, the FBI stated that between June 2016 and July 2019, there were losses of more than US$26 billion to BEC and EAC attacks.
What do these types of attacks entail?
Adenike Cosgrove, Director of Cybersecurity Strategy for International at Proofpoint
BEC attacks are pure social engineering – there's nothing to sandbox, no payload to analyse, no URL to click through. Typically, it's an email that is pure text, coming from someone that we trust, either an executive or a supplier or someone we've done business with before. And it's fundamentally trying to trick someone into sending money or data. We see five key examples of BEC attacks:
1. Gift carding. In this scenario, a criminal poses as an executive or supervisor with authority requesting assistance to purchase a gift card for staff or clients. The executive asks for serial numbers so they can email them out right away, which are then delivered straight to the criminal.
2. Payroll redirect. Criminals pretend to be executives and send an email to the HR department requesting to change or update direct deposit information from a legitimate employee bank account to the fraudster's account or a pre-paid card account. The future salary will be paid directly into the criminal's bank account.
3. Supplier invoicing. Here, criminals impersonate a legitimate vendor your company regularly does business with, and send an invoice. They claim to have new bank details which future invoices should be paid into. But again, that money is being sent directly to the cybercriminal.
4. Mergers and acquisitions. Someone typically junior in finance receives an email from the CEO or the CFO stating there is an urgent acquisition and that the money is needed immediately so the acquisition can be closed.
5. Shipping re-directs. Criminals send a phishing email to somebody within the organisation claiming to be a supplier whose shipping address has changed. But instead of sending it to your business partner or your customer, this results in goods being
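A defender-side illustration of the point made above, added here and not part of the interview or of any Proofpoint product: because these messages carry no attachment or link, the checks below score constructed sample emails on identity cues (an executive's or vendor's display name arriving from an unexpected domain, a Reply-To steering replies elsewhere) and on request wording matching the five scenarios. The names, domains and patterns are constructed placeholders.

```python
import re
from dataclasses import dataclass
# Constructed directory of identities a BEC email would borrow (hypothetical names/domains).
INTERNAL_DOMAIN = "example.com"
TRUSTED_EXECS = {"pat lee": "CEO", "sam kim": "CFO"}            # display name -> role
TRUSTED_VENDORS = {"acme supplies ltd": "acme-supplies.com"}    # vendor name -> real domain

# Request wording typical of the five scenarios listed above (constructed patterns).
SCENARIOS = {
    "gift carding": r"gift ?cards?|serial numbers?",
    "payroll redirect": r"direct deposit|payroll|update my bank",
    "supplier invoicing": r"invoice|new bank details|remit(tance)?",
    "mergers and acquisitions": r"acquisition|wire .*immediately|confidential deal",
    "shipping redirect": r"shipping address|deliver(y)? to|ship to",
}

@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str      # empty string when the header is absent
    body: str
    has_attachment: bool = False
    has_url: bool = False

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def classify(mail: Email) -> dict:
    """Score one message on identity cues plus request pattern, not on payload."""
    findings = []
    name = mail.display_name.strip().lower()
    sender = domain(mail.from_addr)
    # Executive's display name arriving from outside the organisation.
    if name in TRUSTED_EXECS and sender != INTERNAL_DOMAIN:
        findings.append(f"{TRUSTED_EXECS[name]} display name sent from {sender}")
    # Known vendor's name arriving from a domain other than the one on file.
    if name in TRUSTED_VENDORS and sender != TRUSTED_VENDORS[name]:
        findings.append(f"vendor name sent from {sender}, expected {TRUSTED_VENDORS[name]}")
    # Reply-To steering responses to a different domain than the visible sender.
    if mail.reply_to and domain(mail.reply_to) != sender:
        findings.append(f"reply-to domain {domain(mail.reply_to)} differs from sender")
    scenario = next((s for s, p in SCENARIOS.items() if re.search(p, mail.body, re.I)), None)
    return {
        "scenario": scenario,
        "findings": findings,
        "payload_free": not (mail.has_attachment or mail.has_url),  # the BEC profile: text only
        "suspicious": bool(findings) and scenario is not None,
    }
```

A message is flagged only when an identity cue and a scenario pattern coincide, so routine internal mail from a real executive passes even when it mentions invoices or payroll.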