Historically, individuals have been the target of hackers rather than large companies or businesses. But this is beginning to change with the number of organizations worldwide falling victim to major cyber attacks dramatically rising. Hackers are now infiltrating businesses of all sizes – and not just through traditional system hacks, but through social engineering.

One of the latest threats duping enterprises out of millions is business email compromise (BEC), also known as CEO fraud. BEC attacks are carried out by compromising or impersonating official business email accounts of c-suite executives, typically the CEO or CFO.

The hacker imitating the executive urgently requests an employee, often within the accounts department, to conduct an unauthorised wire transaction to a specific recipient, usually to pay a fake invoice.
Typically the money is sent to accounts in Asia or Africa before the company realises it has been duped. The message and hijacked email account appears legitimate to the individual who, without realising, places their organization at huge risk.

BEC in action

An example of a BEC attack in action is the Belgian bank Crelan, which lost $75.8 million to a BEC scammer. Fortunately, with its notable reserves Crelan survived the attack, but for smaller enterprises, the result could be catastrophic. Another example is The Scoular Company, an employee-owned commodities trader in North America. In this case the fraudster pretending to be the CEO told the Controller in a confidential email that Scoular was in the process of acquiring a Chinese company. The Controller was instructed to liaise with a lawyer at KPMG and to wire $17.2 million to an offshore account in China, which he did not question.

Pinpointing the target

Within the above enterprise examples, the criminal behind the attack has clearly researched the management structure and pinpointed which employee is the best target.
Sophisticated BEC attackers will typically research travel schedules of executives or mergers and acquisitions to reference in their emails. These hackers are also ultimately taking advantage of employees’ willingness to be helpful, especially when requested to act by a c-suite executive of the company.
HR departments are also commonly targeted to gain unfettered access to the victim’s credentials. Snapchat is the latest victim of this method after the hacker posed as the CEO and requested payroll information, which may then place the company’s employees at risk of identity theft. While employees are a company’s biggest asset, they are unfortunately usually the weakest link when it comes to security. For organizations today, the only way to efficiently protect against attacks such as this is to arm employees with the know-how to avoid these compromises.

Educating employees

Education, supported by repeated reinforcement, is the most effective method of protecting companies against BEC scams and similar attacks.There is a frightening lack of public awareness around the prevalence of these scams, meaning CEOs, CIOs and CISOs should educate employees on what an attack entails. Employees who are aware of the threat and are encouraged and even empowered to scrutinise emails will have the confidence to decline or at least double check what they perceive as an illicit request. A security-aware culture is essential. Related to this is the threat of accessing public Wi-Fi hotspots on work devices. BEC attacks rely on the hacker having context with which to make the request seem legitimate. These include email addresses and formats, names, travel details, internal processes – all of which can be readily gleaned through man-in-the-middle attacks on public Wi-Fi. Public Wi-Fi hotspots are not typically encrypted, meaning that with the right tools, skilled hackers can intercept sensitive information on a device and use it to target that company. Understanding the danger of transmitting sensitive data “in the clear” reduces the opportunity for a hacker to intercept revealing information or to eavesdrop on online conversations. As well as education, companies should also invest in sophisticated mobile security for both the network and the device, to protect against data loss in the event of a man-in-the-middle attack. Employees are at the heart of every day-to-day process but are also the weakest links in cyber security. Ensuring that they are up to speed with current security issues is crucial to avoiding falling victim.