Historically, individuals have been the target of hackers rather than large companies or businesses. But this is beginning to change with the number of organizations worldwide falling victim to major cyber attacks dramatically rising. Hackers are now infiltrating businesses of all sizes – and not just through traditional system hacks, but through social engineering.
One of the latest threats duping enterprises out of millions is business email compromise (BEC), also known as CEO fraud. BEC attacks are carried out by compromising or impersonating official business email accounts of c-suite executives, typically the CEO or CFO.
The hacker imitating the executive urgently requests an employee, often within the accounts department, to conduct an unauthorised wire transaction to a specific recipient, usually to pay a fake invoice. Typically the money is sent to accounts in Asia or Africa before the company realises it has been duped. The message and hijacked email account appear legitimate to the individual who, without realising, places their organization at huge risk.
BEC in action
An example of a BEC attack in action is the Belgian bank Crelan, which lost $75.8 million to a BEC scammer. Fortunately, with its notable reserves Crelan survived the attack, but for smaller enterprises the result could be catastrophic. Another example is The Scoular Company, an employee-owned commodities trader in North America. In this case the fraudster pretending to be the CEO told the Controller in a confidential email that Scoular was in the process of acquiring a Chinese company. The Controller was instructed to liaise with a lawyer at KPMG and to wire $17.2 million to an offshore account in China, which he did not question.
Pinpointing the target
Within the above enterprise examples, the criminal behind the attack has clearly researched the management structure and pinpointed which employee is the best target. Sophisticated BEC attackers will typically research travel schedules of executives or mergers and acquisitions to reference in their emails. These hackers are also ultimately taking advantage of employees’ willingness to be helpful, especially when requested to act by a c-suite executive of the company.
HR departments are also commonly targeted to gain unfettered access to the victim’s credentials. Snapchat is the latest victim of this method after the hacker posed as the CEO and requested payroll information, which may then place the company’s employees at risk of identity theft. While employees are a company’s biggest asset, they are unfortunately usually the weakest link when it comes to security. For organizations today, the only way to efficiently protect against attacks such as this is to arm employees with the know-how to avoid these compromises.