Battling email fraud: the power of people-centric security

For decades, the cybersecurity industry has poured resources into understanding the people behind cyber-attacks – their tactics and their motives.

Emile Abou Saleh, Proofpoint

While it’s vital that we understand who is attacking us, it’s just as vital, if not more so, that we also understand who is being attacked.

Increasingly, cybercriminals are focusing their efforts on individuals within organisations rather than launching blanket system attacks. The methods may differ – phishing, spoofing, malware – but the result is all-too-often the same: substantial losses.

According to the latest Gartner forecast, cybersecurity is currently one of the major risks affecting MENA businesses and individuals. Most attacks exploit weaknesses through a familiar set of mechanisms: socially engineered malware, phishing, unpatched or insecure software, social media attacks and advanced persistent threats.

One such style of attack is business email compromise (BEC). Dubbed the most expensive problem facing cybersecurity, the spoofing and commandeering of company email is estimated by the FBI to have resulted in worldwide losses of $26 billion since 2016.

Attacks of this nature are particularly pernicious as, when convincing enough, they can get behind even the best security defences incredibly quickly.

To stand a chance of keeping them at bay, it’s vital that employees at every level of your organisation know what they are up against and how best to defend against it.

Understanding the attackers

Organisations face two common types of BEC. In its simplest form, an attacker spoofs the identity of a corporate email account to convince the email recipient to divert funds to a fraudulent bank account.

Typically, the spoofed email will be that of someone in authority such as the company’s CFO, the accounts department of a supplier or a trusted third-party such as a corporate lawyer.

In the more menacing version, the attacker gains access to a legitimate email account and uses it to defraud an organisation. This approach is potentially far more damaging as it offers access to a trove of inside information that can be used to make a fraudulent request seem much more convincing.

One of the most common variants of BEC scams is bogus invoicing. Here an attacker spoofs or commandeers the email address of a supplier or company CEO to request a change in payment details. If the email address is legitimately compromised, the invoice in question may well be genuine, increasing the likelihood of a successful attack.

Attackers adopt a number of tactics to socially engineer employees into handing over substantial sums of money. There are also significant regional differences in employee behaviour: Proofpoint’s 2019 Human Factor Report shows that Middle Eastern and European users are more likely to click at midday, after lunch and into the late evening.

Furthermore, Proofpoint’s recent research on prolific threat actor TA505 shows that tens of thousands of emails attempting to deliver Microsoft Excel attachments with English and Greek lures have targeted financial institutions in countries around the world including the United Arab Emirates.

Another approach gaining in popularity, up 50 percent year-on-year, is ‘Fake Forwarding’. As well as including Re: or Fwd: in a subject line, this method of attack usually includes a bogus email chain to increase the air of legitimacy.

Then there’s the tactic of using privileged information to gain trust. This could be gleaned from the email of a compromised account or by scouring publicly available information.
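The patterns described in this section (a spoofed display name on an external address, a ‘Fake Forwarding’ subject line with no real thread behind it, and a request to change payment details) can be turned into simple triage checks for inbound mail. The script below is an added example and is not Proofpoint’s code or the article’s; the organisation domain (example.com), the executive name (Jane Doe), the keyword list and the two sample messages are all constructed for illustration.

```python
"""Lightweight BEC triage of inbound mail, as an added example (not from the
article). It checks three signals discussed above: display-name impersonation
of an internal executive, 'Fake Forwarding' (Re:/Fwd: subject without thread
headers) and payment-detail change requests. All sample data is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data: the domains we legitimately send from and the
# display names of people whose identity an attacker would want to borrow.
INTERNAL_DOMAINS = {"example.com"}
VIP_NAMES = {"jane doe"}  # e.g. the CFO

# Constructed lure vocabulary for payment-diversion requests.
PAYMENT_TERMS = re.compile(
    r"\b(bank details|account number|iban|payment details|wire transfer|updated? (our )?bank)\b",
    re.IGNORECASE,
)


def triage(raw_message: str) -> list[str]:
    """Return a list of findings for one RFC 5322 message (empty if nothing is suspicious)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. Display-name impersonation: an internal VIP's name on an external address.
    if display_name.strip().lower() in VIP_NAMES and domain not in INTERNAL_DOMAINS:
        findings.append(f"display-name impersonation: '{display_name}' <{address}>")

    # 2. Fake Forwarding: the subject claims a reply/forward but there is no thread context.
    subject = msg.get("Subject", "")
    if re.match(r"^\s*(re|fwd?|fw)\s*:", subject, re.IGNORECASE) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append("fake forwarding: Re:/Fwd: subject without In-Reply-To/References")

    # 3. Payment-diversion lure in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_TERMS.search(text):
        findings.append("payment-detail change request in body")

    return findings


# Constructed sample: executive name on a free-mail address, bogus "Re:" and a lure.
SUSPICIOUS = """\
From: Jane Doe <jane.doe.cfo@freemail.example>
To: accounts@example.com
Subject: Re: Invoice 4471 - urgent
Content-Type: text/plain; charset="utf-8"

Hi, as discussed with our supplier, please use the updated bank details below
for this invoice and confirm once the wire transfer is done.
"""

# Constructed sample: genuine internal reply with proper threading headers.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Re: Q3 board pack
In-Reply-To: <abc123@example.com>
References: <abc123@example.com>
Content-Type: text/plain; charset="utf-8"

Thanks, the draft looks fine. Let's review on Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", triage(sample) or "no findings")
```

None of these checks is proof of fraud on its own; they are meant to route a message to a human reviewer or to the out-of-band verification step that a payments policy should already require.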

Understanding the attacked

Unfortunately, scams of this nature are becoming increasingly commonplace. Last year saw a 58 percent increase in BEC attacks and we expect that trend to continue.

The more prevalent and sophisticated such attacks become, the better every member of your team needs to be at spotting them.

The key to this is creating a security-conscious culture throughout every level and function of your organisation.

Today, we are seeing a correlation between job role and exposure to attack that runs in the opposite direction to what many would expect: the lower the employee’s level, the more likely they are to experience an attack, from the executive through upper and lower management down to individual contributors.

The art of defending in depth

A seemingly legitimate request from a seemingly genuine account is incredibly hard to defend against. Organisations must embrace a defence in depth approach. This includes ensuring your employees use unique, hard-to-crack passwords and two-factor authentication wherever possible. Training is also crucial; it should be regular and comprehensive, with content localised into different languages to reflect the diverse cultural background of the workforce, especially in countries such as the United Arab Emirates.

Finally, put policies in place regarding certain requests and ensure that everyone in your organisation understands that email is not a trustworthy method of communication. In short, any interaction that has a monetary consequence should not take place solely via email.
