The Evolution of Cyber Attacks: Business Email Compromise is King

Email is one of the most pervasive forms of communication for the business community. While many have predicted its downfall, this format is very much alive and a vital lifeline for millions of organizations. Just listen to the marketing professionals promoting the success of email campaigns over social media: it works better than any other option, plain and simple.

Neither businesses nor individuals are likely to step away from their inboxes any time soon. Of course, as with everything, email has its pitfalls, namely business email compromise attacks, so it's more important than ever to have a reliable email filtering service in place.

Most are familiar with the Nigerian Prince scam that was so outlandish no one thought anyone could take it seriously. In the early days, phishers were much easier to detect. 

However, in the 1990s, attackers started focusing on AOL users, sending messages that appeared to come from one of the online company's employees. Over time the scammers got more creative, using more engaging subject lines and impersonating familiar contacts or organizations. In 2003, eBay and PayPal were among the dozens of websites spoofed to steal credit card details and other PII.

It is no surprise that phishers continue to up their game each year. Today there are even more versions of these scams, including spear phishing, CEO fraud, Business Email Compromise, and many others.

While there remains a heavy emphasis on malware in the most current schemes, some of the biggest threats rely on simpler means. Hard-to-detect, targeted email fraud is the milk and honey for today's scammers, and Business Email Compromise (BEC) is quickly becoming their go-to option.

The Easiest Way is Often the Most Lucrative

The latest threat takes a simple approach. Rather than developing a malware strain or orchestrating a complex attack, all a cybercriminal has to do is impersonate someone else (often a coworker, supervisor, or partner) in an email or utilize a previously compromised account.

Most attackers ask victims to transfer large sums of money. While that approach sounds simple enough, the consequences of these methods can be devastating. The average request from BEC-based attacks rose from $48,000 in the third quarter of 2020 to $75,000 by the end of the year (just three months)!

With the profit potential ever-increasing, more scammers realize how much easier it is to ask for money than to get an unsuspecting person to click on a ransomware-laden attachment or link. All they need is a lead-generation campaign to identify good target candidates. The fact that this scam is so easy to pull off makes it all the more dangerous for businesses with scores of unsuspecting employees. Even the least skilled cybercriminal can make thousands by getting an unsuspecting worker to make a wire transfer to an untraceable account.

Expanded Opportunities

Like many aspects of business security, email attacks have also been affected by the pandemic. Attackers don’t live under rocks. They understand the opportunities that come from everything going on globally and will use those activities to build rapport and trust with their social engineering targets. Cybercriminals continue to use COVID-related topics to catch their attention and play on current fears.

Scammers also add urgency to the equation. They trick employees into thinking they need to act immediately to prevent punishment or avoid negative consequences, such as the fear of being fired for making a mistake or being audited by the IRS. The more the message plays on serious and real concerns, the easier it is to dupe a naïve employee.

Why not ask a colleague or security expert about the legitimacy of a suspect email? Sometimes workers don't know their options, and sometimes the attacker talks them out of asking. For example, Cosmic Lynx impersonates law firms, attempting to trick users into believing their correspondence must remain confidential. Hackers typically have a good understanding of security processes and leverage secure infrastructure or email gateways to make these attacks look more legitimate.
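As an added illustration (not code from the original post or from any product it mentions), here is a small Python triage check for the patterns described in the two sections above: a display name that matches a known employee but comes from a different or lookalike address, a Reply-To that diverts the conversation, and urgency, secrecy or payment language in the body. The staff directory, domains and both sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed staff directory and domain; a real deployment would pull these from HR/IdP.
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {"Dana Reyes": "dana.reyes@example.com"}  # hypothetical CFO

# Words that BEC lures lean on: urgency, secrecy and payment instructions.
LURE_WORDS = re.compile(r"\b(urgent|immediately|today|asap|confidential|wire|transfer)\b", re.I)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(headers: dict, body: str) -> list:
    """Return the BEC indicators found in one message (empty list means nothing flagged)."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # 1. Display name belongs to a known employee, but the address is not theirs.
    known = DIRECTORY.get(name.strip())
    if known and addr.lower() != known:
        findings.append(f"display-name impersonation of {name} from {addr}")
    # 2. Sender domain is almost, but not exactly, ours.
    if domain != INTERNAL_DOMAIN and _edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")
    # 3. Replies are routed to a different domain than the visible sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"reply-to mismatch {reply}")
    # 4. Two or more lure words together is worth a human look.
    hits = {m.lower() for m in LURE_WORDS.findall(body)}
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(sorted(hits)))
    return findings


# Constructed sample messages: one routine note, one CFO-impersonation lure.
SAMPLE_LEGIT = ({"From": "Dana Reyes <dana.reyes@example.com>"},
                "Attached is the agenda for Thursday's budget review.")
SAMPLE_BEC = ({"From": "Dana Reyes <dana.reyes@examp1e.com>",
               "Reply-To": "Dana Reyes <d.reyes@freemail.invalid>"},
              "I need an urgent wire transfer processed today for a confidential deal.")
```

Any message that returns findings should be held for verification through a channel other than the email itself, which is exactly the double-check the post recommends.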

Leave No Stone Unturned

The threats that enter your clients’ mailboxes can appear to be quite daunting. With attacks coming from all sides, it is easy to get caught up in detecting and preventing the ‘big problems,’ including the latest ransomware attacks.

While addressing those threats is essential, being prepared for the small phish is just as important. The risks are everywhere. 

Software will not solve every problem, either. The best defense often comes from educating end-users on what to expect and what to report. If your clients’ employees can learn anything, it should be to absolutely, under no circumstances, transfer funds without double-checking with people in the know! Not taking that essential step could be the costliest mistake they ever make.