By Jeff Goreski, Vice President of Digital Forensics and Incident Response
Business Email Compromise (BEC) scams are an increasingly common phenomenon wherein unsuspecting employees receive realistic but falsified email requests to complete seemingly innocuous tasks such as making a phone call or completing a wire transfer.
While BEC scams originated in this simple format, we’re seeing them evolve into multi-tiered techniques, such as phishing an initial target with a request that appears to come from a member of upper management and then following up with a voice-phishing (vishing) call to confirm that the transaction has been completed. Another example is the impersonation of vendor emails requesting that a payment account be updated in the corporate system. There was even a recent impersonation incident where a senior executive received a convincing WhatsApp message from what appeared to be the company’s CEO! BEC-type scams are increasingly just one in a series of techniques targeted against organizations today.
The internal threat is also ever-present. 64% of cyber incidents involve an inside bad actor. It is now quite easy for a normal internal user, without elevated rights, to connect on the dark web and sell your credentials for bitcoin. Most groups will offer small amounts up front; however, if the scam is successful, they will also pay additional bitcoin to the inside bad actor.
Most organizations put their trust and funding into technology, but as 77% of all the cyber incidents we investigate globally will attest, the root cause was a failure to allocate enough oversight, awareness training or “shock and awe” to employees.
When bad actor groups target someone, they will usually begin with a reconnaissance mission to evaluate and attempt to establish which arrows in the quiver are best suited for a specific target organization. These probes usually include script and technology induced methods as well as social and web searches to obtain customer, vendor, leadership and other commonly displayed information which can be effectively used on various campaigns.
This means that upper-level executives are no longer the preferred target; mid-level team members, who are usually the least targeted by bad actor techniques, are quickly becoming the go-to point of least resistance.
What can we do about it? The Benjamin Franklin axiom that “an ounce of prevention is worth a pound of cure” is as true today as it was when Franklin first said it. The best way to reduce the risk of a successful BEC campaign is to ensure that members of the organization are trained, reminded and semi-annually tested on identifying the things that make your Spockian eyebrow go up! In over 90% of all the incidents we investigate globally, after the root cause was identified and presented to the patient-zero user, the response is always, “Why didn’t I see it then? It was so obvious.”
CBI has been providing Cyber Readiness Assessment training and Penetration Testing for more than 20 years, and this defensible level of prevention testing can give organizations the edge they need to mitigate and deter bad actor campaigns. Remember, successful campaigns are promoted and advertised on the dark web just as much as the unsuccessful ones. Which list does your organization want to be on?