The FBI has issued an official warning of a new scam the hackers are using, and it’s costing business big bucks. According to the FBI, BEC (Business Email Compromise) has already cost the business community more than three billion dollars, and that figure grows by the day. In fact, just last year, the FBI estimated that total losses were barely above the one-billion-dollar mark, so clearly, the scam is catching on and gaining momentum.
Unlike other scams, this one is decidedly low-tech, and compared to some of the other threats we’ve seen, not terribly sophisticated. That is, in fact, what makes it so dangerous. The key mechanism here is pure social engineering. The hackers study a given business’ typical workflow, and insert themselves into it, spoofing the email address of a CEO, or other high ranking corporate official, and requesting a wire transfer. Wanting to make a good impression on “the boss,” most employees who get this kind of email obey without question, and therein lies the problem.
Some experts have suggested that corporate email users immediately adopt two-factor authentication for email logins, but these experts miss a key point in the attack’s structure. The hackers aren’t hacking into email accounts, and because they aren’t, two-factor authentication (while a good idea in theory) won’t actually prevent these types of attacks. A better solution then, would be to put in place domain authentication routines, which would be able to ferret out spoofed emails and differentiate them from actual corporate email accounts. Even this is not a perfect solution, but it would go a long way toward solving the problem.
At the end of the day, however, what it comes down to is better employee training. If your employees are made aware of these types of attacks and the risks they pose, then they’ll be much more likely to use some non-computer type of verification (a phone call to the boss, for instance, to be sure that he or she was the one who actually requested the transfer). Social engineering scams are harder to beat than traditional hacks, but that doesn’t mean they’re impossible to prevent.