Email systems are the number one target of cybercriminals, and the situation is only getting worse. Attackers are finding new ways to infiltrate email accounts and use them as a platform for launching other types of attacks.
Credential-based attacks such as account takeover (ATO) and business email compromise (BEC) are becoming more prevalent. According to the FBI's Internet Crime Complaint Center (IC3), the 41,058 BEC attacks reported by U.S. victims from 2013 to 2018 cost them $2.9 billion, and global losses were roughly four times that amount. In 2017 alone, reported BEC losses exceeded $676 million.
For example, earlier this year, the Henderson, Texas school district was duped into transferring more than $600,000 in a BEC attack after hackers impersonated a legitimate school contractor.
ATO attacks begin with the theft of an email credential, typically through phishing or by trying a password that leaked in an earlier breach. The attacker then sends targeted phishing from the legitimate account, where it inherits the real sender's reputation and history and slips past checks that only look for spoofed domains. If the attacker obtains the credentials of a key employee (the owner or CEO, say), the compromised account can be used for a BEC attack that persuades other employees to transfer money or information. Note that BEC does not strictly require a compromised account: attackers also spoof an executive's display name or register a look-alike domain, which is why visibility into domain fraud matters alongside account protection.
Javelin Strategy & Research reported a three-fold increase in account takeover losses last year. ATO and BEC attacks have become more effective for criminals at obtaining money, or information they can sell, as the return on ransomware attacks declines. These attacks are also very difficult to detect or protect against because they rely on psychological manipulation rather than on malicious links or attachments. According to a recent Barracuda report:
“About 60 percent of BEC attacks do not involve a link: the attack is simply a plain text email intended to fool the recipient into committing a wire transfer or sending sensitive information. These plain text emails are especially difficult for existing email security systems, because they are often sent from legitimate email accounts, tailored to each recipient, and do not contain any suspicious links.”
Password security, training, and technology are the best defenses
Once an email account is compromised, attackers can cause significant damage and business disruption. The organization that falls for a BEC attack feels the pain first, and most, but the pain spreads to its customers and vendors as well, since the compromised account is used to target them next. So, what can your clients do to protect themselves?
- Enforce secure password rules and make sure employees aren't reusing the same password across multiple sites or applications; a password exposed in one breach is quickly tried against every other service the victim uses. No employee is exempt from this rule: in 2016, Facebook CEO Mark Zuckerberg had his Twitter and Pinterest accounts hijacked after criminals obtained his password from the 2012 LinkedIn breach.
- Use multi-factor authentication so that a stolen password alone is not enough to take over the account. After entering the password, the user must prove possession of a second factor, such as a one-time code from an authenticator app or a hardware security key. Two caveats: SMS codes are better than nothing but can be intercepted or redirected through SIM-swap fraud, and a code emailed to the same mailbox the attacker is after offers no protection at all once that mailbox is compromised. Encrypt mail in transit (TLS) as well, so credentials and messages cannot be read on the wire.
- Train users to recognize the phishing messages that lead to account takeover and the follow-on messages that are the BEC attack itself. They should be suspicious of short, generic or urgent messages from colleagues, especially requests to change payment details, and should verify links and downloads before opening them. They should never send credentials or other sensitive information by email. Training should include regular phishing simulations.
- Set up procedures for payments and wire transfers that require confirmation over a channel the attacker does not control: an in-person conversation, or a phone call to a number already on file, never one supplied in the email that requests the transfer.
Additionally, there are emerging technology solutions that can validate credentials at the time they are set or used, checking them against the corpora of passwords that have already leaked in breaches and are circulating online, so that a known-compromised password is rejected before an attacker gets to try it.
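The breach-corpus check described above can be built without ever sending the password, or its full hash, to a third party. The following is an added example, not code from this post or from Barracuda's products: it implements the k-anonymity range lookup used by the Pwned Passwords API (SHA-1 the password, send only the first five hex characters, match the remaining suffix locally against the returned range). The `SAMPLE_RANGES` response is constructed for offline use: its first suffix is the real suffix of SHA1("password"), but the breach counts and the other suffixes are made up. `live_fetch_range` calls the real endpoint and is provided for reference only; nothing calls it by default.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned-Passwords-style range response for the 5-hex-char
# prefix "5BAA6" (the prefix of SHA1("password")). A real response lists every
# suffix sharing that prefix with its breach count; these counts are invented.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"   # real suffix of SHA1("password")
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"         # made-up neighbour
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"         # made-up neighbour
    ),
}


def split_hash(password: str):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines and CRLF."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint: unknown prefixes yield an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Query the real Pwned Passwords range endpoint (network required; not used by default)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=sample_fetch_range) -> int:
    """How many times the password appears in breach data; only the prefix leaves the host."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def check_password(password: str, fetch_range=sample_fetch_range, min_length=12):
    """Return the list of reasons to reject a proposed password (empty list means accept)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        reasons.append(f"appears in known breach data ({seen} times)")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-2018"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

In a real deployment the check runs at password-set time and at login (against the stored hash prefix only), and a hit should force a change plus a session reset rather than just a warning. Swap `live_fetch_range` in for `sample_fetch_range` to query the live service.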
Take a proactive approach to protecting your customers
It’s critical to recognize these threats and respond to them proactively. At Barracuda, one way we’re doing that is with the launch of Barracuda Sentinel, a product that identifies and stops the spear phishing and cyber fraud attacks that create the opening for BEC. Sentinel uses artificial intelligence to detect and block account takeovers and provides visibility into domain fraud. If an employee’s account suddenly starts sending blast emails to people that employee rarely communicates with, for example, the solution can detect that deviation from the account’s normal behavior and take action (such as deleting the potential phishing emails) before the problem spreads.
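The behavioral signal described above (a known account suddenly blasting mail at people it has never written to) can be expressed as a simple detector over sent-mail logs. The following is an added example written for this page; it is not Barracuda Sentinel's logic and makes no claim about how that product works. It builds a per-sender baseline from a few days of constructed log lines (recipients seen before, and average messages per active day), then flags any sender whose busiest one-hour window is both far above that daily volume and dominated by never-before-seen recipients. The log format, addresses and thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sent-mail logs ("ISO-timestamp sender recipient"), not real data.
# BASELINE_LOG covers three normal days; in WINDOW_LOG the CEO account has been
# taken over and starts mailing colleagues it has never contacted before.
BASELINE_LOG = """\
2018-06-01T08:30:00 ceo@example.com cfo@example.com
2018-06-01T11:10:00 ceo@example.com assistant@example.com
2018-06-02T09:00:00 ceo@example.com coo@example.com
2018-06-02T15:45:00 ceo@example.com cfo@example.com
2018-06-03T10:20:00 ceo@example.com assistant@example.com
2018-06-03T16:00:00 ceo@example.com coo@example.com
2018-06-01T09:15:00 dev@example.com pm@example.com
2018-06-01T14:00:00 dev@example.com qa@example.com
2018-06-02T10:30:00 dev@example.com pm@example.com
2018-06-02T17:00:00 dev@example.com qa@example.com
"""

WINDOW_LOG = """\
2018-06-04T09:00:00 ceo@example.com cfo@example.com
2018-06-04T09:01:00 ceo@example.com payroll@example.com
2018-06-04T09:02:00 ceo@example.com ap@example.com
2018-06-04T09:03:00 ceo@example.com hr@example.com
2018-06-04T09:04:00 ceo@example.com legal@example.com
2018-06-04T09:05:00 ceo@example.com sales1@example.com
2018-06-04T09:06:00 ceo@example.com sales2@example.com
2018-06-04T09:07:00 ceo@example.com ops@example.com
2018-06-04T09:08:00 ceo@example.com it@example.com
2018-06-04T09:09:00 ceo@example.com marketing@example.com
2018-06-04T09:10:00 ceo@example.com support@example.com
2018-06-04T09:11:00 ceo@example.com facilities@example.com
2018-06-04T09:30:00 dev@example.com pm@example.com
2018-06-04T10:15:00 dev@example.com qa@example.com
"""


def parse_log(text):
    """Parse log lines into (datetime, sender, recipient) tuples, addresses lower-cased."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, recipient = line.split()
        events.append((datetime.fromisoformat(ts), sender.lower(), recipient.lower()))
    return events


def build_baseline(events):
    """Per sender: recipients seen so far, and average messages per day on which they sent mail."""
    contacts = defaultdict(set)
    per_day = defaultdict(Counter)
    for ts, sender, recipient in events:
        contacts[sender].add(recipient)
        per_day[sender][ts.date()] += 1
    typical_daily = {s: sum(c.values()) / len(c) for s, c in per_day.items()}
    return contacts, typical_daily


def detect_blasts(events, contacts, typical_daily, window=timedelta(hours=1),
                  volume_factor=5, min_messages=3, new_ratio=0.6):
    """Flag senders whose busiest window holds at least volume_factor x their typical DAILY
    volume and where at least new_ratio of the messages go to never-before-seen recipients."""
    by_sender = defaultdict(list)
    for ts, sender, recipient in events:
        by_sender[sender].append((ts, recipient))
    alerts = {}
    for sender, msgs in by_sender.items():
        msgs.sort()
        threshold = max(min_messages, volume_factor * typical_daily.get(sender, 1.0))
        known = contacts.get(sender, set())
        for i, (start, _) in enumerate(msgs):
            in_window = [r for ts, r in msgs[i:] if ts - start <= window]
            if len(in_window) < threshold:
                continue
            unseen = [r for r in in_window if r not in known]
            ratio = len(unseen) / len(in_window)
            if ratio >= new_ratio:
                alerts[sender] = {
                    "window_start": start.isoformat(),
                    "messages": len(in_window),
                    "new_recipients": len(set(unseen)),
                    "new_ratio": round(ratio, 2),
                }
                break  # one alert per sender is enough to trigger a response
    return alerts


def run():
    """Build the baseline from BASELINE_LOG and score WINDOW_LOG against it."""
    contacts, typical = build_baseline(parse_log(BASELINE_LOG))
    return detect_blasts(parse_log(WINDOW_LOG), contacts, typical)


if __name__ == "__main__":
    for sender, info in run().items():
        print(f"ALERT {sender}: {info}")
```

With these constructed logs the CEO account is flagged (12 messages in eleven minutes, 11 of them to new recipients) while the developer's two routine messages are not. The thresholds are illustrative; a production detector would also weigh sign-in anomalies and newly created forwarding rules, and an alert should lead to a credential reset and session revocation, not just deletion of the outbound messages.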
Businesses (regardless of size and market) are vulnerable to ATO and BEC attacks. It’s critical that service providers take steps now to help protect their customers’ networks from these sophisticated and increasingly successful types of cyber fraud.