How to Stop the Costliest Internet Scam

According to Steve Flynn, Director of Sales and Marketing, ESET South Africa, it is high time for organizations to get a handle on the business email compromise scams that caused greater losses to victims in 2021 than any other type of cybercrime.

While ransomware, hacking, API hijacks and all other cybersecurity threats make the headlines, it’s worth remembering that the costliest internet scam is still business email compromise, according to the latest FBI report on Internet crime.

Among the complaints received by the FBI in 2021, ransomware, business email compromise (BEC) schemes, and criminal use of cryptocurrency were the most frequently reported types of incident. Technology-based systems are under attack, costing organizations around the world billions of dollars in lost funds.

The FBI's Internet Crime Report for 2021 corresponds to what we see in South Africa: business email compromise remains one of the most concerning threat vectors, because the weakest link is a human, and that is not something that can be easily fixed.

The old adage that people are the weakest link in security is especially true when it comes to email threats.

Here, cybercriminals can generate arguably their biggest “return on investment” by using social engineering tactics on their targets and persuading them to follow instructions.

Despite considerable efforts by employers and financial institutions to educate customers and staff on what to avoid, many still fall victim to it, unknowingly giving access to cybercriminals. Phishing is the most obvious example of this kind of threat.

The specific type of cybercrime that exploits phishing messages is business email compromise, and it has been the most profitable criminal activity in recent years.

The latest FBI Internet Crime Report reveals that once again, in 2021, these scams generated more losses for victims than any other type of cybercrime.

It's time for organizations to get a handle on business email compromise and develop a layered defensive approach to mitigate the risk of losing large sums of money to faceless fraudsters.

The report reveals that while only 19,954 BEC complaints were received last year – far behind the top complaints of phishing (324,000), non-payment/non-delivery (82,000) and personal data breach (52,000) – the $2.4 bn lost via BEC far exceeds the losses from any of the more frequently reported crimes on the list.

Although the lower number of cases may make BEC seem less of a problem than other types of fraud, it is the type of fraud that costs businesses the most: an increase of 82% compared to 2020, and close to one-third of all cybercrime losses in 2021.

How does BEC work?

At a simple level, BEC is a type of social engineering. Members of finance teams are typically targeted by someone they believe to be a senior executive or CEO who wants an urgent money transfer to take place, or potentially a vendor demanding payment.

As implausible as it may seem, these scams still work sometimes, because the victim is usually pressured to act without having time to think about the consequences of their actions – classic social engineering. Sometimes fraudulent invoices with updated bank details are enough.

It only needs to work occasionally to make it worth a fraudster’s trouble.

Because these attacks don’t use malware, they’re harder for businesses to spot. AI-powered email security solutions are getting better at detecting suspicious behavior patterns that can indicate when a sender may have been spoofed.

User awareness training and updated payment processes are therefore an essential part of the layered BEC defense.

What the future holds

The bad news for network defenders is that scammers continue to innovate. The FBI has warned that deepfake audio and video conferencing platforms are now being used in concert to deceive organizations.

Deepfake audio has already been used to devastating effect in two notable instances. In one, a UK CEO was led to believe that his German boss had requested a cash transfer of €220,000. In another case, a bank manager in the United Arab Emirates was tricked into transferring US$35 million at the request of a “customer”.

This type of technology has been with us for quite some time. The worry is that it's now cheap enough and realistic enough to fool even the eyes and ears of experts. Spoofed video conferencing sessions that use not only deepfake audio but also deepfake video are a worrying prospect for CISOs and risk managers.

What can I do to fight BEC?

The FBI, security industry bodies, and companies like ESET do their best to disrupt BEC gangs wherever they operate. But given the huge potential profits on offer, arrests won't deter cybercriminals, which is why prevention is always the best strategy.

Organizations should consider the following:

  • Invest in advanced email security that leverages AI to discern suspicious email patterns and sender writing styles
  • Update payment processes so that large EFT transfers must be signed off by two employees
  • Double-check all payment requests with the person who supposedly made the request
  • Include BEC in staff security awareness training, for example through phishing simulations
  • Keep up to date with the latest BEC trends and be sure to update training courses and defensive measures accordingly
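The payment-process items in the list above can be enforced in software rather than left to memory. The following is an added example, not code from the article or from ESET, of a screening function that checks an outbound payment request against those controls: two distinct approvers for large transfers, confirmation with the person who supposedly made the request, and a comparison of the invoice's bank details against the account already on file (the "updated bank details" trick mentioned earlier). The threshold, the field names and the vendor records are assumptions constructed for the example.

```python
"""Screen outbound payment requests against BEC controls.

Added example; the threshold, field names and vendor records below are
assumptions, not values from the article or any real payment system.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy: transfers at or above this amount need two sign-offs.
DUAL_APPROVAL_THRESHOLD = 10_000

# Constructed vendor master: beneficiary name -> bank account on file.
VENDOR_ACCOUNTS: Dict[str, str] = {
    "Acme Supplies": "ZA12-3456-7890",
    "Globex": "ZA99-1111-2222",
}


@dataclass
class PaymentRequest:
    request_id: str
    amount: float
    beneficiary: str
    account_number: str          # account quoted on the invoice / email
    requested_by: str            # person the email claims to come from
    approvers: List[str] = field(default_factory=list)
    # True only if someone spoke to the requester outside the email thread.
    confirmed_with_requester: bool = False


def screen_payment(req: PaymentRequest) -> List[str]:
    """Return the list of policy violations; an empty list means 'may proceed'."""
    issues: List[str] = []
    distinct_approvers = set(req.approvers)

    # Large EFT transfers must be signed off by two different employees.
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(distinct_approvers) < 2:
        issues.append("large transfer needs sign-off from two different employees")

    # The person asking for the money must not be one of its approvers.
    if req.requested_by in distinct_approvers:
        issues.append("requester cannot approve their own payment")

    # Every request is double-checked with the person who supposedly made it.
    if not req.confirmed_with_requester:
        issues.append("request not confirmed with the person who supposedly made it")

    # Compare invoice bank details with the vendor master.
    on_file = VENDOR_ACCOUNTS.get(req.beneficiary)
    if on_file is None:
        issues.append("beneficiary not in vendor master")
    elif on_file != req.account_number:
        issues.append("bank details differ from those on file (possible fraudulent invoice)")

    return issues


def may_proceed(req: PaymentRequest) -> bool:
    """Convenience wrapper: True only when no control is violated."""
    return not screen_payment(req)


if __name__ == "__main__":
    # Constructed sample: an 'urgent' CEO request with changed bank details,
    # approved twice by the same person and never confirmed out of band.
    suspicious = PaymentRequest(
        request_id="REQ-001", amount=25_000, beneficiary="Acme Supplies",
        account_number="ZA00-0000-0000", requested_by="ceo",
        approvers=["alice", "alice"], confirmed_with_requester=False,
    )
    for issue in screen_payment(suspicious):
        print(f"{suspicious.request_id}: {issue}")
```

Because the function returns the full list of violations rather than stopping at the first one, the finance team sees every control that failed, which is also the record an incident responder wants when a near miss is reviewed later.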

Like all fraudsters, BEC actors will always look for low-hanging fruit. Organizations need to make themselves a harder target, which will hopefully lead opportunistic scammers to divert their attention elsewhere.

Harry D. Gonzalez