social engineering

Business Email Compromise

Business Email CompromiseBusiness Email Compromise (BEC) Scams

A Business Email Compromise, or (BEC) for short, is a type of attack that targets company email. A hacker gains control of a business email and uses that access to request money or data.

The most recent data we have available from April to May shows a 200% rise in BEC scams, and the trend continues to go up. These types of hacking events are on the rise because they result in much higher amounts of money than a normal phishing attack. On average a BEC attack results in 100x greater profit to the criminal than a normal malware attack.

The FBI outlines five types of BEC attacks.

Invoice Scams: An invoice scam could originate with your company, or a vendor you work with. The criminal gains access to a professional email account and uses that access to send an invoice. Sometimes the invoice looks different than usual, but not always. Jack talks about an invoice scam we saw in the Miami Valley where the criminal simply changed the routing number, and let the business send the wire transfer as usual. Watch Jack’s video here.

Account Compromise: Criminals gain access to an executive’s email account and use the address book to request money from business contacts. Once criminals have access to executive email, they will watch traffic as well as read email history. Criminals can hang around in a compromised email for weeks looking for the best way to steal money.

CEO Fraud: Attackers pose as company CEO or other upper level executive, and email employees in the finance department instructing them to transfer funds to an outside account. This can be done by actually gaining access to a CEO’s email, or by using a spoofed email account. Many employees would be hesitant to question a request from the CEO.

Legal Impersonation: Criminals pose as a law firm representing the company with confidential information. This scam is done over the phone, or email, and will typically fall at the end of the workday or week. The criminals in this scam rely on urgency, and confidentiality.

Data Theft: This tactic normally targets Human Resources departments for confidential data instead of money. Criminals will pose as other members of the company and ask for employee information or database access.

All of these methods rely heavily on quality research, and targeted social engineering. These are not blanket phishing emails sent to thousands of email addresses. The criminals know exactly who they are impersonating. They gain access to a business email account through any number of tactics like password reuse, a separate phishing attack, malware, or missing security patches. Once they gain access, they read emails and form a plan for exploitation. Criminals can spend weeks inside the compromised email developing a method of best attack. This is a long, well researched process.

Employee education is the key to prevention, especially in Finance and HR departments. Open communication as well as quality IT Security is the best way to prevent these kinds of attacks. Employees should be encouraged to confirm requests for money, especially if they are out of the ordinary. The criminals first have to gain access to the business email in order to develop this kind of attack. A high quality layered security approach is the best defense against a criminal gaining access to a business email in the first place.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on FacebookTwitter and LinkedIn and stay up to date on by subscribing to our email list.

 

Posted by Charles Wright in Recent Posts

Cyber Insurance Explained

Jack talks through the many aspects of Cyber Insurance, and why it’s a good idea to work with a professional when choosing a policy.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business

Patch Management

Back to Basics with Patching and Updating

Microsoft released two patches this week outside of their normal monthly update. These two vulnerabilities opened Microsoft users to hackers and were serious enough that the company pushed the updates out of schedule. This is the kind of story that emphasizes one of the steps in our Q-Stack. You can read the whole story on the Microsoft patches Here. Today we’re going Back to Basics with Patching and Updating.

When we talk about patch management in the IT world, what we are really talking about are updates. Operating system and application developers both consistently release patches to correct errors or bugs found in software, or security updates when vulnerabilities are found. Hackers and software companies are in a continuous battle for the next vulnerability. The hacker finds a vulnerability they can exploit, the software developer sees this exploitation and releases a patch.

There are many aspects of patching to think about. Servers, operating systems, and software all have patches. Any of these three components could present a vulnerability a criminal could exploit. Many systems offer automatic updates, but these do not always cover all updates. It is best to have a professional manage you company’s updates for times like these when a patch comes out of schedule and there is a known vulnerability. Hackers are reading the IT news just like we are, so they know there’s a Microsoft vulnerability that could be open for a couple weeks.

Another factor to consider is end of life software. As machines and operating systems age, there is a point where developers stop supporting software. We covered this issue last year when Microsoft decided to continue to support Windows 7, but with limitations. Users had to pay for the support and it only lasted a year as a stopgap. At some point the software does not pass the ‘worth it’ factor for the company, and they decide to discontinue support. In a business setting, this is a problem you should see coming, and have a solution to well before the abandonment date.

Now that many companies have employees working from home, it’s an even more important time to focus on patches and updates. If employees are using a personal computer, this device is an unknown on the business network. Even if employees are only accessing email, and remote services, patching and updating is still a critical step to keeping that personal machine working. Educating users about the basics of IT security is always important, but now it’s even more critical as many employees are using person equipment to do their job.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on FacebookTwitter and LinkedIn and stay up to date on by subscribing to our email list.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business, Virtualization

Cyber Insurance Checklist

Today we are featuring a downloadable guide to make it easier to understand Cyber Insurance. This is a great starting point to understand the depth and complexity of Cyber Insurance, and the responsibility is places on the company.

<–Click on the image to view the PDF Checklist.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business