Online fraud schemes are becoming the norm. This troubling trend affects inboxes on a daily basis with malware that clones email accounts, or tracking botnets that illegally wire funds to fraudulent bank accounts. These scams are most frequently carried out by compromising user emails at a company that regularly makes wire transfers. Many of these victims’ computers have been infected with complex malware and ransomware software.
Email scams are becoming much more sophisticated because hackers are now using software that can infiltrate the basic network security systems that are commonly used by organizations. What is particularly alarming about business email compromise techniques is that they do not directly infiltrate user financial accounts, but they convince users to allow hackers access to them.
How email fraud scams work
The most common method cyberthieves use involves targeting organizations that use open source email, deploying spoof email addresses that are identical to a company’s URL, and using fraudulent e-mail requests for wire transfers that are sophisticated to the point of not arousing the suspicions of the targeted employees, who usually are responsible for company wire transfers.
From there, all it takes is for one employee to open an attachment and hackers can gain access to that person’s inbox, or these cyberattackers can use dummy domain names to send emails to other employees to lure them into opening the message. This is where the more sophisticated aspect of business email compromises come into play, because the hackers are not looking to spread a company-wide virus or network infiltration, they simply use the malware to gain an understanding of the organization’s relationships, activities, purchasing plans and various other funding-specific functions. Hackers also use the malware to learn whether the company uses wire transferring by searching for keywords in their email network systems such as “invoice” and “deposit.”
Versions of the fraud scams
There are several versions of these fraud scams that are capable of attacking organizations of any size, from a small business to the federal government’s Office of Personnel Management, which had 5.6 million fingerprints of employees stolen through an email scam, according to the Washington Post. While larger organizations usually have stricter cybersecurity functions, they may also be easier for hackers to study and analyze prior to an attack with a variety of sophisticated strategies, such as:
1. Spoofed email addresses
Hackers use a spoofed email address from a company that has a long-standing relationship with another business. The hacker then makes a request to the employee of that business responsible for fund transfers to send payment for an invoice to a fraudulent account. The email’s request, as well as all correspondences, will appear legitimate.
2. Hacked executives
Hackers compromise the email account of an executive by using a spoofed or hacked email address from a credible employee, then request a wire transfer. This is similar to the previous approach, except that it involves an executive directly sending funds to a bank account.
3. Targeted employee emails
Hacking into an employee’s e-mail account is simple in that once it is compromised, hackers can send wire transfer requests to vendors of the business. These funds can then be sent to a fraudulent account or a bank.
What businesses can do to protect themselves
As these cyberattacks become more varied, expansive and sophisticated, it is vital that businesses understand how to mitigate risks. In an FBI report cited by Dark Reading, there are several recommendations for firewalling against email fraud, most notable was to develop intrusion detection systems that flag similar – but slightly different – URLs in the email addresses. The example the FBI provided was to flag an email with abc-company.com, versus a legitimate abc_company.com. The FBI also suggested implementing the following steps:
1. Multi-faceted email authentication
Organizations can increase security by setting up multiple steps in their email authentication processes. For example, biometric authentication (e.g., fingerprint scanning) can be used to verify the identities of individuals requesting and receiving wire transfer funds.
2. Verified business transactions
Companies should establish verifications for significant business transactions. According to a Bank Info Security interview with JohnLaCour, CEO ofPhishLabs, organizations need to implement cybersecurity measures for monetary transactions, with fraud controls beyond simple email security functions.
“Balances should be checked daily, wire transfers must require two parties to be authorized, and e-mail messages from executives requesting fund transfers should always be followed up with a telephone call,” LaCour explained.
3. Reduced sharing of company information
An important, but less obvious, step for businesses is to restrict published information about company and employee activities through its websites, social media platforms and other online outlets. Posting inside information on the Internet not only makes it easier for hackers to learn more about the inner workings of a company, but it allows them to know which employees to target within an organization.
All organizations need cybersecurity protocols and anti-virus programs, but it is also necessary to provide education on tech security best practices for all employees. It only takes one error to put an entire company at risk.
