The silent killer: the threat costing more than ransomware
By John Karabin, director of cybersecurity at NTT Ltd Australia
Friday, 22 July, 2022
If I asked what you think the biggest cyberthreat to businesses is, you might think of ransomware attacks. Channel Nine, Microsoft, Colonial Pipeline, UnitingCare, JBS — this is what makes the headlines. It’s hard to ignore when 80% of Australian organisations were hit with ransomware in 2021, up from 45% in 2020. However, while all eyes are on ransomware, a bigger threat may be weaving its way into your everyday operations unnoticed.
That bigger threat is business email compromise (BEC). The severity of BEC is easy to overlook if you focus only on media headlines, but in the 12 months prior to July 2021, BEC cost Australians over $81 million — with the average financial loss per BEC report up 54%. These attacks are becoming more prevalent, with the ACSC receiving over 4600 BEC reports in 2021 compared to 500 ransomware cybercrime reports. The state of Victoria has already reported 233 BEC attacks in the first half of this year, with 152 victims paying a total of over $9 million.
BEC is a scam in which an attacker poses as someone the victim would trust — a customer, boss, business, or authoritative figure — for the purposes of stealing something (usually money). The sender uses a spoofed account to trick the victim into wiring a sum of money to the criminal, conning the victim into believing that they may be paying something as ordinary as a phone bill.
Common BEC methods include employee impersonation, in which a corporate account is compromised so the cybercriminal can pose as a co-worker, often someone in a position of power such as the CEO. Cybercriminals may also impersonate a company itself, placing orders to obtain goods from a domain name that is strikingly similar to that of a well-known and reputable business.
False invoice schemes are another BEC method: the cybercriminal gains access to legitimate invoices, edits the contact and bank details, and sends them from the compromised account to the intended recipient. The victim pays the invoice believing they are paying the vendor, while the funds are actually diverted to the attacker.
Why humans could be the weakest link in a company’s security strategy
Historically, BEC has been less technical than ransomware and relies on social engineering, i.e., psychological manipulation with malicious intent for financial gain. However, both ransomware and BEC seek to exploit human error, and it’s important that the focus shifts to strategies that undermine the BEC business model.
Manipulation in this way can have serious consequences. In September 2020, Australian hedge fund company Levitas Capital was forced to shut down after suffering a cyber attack. Investigators found that the attack was initiated after one of the founders clicked on a fake Zoom invitation, triggering a malicious software program to plant itself on the company’s network. This helped the cybercriminals infiltrate the corporate email system and send fraudulent invoices, leading the trustee and administrator to mistakenly approve $8.7 million in transfers.
The human error issue affects organisations across the board. The latest Office of the Australian Information Commissioner (OAIC) report identified a significant increase in data breaches caused by human error, from 31% to 41%, driven by a number of factors, including a lack of awareness of the right course of action, particularly in today’s hybrid workforce where individuals are continually introduced to new ways of working with technology. Another factor is a weak security culture, where people do know what the right thing to do is but opt for the easier option or don’t think they’re likely to be scammed.
How to thwart potential threats
There are ways to systematically reduce room for error and minimise the opportunities a cybercriminal has to infiltrate a network with BEC. For example, implement multi-factor authentication, which adds an extra line of defence to devices and accounts by requiring users to provide sufficient verification before accessing sensitive data. Additionally, invest in software that can detect spoofed accounts and malicious behaviour.
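The spoofed-account detection mentioned here, applied to the impersonation methods described earlier (a display name borrowed from an executive, a lookalike vendor domain, a Reply-To pointing elsewhere), as an added example that is not from the original article or from NTT; the domains, executive names and messages are constructed for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed example data: the corporate domain, executives who are commonly
# impersonated, and the vendor domains the business trusts.
KNOWN_EXECUTIVES = {"jane smith": "jane.smith@example-corp.com"}
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}

# Characters attackers swap into lookalike domains; fold them before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain):
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def is_lookalike(domain):
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    if domain.lower() in TRUSTED_DOMAINS:
        return None
    folded = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        # Exact match after homoglyph folding, or a near-identical spelling.
        if folded == trusted or SequenceMatcher(None, folded, trusted).ratio() >= 0.9:
            return trusted
    return None


def check_message(headers):
    """Return the BEC indicators found in one message's From/Reply-To headers."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2]
    imitated = is_lookalike(domain)
    if imitated:
        flags.append(f"lookalike domain {domain} imitates {imitated}")
    real = KNOWN_EXECUTIVES.get(name.lower())
    if real and addr.lower() != real:  # executive's name on a foreign address
        flags.append(f"display name '{name}' does not match known address {real}")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain.lower():
        flags.append(f"Reply-To {reply} diverts replies away from the From domain")
    return flags


SAMPLE_MESSAGES = [  # constructed headers, not captured traffic
    {"From": "Jane Smith <jane.smith@example-corp.com>"},
    {"From": "Jane Smith <ceo.janesmith@gmail.com>", "Reply-To": "ceo.janesmith@gmail.com"},
    {"From": "Accounts <billing@acme-supp1ies.com>", "Reply-To": "billing@acme-supplies.co"},
]
```

Flagged messages would be held for a second channel of verification (a phone call to a known number) rather than acted on, which is the control that defeats the false-invoice variant.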
Adopting a security-first culture can also help align your security goals with your employees and strengthen them as a line of defence to reduce risk. When people are armed with knowledge and awareness, it could mean the difference between falling victim or saving someone from financial losses. In fact, a NAB employee blocked an attempted BEC scam and saved her organisation $6 million in doing so.
Cyber attacks come in many forms, and being aware of those forms can only help. Although ransomware is a major threat to businesses, it’s important to note that headlines project prominence but don’t necessarily equate to prevalence. A cybercriminal’s success rides on the attack going unnoticed, and BEC is a highly effective method that stays under the radar of many. Any and every attack is serious, but you need to remain prepared and vigilant, especially for the ones that can slip through the cracks of your network.