Social engineering and phishing scams come in many different forms, infinite forms really, since attackers are constantly coming up with new ways to trick victims. One flavor of attack has become increasingly popular because it is so effective: Business Email Compromise (BEC). In 2015 alone, BEC attacks cost companies over $1.2 billion. BEC attacks all have these phases:
1. Obtain access to a high-ranking individual's email account.
This can be done a few different ways; basically, all an attacker needs is the username and password combination for that individual's account. The most common way to get this is through a phishing scam targeted at that individual. The attacker will send a phishing email to the person and get them to click on a link and enter their credentials, or release malware on their machine. Phishing emails are surprisingly successful for attackers: 23% of recipients will open the emails and 11% will actually click on a link. At this point it is just like fishing (yes, pun intended): send enough emails out and you are bound to get a bite.
Targets are often management or C-level executives who deal with money or have the ability to make financial decisions or requests.
2. Misuse of obtained email account.
Once an attacker has access to the individual's email account, the possibilities are endless. They now have the ability to send and receive emails as that individual. The most common way BEC attacks handle this step is to make financial requests as that person. For example, CEO fraud is highly common: the attacker may pretend to be the CEO in order to send emails to the finance team requesting that they wire money to a specific account, as in the case of AFGlobal.
How to protect your company from BEC scams
User education! These types of attacks all involve human error. It doesn't matter how secure your systems are: if your people are either willing to give out credentials or aren't thinking twice before fulfilling unusual requests, the attackers will be able to get whatever they need. Every business, regardless of size, needs to have an education and awareness program in place. You should be holding, at minimum, annual company-wide awareness training sessions, running an annual Personnel Security Awareness (PSA) test, and regularly communicating with your staff about security. For more information, see how Kalki structures our own Education & Awareness programs.