Improve Cyber Hygiene to Prevent Business Email Compromises
More than 90 percent of cyberattacks begin with a phish, in which attackers send a message to one or more targets hoping to steal personal information, access credentials, or install spyware on the target’s network. RANE spoke with experts Tim Murphy, President of Thomson Reuters Special Services, and Jason Thomas, Chief of Innovation for Thomson Reuters Special Services, to discuss how companies can build more resilient strategies to mitigate the threats that business email compromises (BECs) and social engineering attacks pose.
- Murphy and Thomas argue that the private sector, particularly the financial sector, is better suited than either the government or even the tech community to lead the way toward improved tools to stop cyber intruders and fraudsters.
- Unlike technology-sector companies that provide modern operating systems, the financial sector has both broad access to data and the imperative that comes with heavy regulation, and together these have placed the industry at the forefront of developing tools and methods to ensure efficiency, security, and compliance in day-to-day operations.
BEC attacks are becoming increasingly common and sophisticated. The FBI found that between December 2016 and May 2018 there was a 136 percent spike in scam losses related to email compromises worldwide. Attackers often perform social engineering using intelligence gained through open-source and social media research, or gleaned from an earlier phishing attack, to appear more convincing to their target audiences.
- Attackers who gain access to company networks or email accounts via phishing often study the company’s behavior to learn which employees typically request money, how invoices are handled, what dollar amounts to request to avoid triggering red flags, and what outstanding balances are due.
Building resilience against phishing attacks will not entirely eliminate the possibility of BEC attacks but can decrease their effectiveness and improve a company’s overall cyber hygiene. Murphy and Thomas believe that security professionals should focus less on stopping cyberattacks and more on keeping attackers from successfully exfiltrating data. Because phishing exploits human error, no amount of security will completely prevent breaches.
- Thomas notes that, while there is no one guaranteed method to stop a clever phishing attack, employee training is vital. Cybersecurity training that includes short, 5-10 minute videos tends to resonate with employees more than typical, longer information security presentations do.
- Murphy suggests that attackers increasingly launch phishing campaigns using domain names that closely resemble legitimate ones. RANE Expert David Lavinder of Morphick recommends purchasing domain names that are variations of your organization’s name so that attackers cannot use them; for example, purchase domains that substitute “L” for “I” or “0” for “O.”
- The company’s information security team should create security rules that automatically flag email addresses whose domains closely resemble the company’s own domain. Murphy suggests employing services that can block email accounts created within a certain time span, since an account formed shortly before the outreach (within a day or a week of it) is more likely to be a phishing attempt.
- RANE experts recommend that companies consider tech solutions like endpoint protection (mobile fingerprints, mobile push notifications, one-time password tokens, etc.) and other identity controls such as privileged session monitoring for systems containing sensitive or confidential information.
- Thomas notes that the Defense Advanced Research Projects Agency (DARPA) is currently working on a project that aims to use bot-mediated communications to create a system that identifies, disrupts, and investigates spear-phishing and social engineering attacks, though there is no timetable for completion.
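The two detection rules above (flag sender domains that look like your own, and flag senders whose domain or account is only days old) can be expressed as a small mail-filter check. The following is an added example, not code from RANE, Thomson Reuters Special Services, or Morphick; the domain names, registration dates, and the `REGISTERED_ON` lookup table are constructed stand-ins for a WHOIS or registrar feed, and `example-corp.com` is a hypothetical company domain. The homoglyph normalization covers the substitutions named in the text (l/I/1 and 0/O) plus two others that render alike in common fonts (rn/m, vv/w); the age rule is applied to the sender domain's registration date rather than to a mailbox creation date, which most receivers cannot observe.

```python
"""Added example: flag inbound sender domains that resemble the company's own
domain or that were registered only days before the message arrived.
Domains, dates and the REGISTERED_ON table below are constructed."""
from datetime import date

# Assumption: the organisation's legitimate sending domain (hypothetical).
OUR_DOMAINS = {"example-corp.com"}

# Constructed stand-in for a registration-date lookup: domain -> creation date.
REGISTERED_ON = {
    "example-corp.com": date(2009, 4, 1),
    "examp1e-corp.com": date(2023, 11, 3),   # digit one for lowercase L
    "example-c0rp.com": date(2023, 11, 5),   # zero for letter O
    "exampel-corp.com": date(2018, 6, 20),   # transposed letters, old domain
    "partner-supplies.net": date(2012, 2, 14),
}


def normalize(domain: str) -> str:
    """Collapse look-alike characters so 'examp1e' and 'example' compare equal."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("l1|0", "iioo"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def flag_sender(address: str, received_on: str,
                max_age_days: int = 7, max_edits: int = 2) -> list[str]:
    """Return the reasons an inbound address deserves review; empty list means no finding.

    received_on is an ISO date string (YYYY-MM-DD) for the message's arrival.
    """
    domain = sender_domain(address)
    reasons: list[str] = []
    if domain in OUR_DOMAINS:
        # Our own domain: proving it is genuine is SPF/DKIM/DMARC's job, not this check's.
        return reasons
    n_dom = normalize(domain)
    for ours in OUR_DOMAINS:
        n_ours = normalize(ours)
        if n_dom == n_ours:
            reasons.append(f"homoglyph lookalike of {ours}")
        else:
            dist = edit_distance(n_dom, n_ours)
            if dist <= max_edits:
                reasons.append(f"near-match of {ours} (edit distance {dist})")
    created = REGISTERED_ON.get(domain)
    if created is not None:
        age = (date.fromisoformat(received_on) - created).days
        if 0 <= age <= max_age_days:
            reasons.append(f"domain registered {age} day(s) before the message")
    return reasons


if __name__ == "__main__":
    for addr in ("cfo@example-corp.com", "cfo@examp1e-corp.com",
                 "ap@exampel-corp.com", "billing@partner-supplies.net"):
        print(f"{addr:32} -> {flag_sender(addr, '2023-11-06') or 'no findings'}")
```

Because both the lookalike test and the age test are independent, a message from a freshly registered homoglyph domain collects two reasons, which is the combination a reviewer should treat as most suspicious; a two-edit near-match from a domain registered years ago is more often a typo than an attack, so the thresholds are parameters rather than constants.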
Companies should understand that fraudulent wire transfer requests can be nearly indistinguishable from legitimate requests and that human error makes it difficult to prevent them entirely. Consider implementing authentication policies and employee training to ensure that wire transfer requests are legitimate.
- Company policy should require employees to perform basic checks on wire transfer requests, including ensuring that all requests are associated with an actual purchase order and looking for details common to fraudulent requests such as slight changes to familiar URLs, email addresses, or account numbers.
- All employees should be trained in company policy pertaining to incoming and outgoing payments. This training is particularly important for employees commonly involved in transfers, including the CEO and the accounting department.
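The basic checks the policy above calls for (a request must tie to an actual purchase order, and small changes to email addresses or account numbers must be caught) can be automated as a pre-release gate in the payments workflow. The code below is an added example, not RANE's or Thomson Reuters' own tooling; the vendor master, purchase orders, account numbers and email addresses are constructed, and the `Vendor`/`WireRequest` records are hypothetical shapes for whatever the accounting system actually stores. It compares the requester's domain exactly against the domain on file and treats any change in beneficiary account as a finding, since a changed account on an otherwise plausible request is the usual payment-diversion pattern.

```python
"""Added example: validate a wire-transfer request against the vendor master
before release. All vendors, POs, accounts and addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    email_domain: str          # domain the vendor is known to send from
    bank_account: str          # beneficiary account on file (constructed value)
    open_pos: dict = field(default_factory=dict)   # PO number -> outstanding balance


@dataclass
class WireRequest:
    vendor_id: str
    requester_email: str
    po_number: str
    amount: float
    beneficiary_account: str


# Constructed vendor master; a real one comes from the accounting system.
VENDOR_MASTER = {
    "V-1001": Vendor("Acme Supplies", "acmesupplies.example",
                     "123456789012", {"PO-7781": 12500.00}),
}


def check_wire_request(req: WireRequest, master: dict = VENDOR_MASTER) -> list[str]:
    """Return the policy findings for a request; an empty list means it passed every check."""
    findings: list[str] = []
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return [f"unknown vendor id {req.vendor_id}"]

    # Check 1: the requester must write from the domain on file (exact match only).
    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if domain != vendor.email_domain:
        findings.append(
            f"requester domain {domain} does not match vendor domain {vendor.email_domain}")

    # Check 2: the request must reference an open PO for this vendor, within its balance.
    balance = vendor.open_pos.get(req.po_number)
    if balance is None:
        findings.append(f"no open purchase order {req.po_number} for this vendor")
    elif req.amount > balance:
        findings.append(f"amount {req.amount:.2f} exceeds PO balance {balance:.2f}")

    # Check 3: the beneficiary account must be the one on file; report how much changed.
    if req.beneficiary_account != vendor.bank_account:
        changed = sum(a != b for a, b in zip(req.beneficiary_account, vendor.bank_account))
        changed += abs(len(req.beneficiary_account) - len(vendor.bank_account))
        findings.append(
            f"beneficiary account differs from account on file ({changed} character(s) changed)")
    return findings


if __name__ == "__main__":
    legitimate = WireRequest("V-1001", "ap@acmesupplies.example", "PO-7781", 12500.00, "123456789012")
    diverted = WireRequest("V-1001", "ap@acmesupp1ies.example", "PO-7781", 12400.00, "123456789021")
    for label, req in (("legitimate", legitimate), ("diverted", diverted)):
        print(label, "->", check_wire_request(req) or "release")
```

A request that produces any finding should be held rather than auto-rejected: the "account changed" case in particular is exactly where a caller should confirm the new details with the vendor through a contact channel already on file, not one supplied in the request itself.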