The dependence of corporate organizations on emails to conduct official activities has made it one of the areas attackers focus on. Almost all organizations deal with using email to approve and communicate official information, including financial approval and other details.
According to an FBI report, there were at least 40,000 incidents of business email compromise or other related incidents, an increase of around 2,370% since January 2015. The FBI reported at least 3,044 victims in the United States, with a loss of around $346 million in the second half of 2016.
In the case of a Business Email Compromise, an attacker sends an email with the inscription that it comes from a trusted source making a legitimate request based on either information gathered between the organizations.
Attackers who perpetrate such an attack rely heavily on information gathering as discussed in our cybersecurity guide. They find information about the company on some mode of operations, titles, and search juicy details on employers. Most times, attackers try gaining access to the executives' members email or those who have the power to request financial transactions.
Another method is setting up an email address with a spoofed domain. In such a case, an attacker creates a similar email address in other to lure an unsuspected individual and impersonate in the process. Here's a good example; instead of email@example.com, an attacker can use firstname.lastname@example.org. Another example is email@example.com instead of firstname.lastname@example.org. The slight changes of “i” to ‘l‘ in cloudiafrica.com and the difference in the position of ‘i‘ and ‘e‘ in believe.com is enough to cause significant damages to unsuspected victims.
How to Identify Compromised Emails in a Business Environment
Business Email Compromise has been one of the most common attacks in recent time. It has become evident that firewalls and other security gadgets alone can't be enough. Users must have vital knowledge of detecting such email attacks and reducing the number of victims.
Before you conclude that an email address is genuine, check the address and NOT the name of the sender. Kindly note that email@example.com is not the same as myname.@xyz.com. Is it the same with previous emails sent from the same person or organization? Are there any changes? If yes, kindly take extra caution and confirm with another means if the information is from the person or organization before processing it. Before clicking a link in an email:
- Check if the address is correct.
- Verify the site address normally without using the redirect button on the link.
Actions to Take by Organizations
Phishing is a common method used by attackers. It cannot be eradicated, but organizations should be able to do the following in defending against its attack:
a. Security Awareness for All Users
Most times, organizations focus on the IT department when it comes to training users on security. That is not a wrong approach, but the report has shown that attackers target those with little IT knowledge in organizations. It is now imperative for organizations to at least create Security awareness program for those who are doing non-IT-related work.
b. Multi-Factor Authentication System
Multi-layer security is also another method to defend against the email compromise. This technique helps prevent unauthorized access of email, especially from a different location that is not within the office premises.
c. Other Verification Methods
Before a specific transaction is conducted, especially an urgent request to make transactions, there should be another method of verification either through a phone conversation or manual in a case where such is possible. Delayed transactions are better than lost transactions so organizations should allow the option of extra verification when it comes to transaction of funds.
The best security measure available for protecting against email compromise is User Security Education. Organizations should understand that security education should not be for those in tech alone. It is for everyone and not the Security or IT personnel alone.
Be responsible, protect yourself, protect your organization.