Business Email Compromise (BEC) Part 1 of 5: Data Theft Scam

May 8, 2019 | Cyber Fraud

It seems a new ransomware name is making the rounds every week, and cybercrime is forever on the rise.
How can a business protect its network from the multitude of viruses, Trojans, and hackers out there working to invade it, either to demand money or to steal information?

The FBI just released its 2018 Internet Crime Report, which its Internet Crime Complaint division puts out annually. In it, the FBI identifies that the most successful avenue used to gain access to networks is pretty simple: the act of misrepresentation. Most of this misrepresentation does not hinge on tech-savvy methods, either. It hinges on social engineering.

Social Engineering in Information Security

Most people recognize the term ‘social engineering’ as attempts to make social change. Efforts to improve attitudes about recycling plastic bottles might be called ‘social engineering.’ But in the world of information security, ‘social engineering’ means the use of deception and manipulation to lure individuals into furnishing confidential information. These information security ‘social engineer’ practitioners are simply old-fashioned confidence artists. As such, the con men (and women) still work with the same skills they always have. The only difference now is that their toolbox includes social media, mobile phones and email as tools of the trade. Protecting yourself from them requires only that you understand what new material they are applying to their old schemes.

The FBI has grouped BEC scam tactics into 5 categories. Here is the first one:

Data Theft Scam

Typical Target: HR and Bookkeeping staff

Method of Manipulation: By impersonating an employee and calling or emailing the HR department (they may spoof the phone number or the email address to look legitimate), the social engineer will be after any of the following:

  • a person’s email address
  • a person’s identity information (social security number, driver’s license number, or passport number)
  • a person’s network account information, bank account information, or tax statement information.

Objective: Collecting this information gives the scammer what is needed to get away with all sorts of mischief, from emptying a business’ bank account to gathering the credentials needed to breach the business network in a future malware attack.

So, how do you defend your business from this scam?

The Best Defense is Employee Education

Helping employees learn how to spot spoofed emails, and how to authenticate phone calls, is critical to guarding your business from bad actors. Teach them how to identify false disguises. Equip them with protocols for responding to threats of this sort once they are identified. It is your employees’ access to the network that fraudsters often hope to compromise. Staff members need knowledge to protect the network gates they guard.

Email Security Solutions are Available

Email is, by far, the largest attack vector for cybercriminals. Why? Because it works. Even with every employee equipped with comprehensive education, employees get tired and distracted with the other cares of work. Just one innocent lapse of judgement can lead to a world of hurt for a company. Therefore, we highly recommend that an email security solution be part of a business’ security posture. The technology exists to block fraudulent emails.
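As an added illustration of the kind of checks such a solution applies to this particular scam (example code written for this article, not any vendor's product): it parses a constructed message and flags a staff member's display name on an outside mailbox, a look-alike sender domain, a Reply-To that diverges from the From address, and a request for employee identity, bank or tax records. ORG_DOMAIN, the STAFF directory and the sample message are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                     # assumed: the organisation's own domain
STAFF = {"dana lee": "dana.lee@example.com"}   # assumed: directory of display name -> mailbox
# Phrases matching the identity, bank and tax data this scam asks HR/bookkeeping for
PII_TERMS = ("social security", "w-2", "passport", "driver's license",
             "direct deposit", "tax statement", "routing number")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to flag look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message: str) -> list[str]:
    """Return the data-theft BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # A known employee's display name on a mailbox that is not that employee's
    if name.lower() in STAFF and addr.lower() != STAFF[name.lower()]:
        findings.append("display name impersonates internal staff")
    # Sender domain within two edits of the real one (dropped, swapped or added letter)
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain: {domain}")
    # Replies quietly routed to a different domain than the one shown in From
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rsplit("@", 1)[-1] != domain:
        findings.append("reply-to domain differs from sender domain")
    # The ask itself: employee identity, bank or tax records
    text = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    hits = [term for term in PII_TERMS if term in text]
    if hits:
        findings.append("requests employee data: " + ", ".join(hits))
    return findings

# Constructed sample: a spoofed "employee" asking HR for tax and passport records
SAMPLE = ("From: Dana Lee <dana.lee@exampel.com>\n"
          "Reply-To: dana.lee@webmail-host.test\n"
          "To: hr@example.com\n"
          "Subject: urgent - need my W-2 today\n\n"
          "Can you send my W-2 and the passport scan on file? Travelling, reply here.\n")
```

Running bec_indicators(SAMPLE) returns all four findings; a genuine internal message with no such request returns an empty list.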
