Ransomware gets headlines, but business email compromise is a bigger threat

Rohan Pearce

email stock image
Image via Computerworld

High-profile ransomware incidents such as the WannaCry and NotPetya outbreaks have grabbed headlines this year, but according to networking vendor Cisco the rise of 'business email compromise' (BEC) often represents a more significant financial threat for organisations.

"BEC scams are aimed at big targets - and big targets have fallen victim to them, even though such organizations may have mature threat defenses and safeguards against fraud," state's Cisco's midyear cyber security report.

"Both Facebook and Google have been victims of BECs and wire fraud. Because BEC messages don't contain malware or suspect links, they can usually bypass all but the most sophisticated threat defense tools."

Figures from the FBI's Internet Crime Complaint Centre (IC3) reveal that between October 2013 and December 2016 it received more than 24,000 complaints from US and international victims of BCE with a combined exposed dollar loss of almost US$1.6 billion ('exposed dollar loss' includes actual and attempted loss).

However, drawing on multiple sources IC3 says it is aware of more than 40,000 BCE incidents in that same timeframe with a combined exposed dollar loss in excess of US$5 billion.

In contrast, ransomware has been estimated to cost around US$1 billion a year in the US, according to Cisco.

"BEC differs from other email-based threats because it generally involves impersonating an authorised or credentialed person within a company to direct another person whom has financial authority to transfer funds outside of the company, generally to an offshore account," said Anthony Stitt, general manager of security for Cisco Australia and New Zealand.

"For example, a CFO emailing a financial controller requesting urgent payment of an invoice. Unlike other forms of email threats, BEC doesn't involve technical exploitation via malware attachments or links to malicious websites, which one might normally associate or expect with phishing.

"Essentially, the fraudsters are attempting make an illegitimate request look legitimate, with the sums of money often comparably large, which is another key differentiator of BEC to other email-based security threats."

Stitt said that Cisco hasn't complied figures for the impact of BEC on Australia, but anecdotally the company knows of big, small and medium organisations hit by the scam.

"At Cisco, we've spoken to organisations that have been the target of such attacks or traps, with large sums involved - four, five, six, seven, eight figures - although most requests commonly fall in the $25,000 to $50,000 range," he said.

The target of BEC can be anyone with the credentials to conduct or authorise a transfer of funds, with criminals often performing substantial research to target the right individual with the right messaging, he said.

1  2  Next Page