Not only viruses
Protecting a company from cyberattacks with an antivirus is always a good idea. But here's the problem: tangible damage to organizations is also caused by attacks based on social engineering. To gain access to the information they need, scammers play on the peculiarities of human psychology, and they do it extremely successfully. Many experts rank social engineering as the second most common attack method after intrusions using malware. Over three years, companies around the world have lost more than $30 billion in business email compromise incidents.
Criminal trail
Business email compromise fraud is on the rise. Recently, law enforcement detained criminals in Spain who, before their arrest, had fraudulently obtained 10 million euros from their victims. A fraudster in Canada single-handedly fooled a utility company: posing as a contractor, he had $1 million paid into his account. The FBI is now investigating the crimes of an organized group of almost 300 people who fraudulently made about $120 million.
In addition to a high average take, BEC (Business Email Compromise) attacks have a low "entry threshold" for scammers. No special knowledge of writing malware is needed to commit such crimes; it is enough not to begrudge the time spent studying the victim. The attacker collects as much data about the company as possible: who the managers and accountants are, who makes the wire transfers, and what these people's email addresses are. He then does the same for the company's counterparties.
All this painstaking work has one aim: to understand how the process behind financial transactions works in the victim company, who controls it, and who gives the go-ahead for each transfer of funds.
Once the data is collected, the attackers enter into email correspondence with the organization under the guise of a counterparty. But before they start this correspondence, they prepare the forged message in advance. No programming skills are needed: online services for generating fake emails, such as spoofbox.com and anonymailer.net, are enough. Most interestingly, these and similar services are not banned by anyone. The official reason for their existence is to play pranks on friends.
"Oscar" to this gentleman!
As soon as the letter is ready, it is "fired" into correspondence with the victim. Fraudsters are subtle psychologists: they act so delicately that the victim believes a real partner or contractor is on the other end, someone to whom money can be sent with peace of mind.
Trust is also helped by the fact that BEC attacks do not ask the victim to take any action that might arouse suspicion. For example, the scammers' emails contain no links to click and no questionable attachments to open. With no "red flags" in the communication, the victim keeps corresponding without even suspecting that the person on the other end is a scammer.
The saddest thing is that victims realize their mistake only after quite a long time, and often by accident: as a rule, it takes someone else to make them realize they were fooled.
For example, one American priest was very surprised to receive a call from the company doing the reconstruction of his church building, asking why the holy father was delaying payment for the work and when the builders would finally see their money. He was surprised because he knew the transfer had been made quite a long time ago. Shortly before the payment, however, the parish had received an official email, supposedly from the construction company, about a change of bank details. Once the payment data was checked, everything became clear: instead of the construction company, the money had gone to another recipient. A rather large sum was lost this way.
How to protect yourself from email fraud
What can be done to avoid such situations? Obviously, put a technological barrier in the scammers' way. An effective and functional tool for this is MDaemon SecurityGateway for Email Servers. With this solution, system administrators can conclusively counter almost the full range of such threats. Here are some quick tips for admins:
• Turn on email address verification. This helps determine whether the address a payment request came from actually exists and is legitimate;
• Use a virus scan for incoming and outgoing messages;
• Require users to use strong passwords, SMTP authentication, and two-factor authentication;
• Protect your domain from spoofing by enabling SPF verification, DKIM signing, and a DMARC policy.
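To show what the last tip buys a defender, here is an added example (not MDaemon code and not part of the original article) of how a receiving gateway combines SPF and DMARC identifier alignment. The DNS records and the domains example.com and other.example are constructed for the illustration, and the DKIM verification result is passed in as an input rather than computed; it shows why a forged From: header is rejected even when the scammer's own envelope domain passes SPF.

```python
import ipaddress
# Constructed DNS TXT records for hypothetical domains; a real gateway queries DNS.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "other.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

def check_spf(client_ip, mail_from_domain):
    """Minimal SPF: only ip4:<cidr> terms and the final 'all' (no include/redirect/mx)."""
    record = DNS_TXT.get(mail_from_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):  # qualifier decides: -fail, ~softfail, ?neutral, +pass
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def org_domain(domain):
    """Organizational domain, naively the last two labels (real code uses the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, client_ip, mail_from_domain, dkim_result="none", dkim_domain=""):
    """Return 'pass', or the publisher's p= policy when neither SPF nor DKIM passes AND aligns."""
    record = (DNS_TXT.get("_dmarc." + from_domain.lower())
              or DNS_TXT.get("_dmarc." + org_domain(from_domain)))
    if not record:
        return "none"  # no policy published: the receiver falls back to its own rules
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    spf_ok = (check_spf(client_ip, mail_from_domain) == "pass"
              and aligned(mail_from_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass"
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

if __name__ == "__main__":
    # Owner's own range passes; a forged From: sent from another envelope domain passes
    # SPF for that domain but fails alignment, so the published policy (reject) applies.
    print(evaluate_dmarc("example.com", "203.0.113.10", "example.com"))   # pass
    print(evaluate_dmarc("example.com", "198.51.100.7", "other.example"))  # reject
```

Note that with adkim=s a DKIM signature for example.com does not protect mail whose From: is a subdomain such as news.example.com; the policy publisher must sign with the exact domain or relax alignment.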
Of course, it is also useful to hold training sessions for the company's staff and regularly remind them of the safety recommendations. Here are the most obvious ones:
• Do not expose corporate email addresses on social networks;
• Do not open email from unknown sources;
• Verify every request for a bank transfer: call the counterparty or meet in person;
• Know the business processes of your customers and suppliers and be able to notice oddities in their behavior;
• Use two-factor authentication;
• Don't answer such emails with "Reply"! Use the "Forward" function and only then manually enter the correct email address.
Be aware of the risks, keep your business safe, and secure your email communications with MDaemon SecurityGateway for Email Servers.
Do you have any questions? Please contact us!