Ransomware has hit the news this week because just across the pond from us our American neighbours have suffered a coordinated attack in the state of Texas. It’s affected local government departments and cyber-security, military and counter-terrorism units have been drafted in to fight the attack. No specific information has been given about the nature of the attack, but it sounds serious enough to bring in the cavalry.
But it’s not Ransomware that businesses and government departments need to be most worried about. According to a report produced by AIG called Cyber Claims: GDPR and business email compromise drive greater frequencies, it’s the business email compromise (BEC) that pose the biggest threat.
The findings of the report show that BEC has overtaken ransomware and data breach by hackers as the main driver of AIG EMEA cyber claims. It says that nearly a quarter of reported incidents in 2018 were due to BEC – and this has increased by 11% from the previous year (2017).
What is BEC?
BEC is defined as a form of cyber-crime which makes use of email fraud to attack commercial, Government and non-profit organisations. Examples of BEC attacks include invoice scams and spear phishing spoof attacks.
The attacks are conducted by criminals that are intent on gathering data to commit fraud and other criminal activities. Client’s information can also be compromised because access to work emails will result in criminals using the employee’s email address to defraud others in their contact list.
According to AIG’s report, a simple type of scam involves attackers homing in on employees that are responsible for requesting payments. They will spoof their accounts to impersonate these workers as well as anybody in the company’s C-suite to request money transfers into their accounts. Sometimes they’re even after-tax records or other types of sensitive data.
Some attackers are interested in harvesting the target company’s client and employee information – such as personal data. Alternatively, they also target confidential company information. Trade secrets are not out of bounds.
They’ve probably become a more popular form of attack as it’s so easy for these criminals to make emails coming from their victims look legitimate. While this type of crime is easy for criminals to conduct, it’s cheap to find a solution to it.
Mark Camillo, head of cyber for EMEA at AIG points out in the report: “These incidents are becoming more expensive to investigate. When a malicious actor gains access to the mailbox you have to do a deep dive, understand what information they may have gained access to and whether it has triggered any GDPR requirements.”
What’s the solution?
We’ve written about this before, but when it comes to General Data Protection Regulation rules you have to notify supervisory authorities of any breach of data within 72 hours of leaning about that breach. Specific details of the compromise must be shared as well as the number of people affected. Victims need to be informed as quickly as possible.
So, what are the solutions to these types of attacks? Well, cyber insurance to mitigate the risk is of course one solution. But the reports also highlight the need to educate employees that are in charge of sensitive information.
Employees are getting the basics wrong. It’s pointed out that something as simple as poor password hygiene is a recurring issue for firms targeted by BEC. It’s vital to activate Microsoft Office 365 security functions and enable multi-factor authentication.
Building staff awareness of the types of BEC attacks is vital and there needs to be clear, step-by-step action that needs to be followed if there is a breach. If employee education is lacking and if your security protocols are not 100% clear, it may be time to draft in experts. Hiring companies like SchemeServe to reduce the likelihood of data breaches and to help you ensure you’ve got a plan in place should the worst happen is paramount. BEC attacks can lead to reputational damage that your business may not survive. Few want to deal with companies that have suffered major breaches to their personal or client data.