As 2022 comes to a close, we’d like to take a look back at the cybersecurity vulnerabilities, why they are still relevant, and why they deserve continued attention.
While Business Email Compromise came from humble beginnings – remember the fraudulent asks for gift cards – BEC continues to grow, both in prevalence and sophistication. BEC remains the costliest cybercrime in the United States, with the FBI alone receiving over 20,000 complaints totaling $2.4 billion in adjusted losses in the last year.
Today, email compromise schemes are more sophisticated and prey on the COVID-inspired remote work trend. One example of the increasing sophistication: bad actors compromise the email accounts of high-ranking company officials and request a virtual meeting with employees. They use deep-faked video (or a still image, while claiming to have video and audio glitches) to request wire transfers. After the funds are delivered, the perpetrators move the money into cryptocurrency to throw off attempts at tracking or recovery.
Another vector is Tech Support Fraud (TSF). TSF occurs when scammers impersonate a company’s IT services or a well-known tech company and offer to fix non-existent problems. Losses from tech support fraud doubled in the past year to nearly $350 million and have increased by more than $330 million in the past five years.
Then there are social engineering or vishing attacks, more elaborate schemes that require deep planning and research by the perpetrators.
This type of attack involves a threat actor who impersonates someone to trick a target into providing money or data. It’s one of the most difficult attack vectors to control because it relies heavily on the target’s subjective judgment. Bad actors continue to develop improved tactics and tools that support these types of attacks, to bypass both multi-factor authentication and more traditional anti-phishing techniques.
SEO poisoning likewise preys on the target’s subjective judgment. It has been described as “phishing using search engines” because attackers use the same methods as legitimate businesses trying to rank higher in online search results, thus making the malicious actor’s links more likely to be clicked, with resulting chaos and malfeasance.
Fighting cyber-attacks and increasing digital security
There are several ways to help protect your business:
- Get a Social Engineering Assessment. A Social Engineering Assessment helps you understand where security vulnerabilities exist in your organization. Employee actions are often a failure point in an organization’s cybersecurity. Regular testing and training focus on integrating security as part of the corporate culture. A compromise assessment service uncovers whether a threat actor may already have a foothold — an invaluable tool given today’s decentralized workforces.
- Regularly train employees about evolving threats. Most workers don’t read cybersecurity news, so new attack vectors, and revised iterations of old favorites, likely aren’t on their radar.
- Two-factor authentication — using an independent method to verify an identity — can often put an early stop to fraud. Two-factor authentication, such as requiring a code that is texted to a previously saved phone number in order to sign in, can also protect email accounts and thus reduce BEC exposure.
- Always be on guard against unsolicited requests for login or other personal information.
- Make sure URLs and domain names are correct and consistent, in emails and search results.
- Spelling and grammar errors in an email’s address or body should put you on guard, as should emails sent at odd times, like in the middle of the night.
With cybercrime’s continued growth in both prevalence and cost, prevention is worth some time and money. Digital Silence strives to be the down-to-earth, sophisticated partner you want on your team, and we have a unique breadth of industry experience that lets us align our work with your specific business priorities. Let us help protect you.