October marks the observance of National Cybersecurity Awareness Month (NCSAM). Launched in 2004 by the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown from a national observance into a globally recognized one, because cyber threats do not stop at international borders.
There is a common misconception among small business owners that their companies are too insignificant to be targeted by cyberattacks. The truth is that no business is immune. Statistics from Accenture’s Cost of Cybercrime Study indicate that almost 43% of cyberattacks are aimed at small businesses, and, shockingly, only 14% of these businesses are adequately prepared to counter such attacks.
A key aspect of cyberthreats that is often overlooked, but deserves attention, is email security. Seth Blank, the CTO of email security provider Valimail, emphasizes the significance of email security in combating cyberthreats. In fact, the FBI’s Internet Crime Complaint Center (IC3) revealed in a public service announcement that business email compromise (BEC) and email account compromise (EAC) fraud have caused extensive damage. From October 2013 to December 2022, the cumulative global losses from the BEC scam amounted to nearly $51 billion, with the United States alone accounting for over $17 billion of the total.
Types of Email Scams
Business Email Compromise (BEC)
BEC is a sophisticated scam that targets both businesses and individuals who handle legitimate transfer-of-funds requests. The modus operandi involves compromising genuine business or personal email accounts through social engineering or computer intrusion to initiate unauthorized fund transfers. However, the scam is not limited to financial transfers alone. Some variations of BEC involve compromising business email accounts and soliciting the employees’ Personally Identifiable Information (PII), Wage and Tax Statement (W-2) forms, and more.
The FBI highlights that BEC has undergone transformations over the years, with a particular focus on exploiting small local businesses. For instance, there has been a surge in BEC reporting within the real estate sector in recent times.
Blank underscores the fact that email is a battleground for highly sophisticated social engineering attacks, including spear-phishing and whaling. These attacks capitalize on the absence of customary cues relied upon for assessing trust, such as facial expressions or tone of voice.
Spear-Phishing: A Targeted Threat
Spear-phishing email scams are highly targeted, personalized phishing attacks designed to deceive individuals or businesses into disclosing sensitive information or clicking on malicious links. Unlike traditional phishing emails sent to large groups, spear-phishing emails are meticulously crafted to include information specific to the victim’s job, personal life, or interests. Consequently, they appear more authentic and persuasive.
The primary objective of spear-phishing emails is to pilfer sensitive information like usernames, passwords, credit card details, and Social Security numbers. Additionally, these emails can introduce malware into the victim’s computer, enabling rapid propagation across the organization’s network. Below are examples of spear-phishing email scams:
- An accounting employee receives an email purportedly from the employer or a manager, urging them to transfer a substantial sum to a new account.
- An email seemingly from the bank, requesting the recipient to update their account details.
- An email from a shipping company, urging the recipient to click on a link for package tracking purposes.
- An email from a social media company, prompting the recipient to reset their password.
- An email from a government agency, soliciting personal information.
It is critical to ensure that all employees are familiar with the warning signs of spear-phishing emails and avoid clicking on anything that appears suspicious. One useful technique is to hover over a link so the mail client reveals its real destination, and to check that this destination matches both the link text and the organization the sender claims to represent before clicking.
If an employee inadvertently clicks a link in a spear-phishing email, they should immediately report it to the IT department. Promptly contact your bank and credit card companies to notify them of potential fraudulent activity. Furthermore, instruct all your employees to change their passwords, without exception, and enable two-factor authentication for all online accounts.
Whaling: An Advanced Spear-Phishing Scam
Whaling scams specifically target business owners, CEOs, CFOs, and other high-ranking executives. These scams are characterized by exceptional sophistication, making them difficult to detect.
Whaling scammers invest considerable effort in gathering information about their targets, including job titles, email addresses, phone numbers, and personal interests. Armed with these details, scammers personalize their emails to enhance credibility.
The primary objective of whaling scams is to defraud businesses by stealing money or sensitive information. For example, a whaling scammer may send an email to a CEO disguised as the company’s CFO, requesting approval for a substantial wire transfer to a new account. The unsuspecting CEO, assuming the email to be legitimate, approves the transfer, resulting in the scammer absconding with the funds.
Moreover, whaling scams are frequently utilized to introduce malware into victims’ computers, facilitating the theft of sensitive information like login credentials and trade secrets.
To guard against whaling scams, it is imperative for you and your accounting department to exercise extreme caution when faced with emails requesting significant sums or sensitive information.
Enhance Your Email Security Measures
According to Seth Blank, 91% of cyberattacks now begin with a phishing attempt. Amid this alarming trend, it is easy to overlook how critical email security is. The rising figures indicate that the problem is not only persistent but still getting worse.
Considering this, Blank's advice is to reinforce your email security now or face dire consequences. The onus is on you to take proactive measures without delay.