If your boss sends you an email, would you ignore it? Scammers know you probably won’t…
According to the Federal Bureau of Investigation (FBI), this serious and growing form of fraud has tripled over the last three years and jumped 50% in the first three months of 2019 compared to the same period in 2018.
The FBI recognizes at least six types of cyber-attack email activity as Business Email Compromise (BEC) fraud. The types differ by who appears to be the email sender:
- The CEO directing the CFO to wire money to someone.
- Vendors or suppliers asking that invoice payment be made to a different bank account.
- Executives requesting copies of employee tax information such as W-2 forms in the U.S.
- Realtors, title companies, or lawyers redirecting proceeds from sales of homes or other real estate into a new account.
- Senior employees seeking to have their pay deposited into a new bank account.
- An employer or clergyman appealing to the recipient to buy gift cards on their behalf.
Normally, you would have no reason to closely examine an email received from a superior if nothing immediately causes suspicion. We tend to believe the email is from the person whose name is in the sender line and focus our attention on getting through the dozens of other emails we have received. The emails are carefully crafted to look believable, and they almost always convey a sense of urgency.
This type of fraud employs many clever “social engineering” techniques (the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes) to identify key employees and send emails directly to them. Attacks are 10 times more likely to produce a victim if the target answers an initial probe email, such as “Are you at your desk to make a payment?” Some BEC emails really do come from the CEO’s email account. They may come when the sender is out of the office, and the emails generally say the CEO is busy and does not want to be disturbed. The request is commanding, and employees who are nervous about bothering a busy CEO may decide to just follow orders and move quickly. Many BEC attacks are also timed to hit organizations around major holidays, when there are more temporary employees, the senior executives are out of the office, and people are reluctant to call them.
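As an added example (not part of the original article), the following Python routine triages a raw email for the lures this paragraph describes: an executive's name in the sender line paired with an address that is not that executive's, a Reply-To that routes answers elsewhere, the probe question, and the "too busy to be disturbed" excuse. The executive directory, domains and sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: executive display names and their real internal addresses.
EXECUTIVES = {"pat rivera": "pat.rivera@example-corp.com"}
# Patterns for the lures the text describes: the probe question, urgency,
# the "too busy to be disturbed" excuse, and payment or payroll changes.
LURE_PATTERNS = {
    "probe_question": r"are you at your desk",
    "urgency": r"\b(urgent|urgently|immediately|asap|right away)\b",
    "do_not_disturb": r"(in a meeting|do not (call|disturb)|can.?t talk)",
    "payment_change": r"\b(wire|new (bank )?account|gift cards?|w-?2)\b",
}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw: str) -> list[str]:
    """Return indicator names found in one plain-text (non-multipart) RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    hits = []
    # The name in the sender line is an executive's, but the address is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        hits.append("executive_display_name_external_address")
    # Replies would be routed to a domain other than the apparent sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        hits.append("reply_to_domain_mismatch")
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    hits.extend(label for label, pat in LURE_PATTERNS.items() if re.search(pat, text))
    return hits

# Constructed samples: a BEC probe email and a legitimate internal request.
PROBE = """\
From: Pat Rivera <pat.rivera@webmail-example.com>
Reply-To: pat.rivera.ceo@mail-example.net
Subject: Quick question

Are you at your desk to make a payment? I'm in a meeting, can't talk.
"""
LEGIT = """\
From: Pat Rivera <pat.rivera@example-corp.com>
Subject: Q3 vendor review

Please send me the Q3 vendor list when you have a minute.
"""
```

`bec_indicators(PROBE)` returns four indicators and `bec_indicators(LEGIT)` returns none; a real mail gateway would feed these hits into a quarantine or warning-banner rule rather than block on any single one.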
Untrained employees will open and act on a bogus phishing email 30% of the time. That is why cybersecurity and phishing training is so important for ALL employees in an organization. Statistics show that after going through training, including being sent bogus test emails to see whether they respond, only 2% of employees will interact with a bogus email. Once they know about and understand the danger, they rarely fall for these types of attacks anymore.
There is one problem with training though… many corporate leaders, who are often the targets of BEC fraud, order such training but don’t take it themselves, perhaps believing that they are too busy or that they are too smart to fall for such schemes.
Bottom line… if you ever get this kind of request, always double-check by CALLING that person to confirm, and even if it turns out to be a legitimate request, you should NEVER send confidential information, like Social Security numbers (or attachments containing this information), without taking precautions to password-protect and encrypt the message first.
Remember, if it ever doesn’t seem right, it probably isn’t. By remaining vigilant and using your cyber-smarts, you can greatly reduce your risk of suffering a cyberattack. To help you stay cyber-smart, we offer quarterly cybersecurity training to keep you and your employees up to date on the latest threats and precautions you can take to survive the cyber jungle.
Every day, your business depends on information technology (IT) to operate. Thank you for letting us be there for you.
Braver Technology Solutions | WeMakeITWork@BraverTechnology.com
Boston 617.315.8515 | Taunton 508.824.2260 | Providence 401.484.7900