For businesses to thrive, employees must communicate. Among a growing number of platforms that facilitate business communications, email is the primary vehicle for most organizations. Since email makes an employee reachable, cybercriminals often use it to commit fraud and/or breach a company’s IT defenses.
This article will describe how cybercriminals take over email communications for their benefit and the steps your organization can take to protect itself.
Phishing is a particularly dangerous attack perpetrated via email. An employee can be tricked into revealing sensitive information, such as their login credentials, bank account numbers, or any other form of data that criminals can then monetize.
According to Verizon’s 2022 Data Breach Investigations Report, on average, employees click on 2.9% of phishing emails. While that number sounds small, if just one employee shares login credentials to their employer’s bank account, the returns can quickly pay for the time and effort it took cybercriminals to run the phishing campaign.
Business email compromise (BEC) schemes are a leading source of losses. BEC schemes involve criminals sending an email that appears to come from a known source making a reasonable request. To trick the recipient into trusting the email and acting on it, criminals might create email accounts with similar addresses or send personalized emails directly to their target, known as spear-phishing for its focused approach. In more sophisticated scams, criminals might compromise an organization’s email system and assume direct control of a key individual’s electronic communications.
Whether they use phishing or BEC, cybercriminals aim to turn your company’s email into a vehicle for an attack. Here’s how to make it difficult for them to strike your organization.
When opening emails, a healthy degree of skepticism can be the difference between an attack that fails and one that exacts a heavy toll. In a rush to open and respond to emails, many employees do not take the time to scrutinize their messages.
“When you look at an email, if it looks wrong, it is wrong,” says Raymond Olsen, senior vice president and director of fraud management at Wintrust. He encourages everyone to pay attention to the details. “People may look at the body of the email. They need to look at the email address as well.” A thorough check includes paying attention to warnings embedded in emails notifying the recipient that the message was sent from an outside account.
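The two sender checks described above (the lookalike addresses criminals register, and an external sender posing as an internal one) can be automated as a mail-filter rule. The following is an added example, not code from the article or from Wintrust; the trusted domain and the sample messages are constructed placeholders.

```python
"""Flag From: headers that deserve scrutiny: external senders, lookalike
domains, and display names that impersonate an internal address."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical internal domain; replace with your organization's own.
TRUSTED_DOMAINS = {"example-bank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(raw_message: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons (possibly none) the sender address looks wrong."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []
    if domain not in trusted:
        findings.append("external sender")  # the 'outside account' banner case
    # Display name that is itself an internal-looking address, hiding the
    # real mailbox: "jane.doe@example-bank.com" <mailbox123@free-mail.example>
    if "@" in display and display.rsplit("@", 1)[-1].lower() in trusted:
        findings.append("display name impersonates internal address")
    for good in trusted:
        if domain and domain != good:
            if 0 < edit_distance(domain, good) <= 2:
                findings.append(f"lookalike of {good}")
            elif good.split(".")[0] in domain:
                findings.append(f"contains trusted name {good}")
    return findings


# Constructed sample messages (not real mail).
CONSTRUCTED = {
    "internal": "From: Jane Doe <jane.doe@example-bank.com>\nSubject: Lunch\n\nHi\n",
    "lookalike": "From: Jane Doe <jane.doe@examp1e-bank.com>\nSubject: Wire\n\nPay now\n",
    "spoofed_name": ('From: "jane.doe@example-bank.com" <mailbox123@free-mail.example>'
                     "\nSubject: Wire\n\nPay now\n"),
}

if __name__ == "__main__":
    for name, raw in CONSTRUCTED.items():
        print(name, "->", sender_findings(raw) or ["ok"])
```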
To help prevent an attack, many organizations require employees to participate in security training. If an employee avoids such training or earns a failing grade, you could require that they pass the class before they can return to their work. Additionally, your business could send test emails to measure employees’ ability to avoid opening and interacting with suspicious messages. If an employee consistently falls prey to these test emails, consider some form of discipline: requiring them to retake security training classes, notifying their supervisor, documenting the mistake in their performance review, or other measures that stress the importance of safe email practices.
Cybercriminals continually evolve their approach to stay several steps ahead of the organizations they intend to attack. Make sure your security department keeps close tabs on cybercriminals’ latest tools and techniques. Use this intelligence to assess your organization’s security program and your technology’s effectiveness in detecting and preventing attacks. This includes reviewing your organization’s security policies and procedures along with how often employees comply with them. For example, if your company requires complex passwords and multifactor authentication, does the technology exist to ensure compliance?
Businesses should not overlook the role of the bank in preventing cybercrime. Your bank’s fraud department can share best practices to avoid phishing, BEC attacks, and other forms of cybercrime. It can also provide access to tools to help detect and prevent payment fraud.
Phishing and BEC schemes will exist for as long as organizations use email to communicate. Protecting this critical communication channel requires encouraging employees to exercise a moment of caution when opening emails, training them to detect suspicious messages, and continually evolving your security program to detect and prevent attacks.
For more information on scams targeting your business, and measures you can take to protect it, visit our security page.