Business Email Compromise Attacks Increase by Nearly 500%

Business Email Compromise Attacks Increase by Nearly 500%

Business email compromise attacks are designed to bypass traditional email security measures, such as spam filters.

Last year, the FBI reported that incidents of business email compromise (BEC), also known as spear phishing, CEO fraud, and invoice fraud, had been reported in all 50 states and 150 countries, with global losses exceeding $12 billion. BEC scams are continuing to explode in popularity among cyber criminals, with attacks increasing by 476% between Q4 2017 and Q4 2018, according to research from Proofpoint. Recently, a Lithuanian national pled guilty in U.S. court to his role in a BEC scheme that bilked Facebook and Alphabet out of more than $100 million.

Business Email Compromise Attacks Increase by Nearly 500%

What Is Business Email Compromise?

As opposed to traditional phishing scams, where identical messages are mass-emailed to thousands of recipients, BEC scams involve sending customized emails that target specific employees within a company, usually those who handle wire transfer payments or have access to sensitive information, such as employee payroll data. Before launching an attack, hackers research their targets in great detail, culling information from public sources such as social media networks and official company web properties.

After selecting a victim, hackers send the employee an email impersonating a company executive or business partner. Sometimes, the sender’s email address is spoofed; other times, hackers have obtained the real user’s login credentials and taken over their email account. The BEC email will contain an urgent request for a wire transfer, allegedly to pay a past-due invoice, or sensitive information, such as employee tax withholding forms. In one scheme the IRS issued an official warning about last year, the BEC emails requested both a wire transfer and employee tax data.

The BEC email warns of dire consequences should the recipient not act immediately, such as a delay on a time-sensitive parts shipment or the next round of employee paychecks. BEC emails are designed to look as realistic as possible, and sometimes, hackers will follow up with a phone call to add legitimacy and increase the victim’s sense of urgency. Thinking they’re doing the right thing, the recipient sends the money or data.

Sometimes, victims of BEC don’t realize they’ve been scammed until much later, such as when an impersonated vendor contacts the company about non-payment on a real invoice.

Preventing Business Email Compromise

Because business compromise emails do not contain malicious links or attachments, they usually bypass traditional email security measures, such as spam filters. However, there are technical solutions and non-technical controls companies can implement to help stem the tide, such as:

  • Implement multi-factor authentication (MFA) to protect against account takeovers.
  • Use the DMARC email security protocol to protect against domain spoofing.
  • Prohibit employees from using personal emails for company business and vice versa.
  • Talk to a cybersecurity professional about technical solutions that can identify compromised accounts, as well as solutions that block emails that contain sensitive data from being sent.
  • Avoid using a private email server. Most companies don’t have the in-house resources to secure and monitor one.
  • Ensure that all employees have appropriate and continuous cybersecurity training, including how to spot BEC scams.
  • Require that all sensitive operational procedures, such as making wire transfers or releasing employee payroll data, be authorized by more than one person.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Latest Anthem Breach Traced Back to Third-Party Vendor

New Anthem breach underscores the need to manage cyber risk throughout the enterprise ecosystem

New Anthem breach underscores the need to manage cyber risk throughout the enterprise ecosystem

Anthem – yes, that Anthem – has been hacked again. About a month after the beleaguered health insurer agreed to fork over a record-setting $115 million to settle a class action lawsuit related to its massive 2015 breach, it was breached again, or rather, one of its third-party vendors was. The 2017 Anthem breach involves approximately 18,000 Medicare members whose personal information was stolen by a malicious insider employed by LaunchPoint Ventures, a Medicare insurance coordination services firm. Healthcare IT News reports:

LaunchPoint discovered on April 12 that an employee was likely stealing and misusing Anthem and non-Anthem data. The employee emailed a file containing information about Anthem’s members to his personal address on July 8, 2016.

The file contained Medicare ID numbers, including Social Security numbers, Health Plan ID numbers, names and dates of enrollment. Officials said limited last names and dates of birth were included.

New Anthem breach underscores the need to manage cyber risk throughout the enterprise ecosystem

Takeaways from the Latest Anthem Breach

The Anthem breach is the latest to underscore the need for organizations to manage cyber risk throughout their entire enterprise ecosystem. Anthem’s own systems weren’t hacked; their third-party vendor was. Other recent victims of third-party breaches include Netflix, the Republican National Committee, Trump Hotels, Verizon, and Google (which was impacted by a breach at third-party vendor of one of their third-party vendors).

As organizations outsource more and more IT services, from payroll to billing to web development, hackers are increasingly targeting these service providers. It is estimated that 63% of all enterprise breaches can be traced back to a third-party vendor. Hackers may choose to attack these service providers because many of them are smaller firms whose cyber security may not be as robust as that of the national or multinational corporation whose data they really want.

Know Your Vendors

The danger of third-party data breaches is one of the reasons why the U.S. Department of Defense is requiring not only its primary contractors, but any firm they subcontract DoD work to, to be compliant with the DFARS security standard by the end of 2017.

Private-sector organizations should take a cue from the DoD and only do business with IT service providers who have released AICPA SOC / SSAE16 reports and/or who have important IT security certifications such as NIST, ISO, or FedRAMP. These organizations have proven their commitment to the highest levels of data security by undergoing rigorous security audits that require them to adhere to certain procedures and controls and put them in writing.

Likewise, IT service providers should obtain the appropriate data security certifications and demonstrate to their customers that they have strong security controls in place. Continuum GRC’s IT Audit Machine (ITAM) empowers organizations to get and maintain compliance the easy way, with self-help modules covering numerous compliance standards, including FedRAMP, SSAE 16, COBIT, ISO 27001, ISO 27002, ISO 27005, SOX, FFIEC, PCI, GLBA, HIPAA, CMS, NERC CIP, DFARS, and other federal and state mandates.

Don’t Expect to Pass the Buck

Just because a breach is your vendor’s fault doesn’t mean your organization will be shielded from liability. The $300 million Target breach, which resulted in both the CEO and the CISO losing their jobs, involved a third-party point-of-sale vendor.

The scope of potential liability just broadened; shortly after news of the Anthem breach broke, a U.S. Court of Appeals issued a ruling against health insurer CareFirst, allowing a class-action lawsuit filed by customers impacted by a 2014 breach to move forward. The ruling is expected to have wide implications, allowing customers not only of health insurers but any company to sue if their personal information is stolen.

Ensuring good governance, risk management, compliance, and cyber security throughout your enterprise ecosystem takes far less time and costs far less money than doing damage control after a breach happens.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Get Ready for Greater SEC, NFA Cyber Security Enforcement

SEC, NFA cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs

SEC, NFA cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs

Public companies and firms operating in regulated industries, especially finance, should expect more SEC, NFA cyber security enforcement in the wake of new and emerging threats, like WannaCry and NotPetya, as well as the appointment of two new cyber-minded enforcement chiefs. Reuters reports:

SEC, NFA cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs

On Thursday, the U.S. Securities and Exchange Commission named Stephanie Avakian and Steven Peikin as new co-directors of enforcement.

In an exclusive interview ahead of the formal announcement, the two said they were deeply concerned about cyber threats and see the topic as a major enforcement priority.

“The greatest threat to our markets right now is the cyber threat,” said Peikin, who was still wearing a guest badge because he has not yet received his formal SEC, NFA credentials yet. “That crosses not just this building, but all over the country.”

The SEC, NFA has started to see an “uptick” in the number of investigations involving cyber crime, as well as an increase in reports of brokerage account intrusions, Avakian said. As a result, the agency has started gathering statistics about cyber crimes to spot broader market-wide issues.

This follows on the heels of a risk bulletin the SEC, NFA released in response to the WannaCry attacks, urging broker-dealers, investment advisers, and investment companies “to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.” The bulletin directed readers to a website established by the Financial Industry Regulatory Authority (FINRA), a self-regulatory organization overseen by the SEC, that provides numerous cyber security tips and resources.

Cyber Security Problems Uncovered During Regulatory Exams

Also contributing to the new SEC, NFA cyber security focus are widespread security lapses the SEC, NFA found during recent regulatory exams at financial companies, including:

  • Unauthorized disclosures of personally identifiable information (PII).
  • Issues with phishing emails; employees were found to click on suspicious attachments more than 20% of the time.
  • Third-party wires not being properly authenticated.
  • Organizations not conducting periodic risk assessments, penetration tests, and vulnerability scans.

Penalties for non-compliance with SEC, NFA cyber security standards can be severe. Last June, the agency fined Morgan Stanley Smith Barney LLC $1 million for failing to sufficiently secure its systems to prevent a breach; sanctioned Craig Scott Capital LLC for $100,000 for using non-firm email addresses to receive faxes; and made R.T. Jones Capital Equities Management Inc. pay $75,000 for “failing to implement proper cyber policies” after the firm was breached.

Financial firms aren’t the only ones on the SEC’s radar. Law360 reports that the SEC, NFA is investigating Yahoo for its numerous data breaches.

Sound GRC Practices Will Keep Your Organization on the SEC’s Good Side

A panel held at the recent 2017 FINRA Annual Conference discussed five best practices organizations should adopt to prevent cyber attacks and maintain compliance with both FINRA and SEC, NFA cyber security standards: governance, risk assessment, cyber security training, access management, and vendor management.

Some organizations, especially small and medium-sized businesses, struggle with the cost and time commitment that proactive cyber security and GRC require. To slash the time and money companies must devote to cyber security, Lazarus Alliance utilizes the Continuum GRC IT Audit Machine (ITAM), a proprietary RegTech software package with user-friendly self-help modules, including modules for the FINRA SEC, NFA Cyber Security Report Card and the FINRA Small Firm Cybersecurity Checklist. ITAM saves money, simplifies the compliance process, eliminates audit anarchy, and speeds up the GRC assessment and reporting processes by 180%.

The cost of cyber attacks and non-compliance penalties are much higher than preventing attacks and maintaining compliance in the first place.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.