Business email compromise can cost companies millions of dollars

A new whitepaper from Tokio Marine HCC outlines risk mitigation strategies to defend against this threat

By Alicja Grzadkowska

Anyone using an email at work, and particularly those individuals with access to vital information and business funds, needs to be wary of a rising threat. Business email compromise (BEC), otherwise known as phishing, can cost a company millions of dollars, according to a new whitepaper from Tokio Marine HCC.

The scam works like this: cybercriminals gain access to a company email and impersonate a co-worker, manager or other trusted business partner. They then use that access to steal sensitive data and money through fraudulent wire transfer requests, fake invoices, payroll diversions and more.

“Oftentimes, the emails of CEOs, presidents, CFOs and accounting managers are the ones targeted by criminals making requests for financial arrangements or for documents containing personnel information,” said Jeremy Barnett, co-global marketing leader at Tokio Marine HCC. “The cybercriminal can use access to an email to determine the tone, nature and style of which wire transfers or payments are requested through that account. Then, the criminal poses as that user and makes a similar type of request for payment for a wire transfer or request for information of employee tax IDs, for example, that can then be used for all sorts of nefarious purposes.”

Tokio Marine HCC has seen businesses lose six-figure sums to BEC, believing that they were paying vendors or transferring funds to legitimate accounts when the accounts actually belonged to criminals.

“It is a huge and instant financial hit on the business,” said Barnett.

As a result, it’s important that companies protect their employees’ emails, which can prove to be difficult because the suspicious messages used in the BEC scam usually don’t contain malware and can be hard for common email filtering software to detect. However, Tokio Marine HCC’s new whitepaper on business email compromise outlines four effective strategies that companies can use to defend their assets from this threat.

The first is to enable dual-factor authentication, which is the easiest and most effective step an organization can take to reduce the risk of email fraud. When logging into an email account, the user must first provide log-in information before receiving a code on his or her mobile device that must then be input as well.

“It gives another layer of protection to confirm that the user who’s trying to access the website is also the user who has the registered mobile device,” explained Barnett.

Employee training is another important strategy that companies can implement to avoid becoming victims of BEC: when people in an organization are aware of these types of schemes, they can keep an eye out for signs of nefarious communication landing in their inboxes. According to Tokio Marine HCC, employees need to know not to click on links from an unknown sender and to confirm financial transactions in person prior to sending funds.

“The company is only as strong as its weakest link, and the weakest link is often the employees,” said Barnett. “If there’s a request for payment or request for sensitive information, always call the person or walk over to the person before you go ahead and send it digitally.”

Tokio Marine HCC is also encouraging its clients to use a variety of software tools to help them fight off the BEC threat, from spam filtering to next generation antivirus solutions that can identify whether a user’s command makes sense based on their typical activity.

“The next generation of antivirus tools also communicate back to the cloud, where there’s constant updates of known viruses and attacks,” added Barnett.

Organizations would do well to implement the four strategies outlined by Tokio Marine HCC, especially because they’re cost-effective compared to the heavy price tag of email fraud.

“Preventative health is a lot less expensive than having to go to surgery for something that’s been neglected for so long in our own personal health,” said Barnett. “Similarly, with an organization, the idea of putting effort into prevention is a lot cheaper and more effective than dealing with it after there’s an incident.”

Tokio Marine HCC is dedicated to protecting its customers beyond providing insurance. Because cybercrime is so sophisticated today, it’s inevitable that companies will be targeted, and knowing how to defend against BEC threats will help companies stay ahead of this evolving cyber risk.

“It’s important for us to provide up-to-date information and alerts on what cyber risks are emerging, work with the experts around the country to understand best practices to mitigate those risks and share that information with our clients and partners,” Barnett told Insurance Business. “We need to stem the tide of cybercrime; the only way to do it is constantly providing better information and better strategies to reduce the risk.”
