Employees certainly need more training to be able to detect a business email compromise (BEC) when they see one. What makes this so difficult, some analysts say, is that when a seemingly legitimate C-Suite executive at their company directs an employee to initiate an invoice payment, that employee isn’t likely to disobey orders from upstairs.
The problem persists, and evidence suggests it’s getting worse: recent research from TD Bank found that 91 percent of survey respondents expect B2B payments fraud and invoice scams like business email compromises to increase in the coming years. A fifth of survey respondents who had been hit by some type of cyberattack said it was the result of a BEC, making this cybercrime the number one tactic fraudsters use.
The majority of employees lack the education needed to detect such invoice scams and cyberattacks, according to separate research from MediaPro released last year. The data represents the cost of human error in these cases, the company said.
Here’s the problem: The professional who falls victim to eInvoice scams like the business email compromise is, more often than not, a C-Suite executive. Yes, that includes the CEOs themselves, says the latest analysis from Trend Micro.
Its “2017 Midyear Security Roundup: The Cost of Compromise” report found that nearly 42 percent of BEC cyberattacks occurred because the CEO fell for the eInvoice scam. Managing directors and directors accounted for more than 28 percent of the compromises, while presidents accounted for nearly 7 percent.
The CFO is the most commonly targeted professional in the enterprise when it comes to business email compromises, the report noted.
“High-ranking executives and rank-and-file employees alike, if uninitiated, could be duped into sending funds via wire transfer or revealing information necessary for cybercriminals to pull off their fraudulent schemes,” Trend Micro warned in its report, as reported in the International Business Times.
“Amid a heightened focus on CEO scams, there was also a resurgence of old techniques used in BEC,” the report found. “One of these is the supplier swindle scheme, in which cybercriminals spoof a company related to or doing business with their target, rather than a C-level executive from the same organization.”
Additional Attacks Putting the Enterprise at Risk
The business email compromise is a damaging threat to the enterprise, especially to U.S. firms, where nearly 31 percent of worldwide BEC attacks have occurred since the start of the year. So far, more than 3,000 BEC scams have been detected by Trend Micro, the company noted, with such B2B payments scams accumulating $5.3 billion in total losses since 2013.
But it’s not the only cybercrime that’s putting the enterprise at risk.
Trend Micro pointed to the WannaCry and Petya ransomware cyberattacks this year, for example, that led to total losses of up to $4 billion at companies across the world. The company said it detected more than 82 million ransomware attacks in the first half of 2017 alone.
Interestingly, Trend Micro noted, the number of ransomware attacks appears to have plateaued this year.
“Nevertheless,” the report said, “this period of relative stabilization sees cybercriminals focusing on diversifying in terms of potential victims, platforms and bigger targets.”
In a statement, Trend Micro CIO Max Cheng noted that the cyber threat to the enterprise will continue, and companies need to react accordingly.
“Enterprises need to prioritize funds for effective security up front, as the cost of a breach is frequently more than a company’s budget can sustain,” he stated. “Major cyberattacks against enterprises globally have continued to be a hot button topic this year, and this trend is likely to continue through the remainder of 2017. It’s integral to the continued success of organizations to stop thinking of digital security as merely protecting information, but instead as an investment in the company’s future.”