Tens of billions of emails are sent every single day. Not all of them have that document you’ve been waiting weeks to receive. In fact, an estimated 3.4 billion emails are sent by cybercriminals every day.
But how often are they being opened? Phishing attacks have an open rate between 17% and 53%, depending on how personalized they are. The FBI estimates that business email compromise (BEC) has caused over $50 billion dollars in domestic and international loss in less than 10 years.
So, needless to say, BEC is a hotbed for cybercrime and a dangerous threat to your bank.
What Is Business Email Compromise (BEC) and How Does it Work?
Business email compromise is a sophisticated form of cybercrime where attackers manipulate email communications to trick employees into divulging sensitive information or performing unauthorized transactions. There are two primary categories:
- Phishing Emails:
These are fraudulent emails designed to mimic legitimate correspondence from trusted sources, such as bank executives or reputable clients. Through carefully crafted messages, cybercriminals aim to deceive recipients into divulging sensitive information or executing financial transactions.
- Account Takeover:
In this scenario, attackers gain unauthorized access to email accounts, allowing them to monitor communications, manipulate information, and orchestrate fraudulent transactions while impersonating legitimate users.
What Might a Business Email Compromise Look Like at Your Bank?
BEC relies on human error. Attackers use social engineering tactics and psychological manipulation to trick employees into making mistakes. Here are some common examples of BEC attacks that can occur at your bank:
1. CEO Fraud or Executive Impersonation:
In this scenario, a cybercriminal might impersonate the bank’s CEO or another high-ranking executive. They craft a convincing email requesting urgent fund transfers or sensitive financial information from lower-level employees.
The email might appear legitimate, often exploiting the urgency and authority associated with executive communications. For instance, the email could request a wire transfer for an alleged confidential acquisition or urgently request personally identifiable information (PII) under the guise of regulatory compliance.
2. Vendor/Supplier Fraud:
Cybercriminals might compromise or spoof the email accounts of vendors or suppliers regularly engaged with the bank. They then send fraudulent invoices or payment requests to the bank’s finance department, asking for payments to be redirected to a new or modified account under the cybercriminal’s control.
These emails might appear authentic, mimicking the vendor’s typical communication style and using familiar logos or language to deceive employees.
3. Account Compromise and Employee Impersonation:
A cybercriminal gains unauthorized access to an employee’s email account through phishing or social engineering tactics.
With control over the account, they use it to send seemingly genuine emails to other colleagues within the bank. These emails might request confidential information, initiate fund transfers, or manipulate employees into downloading malware-infected attachments or clicking on malicious links.
4. CEO/CFO Email Spoofing:
Hackers may spoof the email addresses of the bank’s top executives, altering the email domain slightly to create a convincing imitation. These emails often target HR or finance departments, requesting employee tax information, and payroll details, or prompting financial transactions.
In each scenario, cybercriminals exploit human vulnerabilities by leveraging trust, authority, urgency, or familiarity. They carefully craft deceptive emails that mimic legitimate communications, aiming to manipulate employees into taking actions that compromise security or lead to financial losses for the bank.
What Is There to Do About It? Effective Changes You Can Make to Bank Cybersecurity
To improve your bank cybersecurity, simple tools and measures serve as shields against business email compromise:
Cybersecurity Training for Employees
Empowering employees with comprehensive cybersecurity training is pivotal. Educating staff members about the tactics employed by cybercriminals and fostering a culture of vigilance significantly reduce the risk of falling victim to BEC attacks.
Training for the Board
It’s essential to extend cybersecurity education to the board members, equipping them with the knowledge to recognize and mitigate cyber risks effectively.
Implementing robust anti-spam filters helps in identifying and filtering out potentially malicious emails before they reach employees’ inboxes, reducing the chances of successful BEC attacks.
Email Authentication Measures
Deploying authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) can thwart email spoofing attempts, preventing unauthorized emails from impersonating legitimate sources.
Multi-Factor Authentication (MFA)
MFA adds an additional layer of security by requiring multiple forms of verification before granting access to sensitive systems or performing transactions. This significantly mitigates the risk of unauthorized access even if credentials are compromised.
Avoid Hacking Attempts With RESULTS Technology
Business email compromise is an ever-growing threat, causing billions of dollars in losses every year. By implementing simple security measures and educating employees, your bank can significantly reduce its risk of falling victim to BEC attacks.
At RESULTS Technology, we offer comprehensive cybersecurity solutions tailored to the unique needs of community banks. Contact us today to learn more about how we can help safeguard your workforce against cyber threats.