[Image: mail being filtered through brick wall: business email compromises]

If you have Mailworx from Alvaka, or a similar email spam filtering solution, then good for you. If you do internal education and phishing tests of your employees, then double-good! At Alvaka Networks, we have seen a number of business email compromises — the largest one costing three quarters of a million dollars. I used to think that phishing exploits such as these were stories of lore…until I started seeing it myself. The threat is very real.

To protect yourself (and your firm) from phishing, spear-phishing, whaling and other forms of business email compromise (BEC), you need to be scanning your email with a system that not only blocks spam, but also blocks the messages that present cyber threats to your company. Modern spam filtering services look for language consistent with phishing threats. More advanced email protection services, like our Advanced Mailworx service, also scan attachments for threatening content such as malware or embedded scripts designed to do bad things. Plus, any Internet links in the emails are checked against lists of known bad sites, and if any are found, the message is blocked.
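The three checks described above (phishing wording, risky attachments, links against a known-bad list) can be illustrated with a small scanner. The following is an added example written for this page, not Alvaka's or Mailworx's code; the blocklist, the phrase list and the sample messages are constructed placeholder values, and a real service would use live threat-intelligence feeds and far richer analysis.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed blocklist of known-bad domains (placeholder values, not a real feed).
BAD_DOMAINS = {"evil-invoice.example", "login-verify.example"}

# Attachment extensions that commonly carry executables or embedded scripts.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".scr", ".docm", ".xlsm"}

# Wording typical of phishing / BEC lures (illustrative, not exhaustive).
PHISH_PHRASES = (
    "verify your account",
    "urgent wire transfer",
    "password will expire",
    "update your payment",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def domain_is_blocked(host: str) -> bool:
    """True if host equals, or is a subdomain of, a blocklisted domain."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in BAD_DOMAINS)


def scan_message(raw: str) -> dict:
    """Scan a raw RFC 822 message and return why it would be blocked, if at all."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    text = ""

    # 1. Walk every MIME part: flag risky attachments, gather text bodies.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
                reasons.append(f"risky attachment: {name}")
        elif part.get_content_maintype() == "text":
            text += part.get_content()

    # 2. Look for wording consistent with a phishing lure.
    lowered = text.lower()
    for phrase in PHISH_PHRASES:
        if phrase in lowered:
            reasons.append(f"phishing language: {phrase!r}")

    # 3. Check the host of every link against the known-bad list.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if domain_is_blocked(host):
            reasons.append(f"blocked link: {host}")

    return {"blocked": bool(reasons), "reasons": reasons}


# Constructed sample: a BEC-style lure with a scripted attachment and a bad link.
SAMPLE_PHISH = """\
From: ceo@corp.example
To: accounts@corp.example
Subject: Urgent wire transfer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please process this urgent wire transfer today.
Verify your account here: http://portal.login-verify.example/auth
--XYZ
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"
Content-Transfer-Encoding: base64

YWxlcnQoMSk=
--XYZ--
"""

# Constructed sample: an ordinary internal message that should pass.
SAMPLE_CLEAN = """\
From: alice@corp.example
To: bob@corp.example
Subject: Tomorrow
Content-Type: text/plain; charset="utf-8"

Hi Bob, see you at the 10am meeting tomorrow.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(raw))
```

The blocklist match deliberately covers subdomains (`portal.login-verify.example` is caught by `login-verify.example`) while ignoring look-alike names that merely end with the same letters; that distinction is what separates a useful domain check from one that either misses obvious evasion or floods users with false positives.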

“Business email compromise overtakes ransomware as top cyber threat”, a story in TechCentral, presents data from a study by AIG of 2018 cyber insurance claims. Here are some interesting quotes from the article:

  • “After BEC, ransomware was the second biggest offender in 2018, followed by data breach by hackers and data breach by employee negligence tied in third place.”
  • “The insurance giant analysed over 1,100 of its EMEA claims from the years 2012 to 2018 for the report. Almost a quarter (23%) of its 2018 cyber claims were BEC related; a significant jump from 11% in 2017.”
  • “In most cases, BEC can be traced back to a phishing email containing a link or attachment.”
  • “Firstly, it tells us that ‘BEC is one of the most consistent and effective forms of attacks against business users.’ Secondly, it yields considerable financial returns, that are ‘in our experience typically a larger return-per-attack than other categories, such as ransomware.’”
  • “Organisations should also ‘consider simple quick wins around technical controls such as implementation of effective multi-factor authentication, along with stronger email controls such as implementation of DMARC, effective email content security etc.’”
  • “If you think BEC is bad, just wait until you see what is coming next – AI being used to make phone calls that sound just like they are coming from your boss — with his or her voice speaking to you and instructing you to make a payment… that’s already happening and someone just lost £200,000 to such a fraud.”
  • “…the fallibility of people is taken advantage of, not any cyber vulnerability. [BEC] is not cyber-crime,” he said, “but fraud, plain and simple. If you don’t believe me – try claiming for BEC on a cyber insurance policy; you will quickly and politely be told to contact your fraud insurer instead.”
  • “The AIG report warns that companies should double-check insurance policies, and review what they cover and what they exclude. BEC may not be included under cyber-insurance, but may be covered under generic crime insurance. As such, people are buying coverage to protect against a wider range of losses than ever before.” [BTW – Alvaka has just bundled $250,000 of cyber-breach insurance into our Patchworx service. The really good news is that insurance is good for breaches other than those emanating from a patching incident.]
  • “It’s important to stress that the cyber attacker and the types of attacks against organisations are constantly shifting and evolving as organisations and the industry deploy better and more sophisticated controls against a particular set of attacks based on intelligence and knowledge,” said Larkin.
  • Financial services firms have long been the hardest hit by cyber-attacks, but last year, the professional services sector fared worse. Year-on-year, the number of claims stemming from professional services, including legal and accountancy firms, increased from 18% to 22%.
  • “The financial services sector was responsible for 15% of the claims in 2018, down from 18% the previous year. These figures do not tell the whole story however, as AIG said the total claim notifications from financial services customers nearly doubled between 2017 and 2018. Clearly the sector is still highly targeted despite its sophisticated approach to cyber risk.”
  • “The data shows that a vast array of sectors, including retail, manufacturing, and healthcare industries fell victim to attacks last year; no industry is immune to attacks.”
  • “However, not all firms are taking the necessary precautions. Last year, AIG found that just 55% of Fortune 500 companies have cyber-security insurance. For small to medium businesses, this figure is even lower, at just 35%. Often those businesses are the most vulnerable, when smaller businesses experience major data breaches, 60% fold within six months.”