Human, Artificial, and Email Attack Intelligence: Why You Need All Three

By Cofense

It’s a staggering statistic: 50% of all email phishing attacks, including business email compromise (BEC) and credential theft, evade secure email gateways (SEGs). Yes, your SEG misses half of all advanced email attacks targeting your organization.

While credentials are appealing to threat actors, their end goal is far more nefarious – to compromise your business’s crown jewels, such as customers’ personally identifiable information (PII) and confidential intellectual property (IP). To protect these valuable assets, organizations must deploy an intelligence-driven solution to counteract phishing attacks, which make up 91% of all cyberattacks.1 With this approach, organizations gain the upper hand against threat actors by proactively identifying trends, predicting threats and preventing attacks. However, a solution is only as effective as the intelligence that powers it. New attacks and tactics are developed every day, and organizations need insights from multiple sources to identify the latest campaigns.

Cofense enables organizations to detect and respond to email phishing attacks evading traditional email security controls with a comprehensive platform powered by a combination of unique intelligence sources: human intelligence, artificial intelligence and email attack intelligence. Each of these sources, deployed through various products in the Phishing Detection and Response (PDR) platform, provides an important and necessary view into active phishing campaigns.

  • Human Intelligence is derived from a network effect of over 32 million reporters worldwide reporting real phish reaching their inboxes. More than 50% of attacks reported to the Cofense Phishing Defense Center (PDC) were reported in another PDC customer’s environment first, immediately arming the organization with the necessary indicators of compromise (IOCs) to stop the attack.

  • Artificial Intelligence comes from patent-pending “computer vision” technology deployed in Cofense Protect that reads emails as a human does and identifies if they are malicious. Of the threats identified by computer vision, 88% have never been seen before, enabling organizations deploying Protect in their environments to catch the newest attacks almost instantly.

  • Email Attack Intelligence, obtained from multiple sources, vets every single IOC distributed by Cofense. Our team of analysts reviews every IOC from our human and artificial intelligence sources, with customers experiencing – as they’ve told us – a “99.9% credibility rate.”

This unique combination of intelligence provides an unsurpassed source of insights into phishing campaigns, and powers our comprehensive platform to automatically identify and remove recently developed attacks, even if they haven’t been reported. In essence, Cofense sees threats that SEGs don’t.

Threat actors continuously evolve their tactics to bypass existing email security. To fully enable your SOC and mature from a reactive to proactive security posture, it’s imperative to deploy a solution powered by relevant data that evolves in real time to identify the next attack before it strikes your organization. Data is only as relevant as its sources, and organizations evaluating email security solutions should ask vendors to talk about how they power their technology. Data should derive from relevant, dynamic and distributable sources to ensure the solution evolves with the threat landscape and remains effective.

Cofense’s unique and relevant data ticks these boxes and fuels a cohesive solution that evolves your email security posture to stay ahead of the ever-changing threat landscape. Ask us how we can help your enterprise. Contact us today.

1 Deloitte, January 9, 2020: “91% of all cyber attacks begin with a phishing email,” https://www2.deloitte.com/my/en/pages/risk/articles/91-percent-of-all-cyber-attacks-begin-with-a-phishing-email-to-an-unexpected-victim.html.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

How Aligning Security Awareness and Security Operations can Reduce Dwell Time

Email phishing attacks pose a large threat to every organization around the world and make up 91% of all cyberattacks.1 The most effective way for organizations to reduce their risk is to ensure that all aspects of their phishing program are focused on resiliency and preparing for the attacks that have the highest likelihood of reaching them. Suggested metrics to define and understand include human resiliency, mean time to detect (MTTD), mean time to respond (MTTR), and dwell time.

While MTTR falls under the purview of Security Operations and is a central focus in analyzing and remediating attacks, MTTD should also be considered, though it is often treated as a secondary metric. To fight email phishing attacks, both metrics must be primary objectives of the Information Security program. The Security Awareness function can improve these metrics by increasing the resiliency of the humans at the organization, ensuring that the threats bypassing traditional email controls are quickly recognized, reported, and placed in the hands of the security operations and response teams.

The first step to reducing dwell time is improving MTTD, which can be accomplished by conditioning your employees to be the first line of defense: human sensors who report any email they suspect is malicious. Most security awareness programs focus on susceptibility, a measure of how many employees click on a simulation. Instead, security awareness programs should focus on resiliency, which compares the number of employees who reported the simulation to the number of employees who clicked the link. Email phishing attacks can only be removed if Security Operations is aware of them, which positions Security Awareness at the center of Security Operations’ strategy.

The second step to reducing dwell time can be accomplished by enabling Security Operations to analyze the most likely malicious emails first. While increased reporting rates are a positive change and increase visibility into the threat landscape, they also mean threat analysts must spend more time reviewing reported emails to find actual attacks. Various email security vendors provide tools for Security Operations Centers (SOCs) to respond to reported emails, but they don’t provide the best approach. Most organizations take an approach of “scoring” threats based on their internal threat intelligence, but this does not account for the power of your internal reporters. Highly trained employees as the first line of defense become the best “eyes” of an organization, and employees with the highest likelihood of spotting a phishing email should have their reports analyzed first. Combining threat scoring and reporter scoring further emphasizes the importance of Security Awareness while making it easier for Security Operations to stop email phishing attacks.

Security Awareness is more than compliance – it is an integral part of reducing dwell time for the most active and successful threat vector facing every organization: email phishing attacks. With Cofense Phishing Detection and Response (PDR), organizations can create a partnership between the Security Awareness and Security Operations teams. Cofense enables Security Awareness to build resiliency across the organization with simulations derived from real phish that are updated every month, and Cofense is the only vendor that delivers simulations when an employee is active in their inbox, doubling report rates across our customer base. Cofense PDR takes these reported emails and automatically helps SOC analysts sift through the noise by scoring reported emails based on indicator of compromise (IOC) scoring and “reporter reputation,” enabling threat analysts to first investigate reported emails from employees with the greatest track record of reporting real phish. It is time Security Awareness takes its rightful place next to Security Operations as partners in reducing dwell time and keeping email phishing attacks out of employee inboxes.

Monkeypox Phishing: Outbreak Becomes Latest Lure

By Elmer Hernandez, Cofense Phishing Defense Center

As the world recovers and learns to live with Covid-19, use of the pandemic as a phishing theme has started to wane. However, public wariness and anxiety surrounding any emerging medical concern will remain exploitable. Enter the current monkeypox outbreak. The Phishing Defence Center (PDC) has seen attempts to deceive enterprise staff with a series of monkeypox-themed phishing emails. As this rare infection spreads around the globe and gains media attention, attackers are likely to continue tweaking their tactics.

In the last week at least two PDC customers have reported emails such as the one displayed in Figure 1. Both the employee’s and company’s names change depending on who is targeted, but the email body stays the same.

The pretence is similar to what we have already seen with Covid-19 themed phishing emails. It opens by mentioning updates from reputable health organizations to give the impression of veracity and seriousness. It stresses the importance of keeping staff and the company safe, in an attempt to make the employee feel they share part of the collective responsibility. Finally, it asks all employees of the company to comply with mandatory safety awareness training.

Figure 1 – Phishing Email

Users are taken to a compromised website and then directed to either a spoofed domain or another already-compromised website. Looking at the URL, it’s clear the threat actor wanted to add validity to the page by naming the directory “health”. Otherwise it is standard Microsoft credential phishing. It first asks the user for the email address (Figure 2) and subsequently the password (Figure 3), with reassurance that this is necessary due to the sensitive nature of the information being accessed. Once the user has provided all credentials, a confirmation page appears for a few seconds (Figure 4) before the user is redirected to the real Office 365 website.

Figure 2 – Phishing Site

Figure 3 – Password

Figure 4 – Confirmation

IoCs
hXXps://rawshan[.]com/health/

BEC Insights: The Need for Better Business Controls

Author: Tonia Dudley

In our 2022 Annual State of Phishing Report, we observed the Business Email Compromise (BEC) threat category inch up from 6% to 7% of overall threats, with the Healthcare sector still leading the way at 16%. With increased attention and speculation around BEC, otherwise known as CEO fraud, Cofense CTO & Co-Founder Aaron Higbee, BEC specialist and Principal Threat Advisor Ronnie Tokazowski, and I sat down to go in-depth on our findings and insights around this threat.

One of the highlights from this webinar was a new tactic we recently observed at Cofense related to direct deposits. As you can see from the message below, this threat actor leverages what many companies use as a best practice, self-service updates to direct deposit information, making this tactic more effective.

This is just one of many samples highlighted in the webinar. Below is a brief list of takeaways and topics discussed. You can hear the entire discussion on demand, plus register for additional annual report webinars on topics such as Secure Email Gateways and Ransomware.

Key Takeaway #1 – Evolution of the Threat

In late 2015, Cofense first wrote about BEC after we ourselves observed our CFO receiving a spoofed email from our CEO, Rohyt Belani, asking for a wire transfer. As we continue to follow the tactics related to this threat, as with any other threat, threat actors have constantly adjusted their templates to minimize detection by the secure email gateway (SEG) and spam filters. Many of the conversation-starter emails are quite vague and take 2-3 follow-up emails to lure the recipient into executing the desired task (e.g., purchasing gift cards).

Key Takeaway #2 – Top BEC Threats for Enterprise

We dig a bit deeper into each of these topics on the webinar, but these are the top themes we have observed related to BEC.

  • Invoice Fraud – this isn’t surprising, as we continue to observe that this is a top theme for threat actors to reach one of their top objectives – MONEY.
  • Thread Hijacking – nothing adds more credibility for a recipient to interact with a threat actor than an email chain that appears to be three replies deep into a conversation.
  • Gift Cards – while this threat tends to be small in monetary value, it tends to cost the employee directly, as they’re unable to get reimbursed for this inadvertent purchase. Threat actors tend to choose the gift card brand they request based on the exchange rate on the bitcoin marketplace.
  • Direct Deposit – also known as payroll diversion, where the threat actor attempts to redirect your paycheck to their bank account instead of yours.

Key Takeaway #3 – Ways to mitigate against BEC

We closed out the webinar with a few quick actions you can take to help protect your organization against this threat.

  • Education. While we promote phishing simulation campaigns as the optimal way to train your employees against phishing threats, this threat is a bit more difficult to train for using that methodology. When it comes to BEC, cover the topic in your security awareness newsletters, and include images of real emails observed by your organization. Sharing a real email makes the threat real to your users.
  • CEO Messaging. Ensure that your users understand that your executive team isn’t going to ask them to buy gift cards to reward clients or their family members. Be sure to include this in your New Hire Orientation (NEO) onboarding, as this group of employees is not likely to be as familiar with your business practices or executive team.
  • Implement and Enforce business process changes. When it comes to BEC, victims of these threats are all linked back to a breakdown in the business controls meant to prevent large amounts of cash from being sent out of the organization.

SEG Effectiveness: Three Takeaways from the 2022 State of Phishing Report

Author: Tonia Dudley

Earlier this year, Cofense released its 2022 Annual State of Phishing Report, highlighting insights and analysis from customer environments. One major takeaway is the amount of phish that continue to bypass Secure Email Gateways (SEGs). To provide more insight on this topic, Cofense CTO & Co-Founder Aaron Higbee and I sat down to go in-depth and highlight findings on SEG misses.

While organizations analyze data across industries to see how they compare against peers, we also recommend you compare your organization against your technology stack. As you tune your security controls and SEG, are you able to detect and respond to new threats as they land in the inbox?

Figure 1: New Behavior for QakBot

Key Takeaway #1: Threat Actors tune their tactics.

As SEGs tune for file attachment threats, which continue to show low inbox hits, Cofense continues to see new file attachment types used to bypass the SEG. These odd file types may appear obscure to a user surfing their inbox, but often they are still recognized by native Microsoft Windows endpoints. Along with odd file types, we stay abreast of new behavioral tactics used by threat groups. The email in Figure 1 is related to the known QakBot malware family, but this particular campaign switched tactics by directing the recipient to click a link that downloads a zip file. When the recipient interacts with this zip file and extracts the .MSI file, QakBot is launched onto the device.

Key Takeaway #2: The top file attachment type landing in the inbox.

Threat actors continue to leverage the one file type they know will land in the inbox and likely get engagement from the recipient – HTML / HTM files. This file type can be difficult to mitigate with a hard block, as many legitimate business applications and SaaS solutions use it. Look for ways to mitigate this risk by working with the business owners to identify the recipient population that needs to receive these emails. Then provide resources that allow your users to validate the legitimate services that send this file type. The best way to condition and prepare your organization to identify and report this threat is to use this file type in phishing simulation campaigns.

Key Takeaway #3: Microsoft updated Office file types – did you?

Not only are odd file types being leveraged, but what about file types that have been sunset? I don’t know about you, but I’m not sure of the last time I used an MS Office product that didn’t add the ‘x’ to the file extension (.xlsx or .docx). It can be a simple configuration change to add these legacy file types to your block list and minimize the risk of these files landing in the inbox.

As we closed out the discussion on odd file types and opened the floor for questions, we received a question that has been a discussion point lately as organizations are looking to focus their phishing defense programs.

What are you using to measure the effectiveness of your phishing defense program?

Tune into the recording for our summary and stay tuned as we publish more recommendations on this topic.

Threat actors are continuing to use emerging tactics and techniques to bypass traditional email security solutions and the only way to stay ahead of the curve is to have a comprehensive phishing defense strategy. If you’re interested in a more detailed analysis of SEG effectiveness, BEC insights or catching ransomware at the phishing stage, sign up for our upcoming webinars.

Hackers Utilize SwissTransfer To Deploy Phishing Scam

Author: Kian Maher

In recent weeks, the Cofense Phishing Defence Center (PDC) has noted a number of emails utilising the SwissTransfer service to achieve successful phishes against recipients. A common and preferred vector for attackers, file sharing services such as WeTransfer, Microsoft OneDrive and Dropbox have been utilized to spread files containing anything from scams to malware leading to ransomware.

Figure 1: Phishing Email

Based in Switzerland, this file sharing service has been seen mostly in attacks against users in German-speaking nations. The file sharing capabilities and clean image of the site can easily trick a user into downloading a file they believe is legitimate and from a known contact; because any alias can be attached to a sent file, impersonation becomes exceedingly easy.

Navigating to the link in the email will present the user with a legitimate SwissTransfer download page where a PDF file named “Portfolio Control GmbH.pdf” can be downloaded, as seen in Figure 2.

Figure 2: File Download Page

Once the file has been downloaded and the recipient opens the PDF, clicking on the link will redirect the user to a Microsoft login page.

Figure 3: PDF Document

The login page spoofs the standard Microsoft layout and the only indicator that something is amiss is the URL seen in the address bar.

Figure 4: Landing Page

Beware of emails coming from legitimate services such as SwissTransfer, WeTransfer and Microsoft OneDrive, as phishing attacks are constantly evolving and becoming more convincing and complex by the day. Equally important is ensuring the same password is never used for more than one account. Additionally, never perform any password resets or account retrievals outside of the legitimate website of any email provider you use or a corporate environment’s approved methods.

Malicious emails like this are a constant threat in the enterprise space due to the constant use of services such as Microsoft Outlook, and it is important that users are made aware of this so that they can be more vigilant when receiving emails. With Cofense’s suite of products and services, malicious emails can be identified, and indicators of compromise (IOCs) identified and shared. Find out what we can do for your enterprise.

IOC IP
hXXps://www[.]swisstransfer[.]com/d/3835eb76-db5c-4e5a-9aa6-044bac8b46ce 185.125.25.5
hXXps://microsoftonline[.]gonset-holdings[.]ch/common/oauth2/v2.0/authorize 190.123.44.153
64.98.145.30

Cofense Earns 2022 Top Rated Award from TrustRadius

Cofense PhishMe recognized for Security Awareness Training category based on excellent customer satisfaction ratings

Leesburg, Va. – May 19, 2022 – Cofense®, the leading provider of Phishing Detection and Response (PDR) solutions, today announced that Cofense PhishMe™ has won a 2022 Top Rated Award by TrustRadius in the security awareness training software category. Top Rated awards help distinguish products that have excellent customer satisfaction ratings and are based entirely on end user reviews.

Current events highlight that mature and effective phishing defense programs must be proactive and constant, as phishing continues to be a key entry point for a majority of cyber attacks. As employees are the front line of defense against phishing, training for employees is one of the most effective ways to strengthen your company’s defense against attacks such as ransomware, malware and Business Email Compromise (BEC). When it comes to preparing and conditioning users to spot and report phish hitting their inbox, the 2022 Cofense Annual State of Phishing Report highlighted a two-point increase in resiliency rate for simulation campaigns and saw a seven-point resiliency rate among organizations that have full phishing defense programs.

“Email threats are not going anywhere. In fact, it’s quite the opposite; they’re only getting worse and continue to dominate as the primary vector behind most data breaches. Threat actors are continuing to use emerging tactics and techniques to bypass email security technologies and the only way to stay ahead of the curve is to have a comprehensive email defense strategy,” said Rohyt Belani, CEO of Cofense. “An effective email defense program operates at the intersection of human intelligence and artificial intelligence. A critical mass of vigilant humans who report suspicious emails are critical to feed machine learning powered technologies so the latter can continually evolve and create a self-healing email security system. Security training or email security technologies in isolation are not going to work.”

Cofense PhishMe, a SaaS platform trusted by over 2,500 organizations across multiple industry verticals, uses intelligent automation, advanced algorithms and active threat scenarios to reinforce positive security awareness behavior. The training brings real, active threats into realistic phishing scenarios to ensure program relevance and to provide users with insights that can help them to navigate the modern threat landscape.

To qualify for a Top Rated award, a product must have 10 or more recent reviews from the past year, a trScore of 7.5 or higher based on TrustRadius’ algorithm that calculates a product’s scores based on a weighted average of reviews and ratings, and show relevance by having earned at least 1.5% of the site traffic in the category. Cofense’s TrustRadius reviews can be viewed here.

To learn more about Cofense, please visit www.cofense.com.

About Cofense

Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 32 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Phishing Takeaways from the Conti Ransomware Leaks – Part 3

Author: Brad Haas

Conti is one of the most prolific ransomware operations in the threat landscape today. In a recent act of retaliation against Conti’s leaders for their support of Russia, an anonymous person leaked documentation and internal chat logs from the group. This blog post series covers important phishing-related takeaways Cofense Intelligence analysts discovered in the leaks. In Part 3, we discuss elements of Conti’s phishing tactics and strategy.

Conti Produces Semi-Random Phishing Templates Using Simple Themes

Although the Conti group employs other malware operators to perform the work of sending malicious emails, it appears that the group provides the templates to use in the emails. Several English-language templates were included in the leaked Jabber chats, indicating a system that randomly chooses words or phrases from short lists. The templates included text that could produce a variety of wordings for email subject lines and bodies, along with a list of attachment names to choose from. Conti member “Lemur” contributed the following order-themed template in October:

lemur:

{Greetings|Hello|Good day|Good afternoon}{!|,|}

{Thank you for|We are grateful for|We are grateful for|Many thanks for} {your|your recent} {online order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} {received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} TRANSFER NUMBER. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} within {4|5|6|four|five|six} {days|business days}.

{Total|Full|Whole} {order|purchase|payment} SUM

You {can find|will find} {all|full} {relative information|order info|order and payment details} and your {receipt|check} CHECK NUMBER {in|in the} {attached file|file attached}.

{Thank you!|Have a nice day!}

Subjects: Your {order|purchase|online order|last order} Purchase order number payment {processed|obtained|received}

Attachments:

ord_conf

full.details

compl_ord_7847

buyer_auth_doc

info_summr

customer_docs

spec-ed_info

Dozens of other templates appeared in the chat, with themes including invoices, shipping, payment processing, legal matters, and other business-centered subjects. In a TrickBot chat exchange, two team members discussed a more personal template impersonating a woman looking for a relationship. They went through several revisions, even incorporating feedback from an English teacher.
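As an added example that is not part of the original post or the leaked material, the following Python turns a spintax template like Lemur’s into a detection regex and counts how many distinct bodies the template can produce; it assumes the upper-case tokens (TRANSFER NUMBER, SUM, CHECK NUMBER) are per-message fill-in values, and the sample bodies are constructed.

```python
import re

# Order-themed spintax template quoted on this page from the leaked Conti chat
# (posted by "lemur"). The upper-case tokens TRANSFER NUMBER, SUM and
# CHECK NUMBER are treated as per-message fill-in values (an assumption).
CONTI_ORDER_TEMPLATE = (
    "{Greetings|Hello|Good day|Good afternoon}{!|,|}\n\n"
    "{Thank you for|We are grateful for|We are grateful for|Many thanks for} {your|your recent} "
    "{online order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} "
    "{received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} "
    "TRANSFER NUMBER. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. "
    "Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} "
    "within {4|5|6|four|five|six} {days|business days}.\n\n"
    "{Total|Full|Whole} {order|purchase|payment} SUM\n\n"
    "You {can find|will find} {all|full} {relative information|order info|order and payment details} "
    "and your {receipt|check} CHECK NUMBER {in|in the} {attached file|file attached}.\n\n"
    "{Thank you!|Have a nice day!}"
)
PLACEHOLDERS = ("TRANSFER NUMBER", "CHECK NUMBER", "SUM")


def parse_spintax(text):
    """Parse {a|b|c} spintax (nesting allowed) into a tree: a list of parts, each a str or ('alt', [subtree, ...])."""
    pos = 0

    def parse_seq(stop_chars):
        nonlocal pos
        parts, buf = [], []
        while pos < len(text) and text[pos] not in stop_chars:
            ch = text[pos]
            pos += 1
            if ch != "{":
                buf.append(ch)
                continue
            if buf:
                parts.append("".join(buf))
                buf = []
            alts = [parse_seq("|}")]
            while pos < len(text) and text[pos] == "|":
                pos += 1
                alts.append(parse_seq("|}"))
            if pos >= len(text) or text[pos] != "}":
                raise ValueError('unbalanced "{" in template')
            pos += 1
            # duplicate alternatives ("We are grateful for" twice) add no variants
            uniq = []
            for alt in alts:
                if alt not in uniq:
                    uniq.append(alt)
            parts.append(("alt", uniq))
        if buf:
            parts.append("".join(buf))
        return parts

    tree = parse_seq("}")
    if pos != len(text):
        raise ValueError('unbalanced "}" in template')
    return tree


def count_variants(tree):
    """Number of distinct bodies the template can spin out."""
    total = 1
    for part in tree:
        if isinstance(part, tuple):
            total *= sum(count_variants(alt) for alt in part[1])
    return total


_SPLIT = re.compile(r"\b(?:" + "|".join(map(re.escape, PLACEHOLDERS)) + r")\b|\s+")


def _literal_to_regex(lit):
    # placeholders become lazy wildcards, whitespace runs become \s+, the rest is escaped
    out, last = [], 0
    for m in _SPLIT.finditer(lit):
        out.append(re.escape(lit[last:m.start()]))
        out.append(r"\s+" if m.group().isspace() else r".+?")
        last = m.end()
    out.append(re.escape(lit[last:]))
    return "".join(out)


def tree_to_regex(tree):
    """Compile the tree into one regex that matches every instantiation."""
    parts = []
    for part in tree:
        if isinstance(part, tuple):
            parts.append("(?:" + "|".join(tree_to_regex(a) for a in part[1]) + ")")
        else:
            parts.append(_literal_to_regex(part))
    return "".join(parts)


def matches_template(body, template=CONTI_ORDER_TEMPLATE):
    """True if the email body is an instantiation of the spintax template."""
    pattern = re.compile(tree_to_regex(parse_spintax(template)), re.IGNORECASE)
    return pattern.search(body) is not None


# Constructed samples (not real emails): one spin of the template with values
# filled in, and a benign order confirmation that must not match.
SAMPLE_PHISH_BODY = (
    "Good afternoon,\n\nMany thanks for your recent purchase order. Our team has processed your "
    "advance payment #TR-88213. Now we begin to prepare your shipment. Your parcel is going to be "
    "delivered to your residence within five business days.\n\nFull payment $2,140.00\n\n"
    "You will find all order and payment details and your receipt #CHK-40917 in the attached file."
    "\n\nHave a nice day!"
)
SAMPLE_BENIGN_BODY = "Hello,\n\nYour order has shipped and should arrive within 4 days.\n\nThanks!"
```

Because every message is a fresh spin, an exact-match signature on one observed body misses the rest; matching the template as a whole catches every variant while still rejecting a benign order confirmation.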

Conti Actively Develops and Tests Email Delivery Tactics

The spammers who work in and with the Conti organization showed familiarity with automated defenses against malicious email campaigns. In November 2021, “wind” discussed a way to abuse browser-centric email providers to send malicious emails:

wind: […] it will be necessary to create thousands of such docker containers and send only 10 letters from each mail account, sent by an AI emulator with mouse movements simulating human ones. Every mailer now has an AI, it recognizes all the movements in the browser, and their AI will just laugh out loud at the get requests to send hundreds of thousands of emails.

Another message from April 2021 shows an operator testing their emails on webmail platforms Gmail, Yahoo, Outlook, Mail.com, and AOL Mail. They included screenshots showing that an Apple-spoofing email had arrived in each of the inboxes.

A test of an Apple-spoofing email in a Mail.com inbox. The inbox includes several other test emails.

Phishing is Central to Conti’s Attack Strategy

Conti operators consider humans to be an effective target, and phishing is their mechanism for exploiting the human target surface with social engineering. Their “Hacker’s Quick Start” document lists dozens of OSINT sources to use, singling out people as “the weakest link.” The reference to “previously opened networks” indicates a repository of already-compromised data that can be leveraged against new targets.

Next, we look for the weakest link (see below).

Social engineering requires knowledge of personalities.

Everything is important: phone numbers, place of residence, dog’s name, hometown, favorite color, favorite band, hobbies.

Of particular importance: your candidate’s personal network of contacts, especially business contacts.

The structure of organizations reflects the structure of society.

As you move from one person to another through a network of contacts, you can change your entry point within one network, or open up new networks.

Both OSINT intelligence tools are used to gather information,

and information found in previously opened networks about contacts (Outlook address books, correspondence, etc.).

[…]

This data is then used either through phishing emails or phone calls.

In both cases, the load is triggered by a person.

Some of our previous takeaways highlight Conti operators’ consistency in dropping ineffective tactics and persisting with effective ones:

• TrickBot was effective enough for them to enjoy a tremendous amount of success early on, but when it started to cause too many problems, they shifted to other malware families.

• Despite all the attention, they used the BazarCall campaigns, knowing that the invoice theme would likely continue to succeed.

• They went to the trouble of bringing Emotet back, likely because it had been such a significant source of infections for them prior to its takedown.

This pragmatic approach accentuates the value that ongoing phishing activity must be providing to Conti operations. Given all of Conti’s investment in OSINT, email operations, and reviving Emotet distribution, phishing is clearly one of the group’s most important tactics, and it will likely be a staple for the group in the foreseeable future.

For more insights on Conti ransomware operations:

Phishing Takeaways from the Conti Ransomware Leaks – Part 1

Phishing Takeaways from the Conti Ransomware Leaks – Part 2

5 Tips to Thwart Business Email Compromise (BEC) Attacks

Author: Ronnie Tokazowski

For the 7th year in a row, Business Email Compromise (BEC) is the number one cybercrime by reported losses, according to the FBI IC3 Report. Topping out at an astonishing $43 billion, with victims in 177 countries and money being wired between 140 different countries, it still amazes me that people are more concerned about ransomware and nation-state attacks instead of murderous BEC actors killing in the name of evil spirits.

To add insult to injury, the same actors behind BEC are responsible for $100 billion in SBA fraud and $80 billion in paycheck protection plan (PPP) fraud. This doesn’t even begin to touch the dozens of consumer-based crimes such as check fraud, advance-fee fraud, or romance scams, with over $223 billion now tied back to the exact same scammers.

And that’s just what we know.

Reflecting on seven years of tracking BEC, there’s one major thing that organizations fail to do. It has nothing to do with a shiny box, and nothing to do with buying or selling a service. It’s literally reviewing what you already have.

Here’s your BEC checklist that will mitigate 80% of attacks:

  • Review your financial processes and procedures
  • Define how wire transfers, gift card purchases, and direct deposit requests work
  • Once defined, communicate & follow the process

Most BEC attacks are successful simply because a process breaks down. Someone wired money without checking if they should, a random phone number led to gift cards being sent out, or HR made a one-time exception to update payroll via email instead of pointing employees back to employee portals. The 80% solution to mitigating many types of BEC attacks is simple: review your processes around how wire transfers, vendor master bank account update authorizations, money orders, gift cards, and invoices are to be paid, and follow them.

Here are five tips to get you started on which processes need to be updated:

  1. Maintain a list of known and trusted phone numbers to verify wire transfer requests.
  2. Don’t accept payroll update requests via email. Point users to employee portals to make the changes there.
  3. Establish a gift card purchasing process, and if no one needs to purchase gift cards for the company…then no one purchases gift cards.
  4. Bank accounts rarely change, so clearly define what bank accounts can be used at the beginning of any business relationship. If an account needs to be changed and updated, who is responsible for verifying the new account with an external party? Implement a freeze period on the account update to ensure the bank can verify ownership details.
  5. What is the process for wiring $10,000 / $50,000 / $100,000+ out of the organization? Define and follow a multi-person process to verify transactions before money gets lost.

While updating processes won’t cover every single BEC use case, the vast majority of attacks can be thwarted with these simple changes. Is it better to take a week to do the boring work of reviewing your processes and procedures, or to become an unhappy part of the $223 billion statistic?

If you want to learn more about BEC statistics that we observed in 2021, as well as ways to mitigate this attack, sign up for our next webinar focused solely on BEC attacks.