Page 70 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Before conducting these BEC schemes, the threat actors do their homework. They peruse the company
website, social media pages, media coverage, and other publicly available data sources to collect
information on their target organization. This research may include details about executive and high-level
employees, new hiring announcements, travel plans or similar out-of-office notifications, company news,
and other notable projects or events. In the CEO fraud example, they will identify key targets and spoof
a trusted persona to ensure the best chance of success. These scams have even evolved to include
SMS text messages, personal emails or social media accounts, and personal devices, such as cell
phones.
Cybercriminals use the information collected to target employees and persuade them to divulge
confidential information or sensitive data that bad actors may use for fraudulent purposes.
Common BEC goals include convincing employees to click a link and enter their log-in credentials, send
sensitive data, perform a financial transaction (wiring money, purchasing gift cards), or open malicious
attachments.
Other types of Business Email Compromise:
CEO Impersonation: as mentioned above, this tactic involves spoofing a message from an executive
requesting that employees perform some action, such as sending a wire or other financial transaction,
providing employee W-2s, purchasing gift cards, etc.
Fake Invoice Scams: attackers spoof an email carrying an invoice from a vendor or third party that the
organization regularly works with, but with updated payment information.
Data Theft: HR personnel are targeted to obtain sensitive data such as employee or company tax
information, or attackers pose as employees and send new payroll direct deposit instructions.
Account Compromise: email accounts are compromised and used to send out invoices or requests
for payment to attacker-controlled accounts.
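As an added example (not part of this article), a small defender-side triage check in Python that flags the warning signs of the BEC variants listed above: an executive's display name on an unexpected address, a lookalike sender domain, a redirected Reply-To, and payment-request wording. The organisation domain, executive list and sample messages are constructed assumptions, not real data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data for this example (hypothetical names and domain).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address
REQUEST_WORDS = re.compile(r"\b(wire|gift cards?|urgent|w-2s?|direct deposit)\b", re.I)

def edit_distance(a, b):
    # Levenshtein distance; a distance of 1 flags lookalikes such as examp1e.com
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    # Return the BEC warning signs found in one RFC 822 message (list of strings).
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    if name in EXECUTIVES and addr != EXECUTIVES[name]:  # CEO impersonation
        findings.append("executive display name on unexpected address " + addr)
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) == 1:  # lookalike
        findings.append("lookalike sender domain " + domain)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:  # replies silently redirected
        findings.append("Reply-To differs from From: " + reply_to)
    text = msg.get("Subject", "") + " " + msg.get_payload()
    words = sorted({m.group(0).lower() for m in REQUEST_WORDS.finditer(text)})
    if words:  # payment/data-request language typical of BEC lures
        findings.append("request language: " + ", ".join(words))
    return findings

# Constructed sample messages (not real mail).
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.invalid
Subject: Urgent wire

Are you at your desk? I need a wire sent before noon, details to follow.
"""
SAMPLE_OK = """From: Jane Doe <jane.doe@example.com>
Subject: Town hall
"""
```

Running bec_indicators(SAMPLE_SPOOF) returns four findings, while the legitimate SAMPLE_OK returns an empty list; in practice the executive list and domain would come from the directory, and the findings would feed a quarantine or user-warning banner rather than a hard block.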
If an employee falls for these tactics, it could result in damage far beyond personal embarrassment.
Providing passwords to bad actors, sending funds or sensitive data to an attacker, and ransomware
delivered through the click of a link can all have wide-reaching effects on the entire organization.
Implementing Comprehensive Cybersecurity
We often come back to the pillars of comprehensive cybersecurity: leveraging people, processes, and
technology to defend against current and future threats. Applying an adaptable approach to CEO fraud
and other BEC scams can go a long way in protecting organizations from evolving tactics, especially with
the new challenges of working in a hybrid or remote world.
Employees are often the first and last line of defense against cyberattacks like BEC. They should receive
proper training and guidance to recognize and respond to potential threats. Conducting cybersecurity