One of the largest insurance companies in the world has reported* that business email compromise (BEC) now tops the list of cyber threats. In 2017, BEC accounted for 11% of cyber security insurance claims. That number grew last year to 23%, with ransomware in second place at 18% and data breaches by hackers or employee negligence at 14% in third.
The report highlights our trust in email and its availability on multiple devices as the main reasons for such an increase. With more sophisticated phishing emails being sent, the rise in this form of hacking has been reflected in a rise in insurance claims.
Common tactics used by hackers involve using a CEO, director or senior manager’s name with a spoof email account or posing as a supplier sending through information or an invoice. These emails can be very convincing with logos, names and even different spelling for US or UK victims. In short, cyber criminals are using social profiling in emails to convince their victims of their authenticity.
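As an added example (not part of the original post), a simple inbound-mail check for the tactic just described: it flags messages whose display name matches a senior manager but whose address is external, and addresses on look-alike versions of the company's own domain. The executive names, domains and sample headers are constructed placeholders, and the check assumes SPF/DKIM have already been verified upstream.

```python
from email.utils import parseaddr

# Constructed placeholder data: the organisation's senior staff and its own sending domains.
EXECUTIVES = {"jane doe", "john smith"}
COMPANY_DOMAINS = {"example.co.uk"}

# Constructed sample From: headers as they might arrive at a mail gateway.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.co.uk>",        # genuine internal mail
    "Jane Doe <ceo.janedoe@gmail.com>",         # CEO name on a free webmail account
    "Accounts <invoices@examp1e.co.uk>",        # supplier-style invoice from a look-alike domain
    "Jane Doe <jane.doe@exarnple.co.uk>",       # both tricks at once ("rn" for "m")
]


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e, exarnple, ...)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header):
    """Return the reasons a From: header looks like BEC impersonation (empty if none)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if domain in COMPANY_DOMAINS:
        return reasons  # internal sender; authenticity is for SPF/DKIM, not this check
    if name.strip().lower() in EXECUTIVES:
        reasons.append("executive display name from external domain")
    for own in COMPANY_DOMAINS:
        if 0 < _edit_distance(domain, own) <= 2:
            reasons.append(f"look-alike domain for {own}")
    return reasons


def flag_mailbox(headers=SAMPLE_HEADERS):
    """Map each suspicious header to its reasons; clean headers are omitted."""
    return {h: assess_sender(h) for h in headers if assess_sender(h)}


if __name__ == "__main__":
    for header, reasons in flag_mailbox().items():
        print(header, "->", "; ".join(reasons))
```

Flagged messages are candidates for quarantine or an external-sender banner, not proof of fraud on their own.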
What is social profiling?
Cyber criminals scour the internet and social media sites to gather information on selected individuals to build an impression from words, photos, language, etc. to mimic them online. This practice has been used in the past as a form of identity theft.
When you write an email or social media post, you might write something which is unique to you. The way you start to write an email or the type of greeting you use can depend on which country you’re in, e.g. English v American spellings. This builds a profile of how you engage with others within your professional or personal life.
Criminals don’t discriminate according to the size of the business. They are equally keen to target large multi-nationals, medium-sized and small businesses for financial gain. Professional service firms, such as solicitors, top the list - rising from 18% to 22% between 2017 and 2018. AIG’s report discusses a lack of sophistication in the cyber security used by professional services firms and notes that criminals target them because that’s where they can make the most money. Financial services is now the sector with the second-highest number of cyber claims.
How can I better protect my business?
AIG will be keen for businesses to invest in the correct form of insurance but there are obviously preventive measures that can be taken too. While most businesses are utilising some form of combined anti-virus and firewall protection, we still hear of breaches occurring through compromised emails, so we recommend enabling some form of multi-factor authentication (MFA) to help combat BEC.
Modern MFA solutions use mobile devices as the secondary authenticator to help keep your login secure. This was the topic of an earlier blog written by my colleague Chris Wheeler, entitled: Why Office 365 multi-factor authentication is the enemy of hackers. You could also consider installing a cloud security service, such as Cisco Umbrella, so you can block suspect domains from infecting your network from any of your corporate devices, whether they are used on or off site.
If you feel you need help in preventing BEC, please do not hesitate to contact me via LinkedIn or via my email address below.
*AIG’s 2019 Cyber Claims Report