A company lost one million dollars after some of its customers fell for a business email compromise (BEC) scam.
Check Point's Daniel Wiley and Mark Dropkin first heard about the incident a few weeks back. At that time, the company reached out to Check Point and explained that an attacker had compromised the credentials of one of its employees in the Finance department. They then abused those credentials to gain unauthorised access to the employee's account and send out emails requesting that the company's customers send their payments to a bank account operated by the attackers.
Some of the customers complied, which resulted in the attackers making off with one million dollars owed to the company.
Wiley and Dropkin elaborate on how the attackers obtained the employee's credentials:
"Since the client outsources its mail services to a cloud mail service provider, only the provider can investigate such an attack. Taking our advice, the company requested the logs for the user in question. The cloud provider claimed the credentials were stolen by a drive-by attack, but did not provide any information about how it reached this conclusion. Regardless, the end result was that somehow an outsider gained access to the mail system and was able to instigate the diversion of funds."
Since October 2013, the FBI has received complaints from more than 22,000 different companies detailing how attackers compromised their employees' email accounts and abused that access to issue fraudulent wire transfers.
Those scams cost victims a total of $3.1 billion worldwide.
Fortunately, where there's a scam, there's always a way to defend against it.
Companies can protect against BEC scams by developing security policies that, for instance, require customers to finalise a payment over the phone. To enforce those policies, they need their employees' full cooperation. They also need to train their workforce about the threats of phishing and ransomware attacks.
Does this type of educational program sound of interest to your organisation?