In May of 2022, the FBI published a report stating that Business Email Compromise (BEC) accounts for over $43 billion in losses internationally. In the "2022 State of Email Security Report" from Mimecast, a poll of 1400 organizations showed that 96% of participants had experienced targeted phishing attacks, with 79% of organizations seeing heavier email volume and 75% seeing an increase in email-based threats overall.
Based on these reports, phishers have tapped into a highly lucrative income stream, and they continue to profit simply by sending out millions of emails a day, knowing that it only takes one click to produce a potential financial windfall.
How does an organization protect itself from this extremely prolific attack vector? Protecting your company from phishing starts with the basics: greater employee awareness of the threat through mandatory company-wide cybersecurity training, ongoing phishing simulation training and, finally, good cybersecurity hygiene practices such as multifactor authentication, named user accounts and no password reuse across sites. Additionally, users must be trained never to take financial action (such as sending a wire transfer or changing a person's direct deposit details) based on an email alone. Businesses should adopt a hard rule that requires the recipient of a message requesting financial action to contact the sender at a known-good number (for example, one listed on the company website) to verify the legitimacy of the request.
Phishing awareness training, including phishing simulation, is one of the most effective ways to help your staff understand the threats they face while also helping them spot the red flags commonly associated with phishing scams. These red flags can include grammatical errors, emails sent well outside normal business hours, emails claiming to be from a high-level executive within the business asking you to do something urgent such as buying gift cards, or links that resolve to illegitimate sites when you hover over them. While these red flags may seem obvious enough, remember that attackers know the value of a well-crafted phishing message and work hard every day to make their malicious emails harder to spot. As attackers become more advanced, so must our methods of thwarting them.
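As an added illustration (not code from the original post), the following Python script checks a constructed sample message for several of the red flags just listed: an executive's name on an outside domain, a send time outside business hours, urgent financial language, and a link whose visible text points somewhere other than its real target. The internal domain, executive titles, keyword list and business hours are assumptions that an organization would tune to its own environment.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real message) showing the red flags described above.
SAMPLE_EML = """\
From: "Jane Doe, CEO" <ceo.jane@mail-example.net>
Date: Tue, 07 Jun 2022 03:12:00 +0000
Content-Type: text/html; charset=utf-8

<p>I need you to buy gift cards urgently and send me the codes.</p>
<p>Sign in at <a href="http://portal.example.net/login">https://portal.example.com</a></p>
"""
INTERNAL_DOMAIN = "example.com"            # assumption: the organization's own mail domain
EXEC_TITLES = ("ceo", "cfo", "president")  # assumption: titles attackers like to impersonate
URGENCY_WORDS = ("urgent", "gift card", "immediately", "wire transfer")
BUSINESS_HOURS = range(7, 19)              # assumption: 07:00-18:59 in the header's own time zone


class LinkCollector(HTMLParser):
    """Pair each link's visible text with its real target (what hovering over it reveals)."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None:  # first text chunk inside an <a> is its visible label
            self.links.append((self._href, data.strip()))
            self._href = None


def phishing_red_flags(raw_message):
    """Return the names of the red flags found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    if any(t in sender.display_name.lower() for t in EXEC_TITLES) and sender.domain.lower() != INTERNAL_DOMAIN:
        flags.append("executive_name_external_domain")
    if msg["Date"].datetime.hour not in BUSINESS_HOURS:
        flags.append("outside_business_hours")
    body = msg.get_content()
    if any(w in body.lower() for w in URGENCY_WORDS):
        flags.append("urgent_financial_request")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:  # only compare when the label itself looks like a URL
        if "://" in text and urlsplit(text).hostname != urlsplit(href).hostname:
            flags.append("link_text_mismatch")
    return flags
```

Run against the constructed sample, all four flags are raised; a clean internal message from a colleague during business hours with an honest link returns an empty list.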
Outside of phishing simulation and cybersecurity awareness training, solid cyber hygiene habits are the next best line of defense against Business Email Compromise. These best practices include using multifactor authentication to further protect your accounts, ensuring that each email user is unique rather than a generic account shared by multiple individuals, and using a unique password for each website rather than the same password across the board.
If you would like to learn more about how to protect your business from Business Email Compromise, please contact us; we would love to help you implement the solutions and best practices mentioned above.