When most organizations think about computer hacking, it tends to be in high-level, advanced technology terms. Screens of green cascading code, Matrix-style, and the most sophisticated software and methods that currently exist. The hacker has entered the public and the corporate consciousness as a shadowy figure, capable of remarkable feats of programming, essentially a computer ninja.
However, some of the most successful and lucrative hacks these days are far more low-tech and rely on social engineering, trickery, and basic human nature, rather than complicated hacking.
Spoofed emails have become one of the most problematic cases of fraud for businesses, and are increasingly difficult to guard against. At their core, they are devastatingly simple.
An email comes in from the company Chief Executive to the finance officer, confirming an agreement has been reached and requesting the transfer of previously agreed funds to a specific account to seal the deal. The finance officer acts on the CEO’s instructions, sends the money and thinks nothing of it.
It is only later, when it turns out that the money has never made it to its proper destination and the CEO knows nothing about the confirmatory email, that the hack and the fraud are discovered.
Last year a company lost $8 million in exactly this fashion, while 281 suspected hackers were arrested in 10 different countries in global operations against cybercrime of this nature. As of 2019, an estimated $26 billion had been lost to these sorts of emails over the previous three years, according to the FBI.
The scams are known as CEO fraud or Business Email Compromise (BEC), and the effectiveness of this fraud lies in its simplicity. Hackers simply spoof the CEO’s email address and target junior members of staff with an urgent message that gives them no cause for alarm. Who would suspect a fraudulent email from their CEO?
BEC hackers have a good sense of how their targets work, aiming for less protected members of staff, and sending emails at specific times of the day and week when people are less likely to be vigilant. When dealing with your weekend backlog on a Monday morning there’s far more chance of you overlooking something slightly off, particularly if it’s before your morning coffee!
CEO fraud is not just limited to dodgy emails, either. The huge improvements in artificial intelligence have allowed scammers to use voice technology to convincingly imitate senior members of staff in an organization, and carry out similar attacks and scams over the phone. These are even more dangerous: while you MIGHT be suspicious about an email, if your boss rings you and tells you to get a money transfer done ASAP, you aren’t going to question it!
So what can organizations do about these low-tech yet sophisticated hacks? Safe words for CEOs to verify identity are something we recommend. Giving senior members of staff a particular code that confirms significant decisions, like large money transfers, can head off the worst of the attacks.
More than anything, employee education and awareness are fundamental. As with so many cyberattacks, even ones far more technologically sophisticated than BEC attempts, the outcome often hinges on human error, or even just normal human behavior. Training staff in the latest cybercrime techniques, and teaching your employees to question everything and always adhere to protocol, is vital in protecting your business against hacks, fraud, and cybercrime.
For more information on the latest hacking techniques and cyber attacks, get in touch, and speak to CompuVision’s team of experts. We can provide advice and assistance for your business, help protect your organization, and prevent the worst from happening.