Beware of fake emails opening doors to cyber crime
By Christopher Chazin, SVP, Head of Treasury & Trade Products & Services, Commercial Banking
There's no escaping email as part of daily communications at home and at work. With email a critical tool for business operations, the sheer volume can be overwhelming: research estimates that users average 121 emails a day.1 That's a lot for busy executives and workers to manage.
Crowded inboxes give cyber criminals ample opportunity to target unsuspecting employees with attacks like phishing. These are fake emails from seemingly legitimate sources that invite recipients to click a link or open an attachment, either of which can plant malware on the company's network.
As cybercrime tactics continue to evolve, organizations must worry about a more targeted form of phishing attack: Business Email Compromise (BEC). This method differs from other phishing attacks as it usually does not contain malware, malicious links, or email attachments.
Instead, cyber criminals impersonate someone the target already trusts and send emails tailored to that specific individual. They aim to get recipients to share confidential information, such as passwords and other credentials, that can then be used to access bank accounts, financial software, and other sensitive data.
Billions in losses each year
Annual BEC losses are estimated to be in the many billions of dollars: the FBI’s 2023 Internet Crime Report2 cites 21,489 reported BEC attacks, amounting to $2.9 billion in losses. And that total might be understated: since the U.S. Department of Justice estimates over 85% of cybercrime goes unreported, BEC losses could exceed $16 billion a year.
The primary goal of BEC attacks is to deceive busy business owners and their staffs into transferring money or sensitive information to the attacker. Perpetrators typically have one of these four objectives in mind:
- Financial Gain: Attackers often impersonate executives or trusted partners to trick employees into making unauthorized wire transfers or payments.
- Data Theft: BEC attacks can also aim to steal sensitive information, such as employee data, financial records, or intellectual property, which can be sold or used for further attacks.
- Credential Harvesting: Some BEC attacks focus on obtaining login credentials to gain unauthorized access to company systems and data.
- Supply Chain Attacks: By compromising email accounts, attackers can manipulate business transactions and intercept payments intended for legitimate vendors.
Because BEC emails impersonate a business owner, CEO, vendor, or employee, they exploit human trust rather than technical vulnerabilities, which makes them especially hard to stop with technology alone and all the more reason to be vigilant.
Often, they will try to convey a sense of urgency and confidentiality. The same lures also arrive by SMS text and voice call, known as smishing and vishing. Keep in mind, too, that many cyber criminals will impersonate a delivery service, especially around the holidays, to get recipients to respond with privileged information.
How to reduce BEC risks in your business
Businesses can take several steps to prevent BEC attacks as well as other types of email schemes, such as phishing exploits and ransomware. The latter can be especially troublesome because a successful attack can shut down business operations by encrypting an organization’s data until a ransom - often in the millions - is paid to the attackers. Even then, the data might not be released or could be altered during the attack.
For all these reasons, here are some key safeguards all businesses should consider:
- Train employees. To protect against BEC attacks, employee training and awareness-building are critical. Both new and long-time employees need to know that unencrypted email is generally not secure and how to recognize suspicious messages. If they encounter a suspicious email, especially an urgent one asking for sensitive information, a payment, or a change of bank details, they should confirm the request by calling a known contact at a phone number already on file, never a number supplied in the email itself, and never by replying to the email. If a message seems out of the ordinary, it may well be a spoof. Employees should also know where to report a suspicious email, such as an IT help desk or other central resource.
- Establish multi-factor authentication (MFA). Require MFA for employee email accounts and, perhaps more importantly, for any critical business system that holds sensitive data, payment systems above all. The extra verification step, such as a one-time passcode (OTP) or a hardware security key, makes a stolen password alone much less useful to an attacker. Be aware that codes sent by SMS or email can themselves be phished in real time, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys for finance staff and administrators. Current NIST guidance (SP 800-63B) recommends against forcing password changes on a fixed 60- or 90-day schedule, which pushes users toward predictable variations; instead require long, unique passwords, screen them against lists of known-breached passwords, and change them immediately when compromise is suspected. Consult with companies that specialize in automated identity and access management tools to ease the burden on IT personnel.
- Authenticate inbound email. Three widely deployed standards let a receiving mail server check whether a message really came from the domain it claims: SPF (which servers may send mail for a domain), DKIM (a digital signature on the message), and DMARC (which ties the two to the visible From address and tells receivers whether to quarantine or reject failures). Publishing them for your own domain stops criminals from sending mail that appears to come from it, and enforcing them on inbound mail blocks the same trick against you. Two caveats: a DMARC record set to p=none only reports and blocks nothing, and these checks do not catch look-alike domains or a legitimate vendor mailbox that has been taken over, which is why the phone call in the first point still matters. A knowledgeable IT person or consultant can help a business set up these safeguards.
- Audit email security regularly. Regular audits of email security practices and updated policies to address new threats can go a long way toward preventing BEC. For instance, many organizations conduct phishing simulations by sending employees fake emails and then tracking how many click the link or enter their credentials. Some email security solutions can review server sign-in logs for unusual login locations or patterns, such as a successful login from a country where the company has no staff or a login that follows a burst of failed attempts. Additionally, penetration testing (aka "pen testing") that simulates a cyberattack can reveal vulnerabilities that can be addressed before a successful attack occurs.
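The inbound-authentication check described above, as an added example rather than code from TD Bank or the article. It assumes the receiving mail server (named mx.acme.example here, a made-up name) has already verified the message and stamped an Authentication-Results header, as most mail servers and hosted mail services do; the company domain acme.example, the vendor domain vendor.example, and the two sample messages are all constructed for the example. It parses that header, checks that a passing SPF or DKIM result is for a domain aligned with the visible From address, and flags a Reply-To that points somewhere else, a common BEC tell.

```python
"""Evaluate an inbound message's SPF/DKIM/DMARC results and sender alignment.
Added example, not TD Bank code. Assumes our MTA ("mx.acme.example", an assumed
name) verified the message and stamped an RFC 8601 Authentication-Results
header. The sample messages below are constructed, not real traffic.
"""
import email
import re
from email import policy
from email.utils import parseaddr

AUTHSERV_ID = "mx.acme.example"  # our own MTA's authserv-id (assumed)
OUR_DOMAIN = "acme.example"      # the domain we are protecting (assumed)

# Vendor mail that passes: SPF, DKIM and DMARC all pass for vendor.example.
LEGIT_MSG = b"""\
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass (2048-bit key) header.d=vendor.example header.s=sel1; dmarc=pass (p=reject) header.from=vendor.example
From: Accounts Payable <ap@vendor.example>
Reply-To: ap@vendor.example
To: treasury@acme.example
Subject: Invoice 4471

Invoice attached, net 30 as usual.
"""

# CEO impersonation: From claims our domain, SPF fails for the real sending
# domain, no DKIM signature, and replies are steered to an outside mailbox.
SPOOF_MSG = b"""\
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail (p=none) header.from=acme.example
From: "Pat Chen, CEO" <pat.chen@acme.example>
Reply-To: "Pat Chen" <patchen.acme@webmail.example>
To: treasury@acme.example
Subject: Urgent wire before 3pm - confidential

In a meeting, please process the attached wire today and keep it quiet.
"""


def _addr_domain(header_value):
    """Domain of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def _org_domain(domain):
    """Approximate the organizational domain as the last two labels (real
    DMARC checkers use the Public Suffix List; this is a simplification)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(domain, from_domain):
    """Relaxed DMARC alignment: same organizational domain as the From."""
    return bool(domain and from_domain) and _org_domain(domain) == _org_domain(from_domain)


def parse_auth_results(value):
    """RFC 8601 header -> {'authserv_id': ..., 'spf': {'result': ...}, ...}."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    out = {"authserv_id": parts[0].split()[0].lower() if parts else ""}
    for stanza in parts[1:]:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if val:  # keep only the domain part of e.g. smtp.mailfrom=user@domain
                props[key.lower()] = val.rpartition("@")[2].lower()
        out[method.lower()] = props
    return out


def check_inbound(raw, authserv_id=AUTHSERV_ID, our_domain=OUR_DOMAIN):
    """Return {'from_domain', 'verdict', 'findings'}; verdict is one of
    'pass', 'suspicious', 'fail' or 'unverified'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _addr_domain(msg.get("From"))
    reply_domain = _addr_domain(msg.get("Reply-To"))
    findings = []
    # Trust only the header our own MTA stamped. The MTA must strip inbound
    # headers that already claim its authserv-id, or a sender can forge a pass.
    results = None
    for header in msg.get_all("Authentication-Results", []):
        parsed = parse_auth_results(str(header))
        if parsed["authserv_id"] == authserv_id.lower():
            results = parsed
            break
    if results is None:
        findings.append("no Authentication-Results from our own MTA; results untrusted")
        return {"from_domain": from_domain, "verdict": "unverified", "findings": findings}
    spf, dkim, dmarc = (results.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom"), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d"), from_domain)
    authenticated = dmarc.get("result") == "pass" or spf_ok or dkim_ok
    if not authenticated:
        findings.append(f"no aligned SPF or DKIM pass for From domain {from_domain}")
        if from_domain == our_domain.lower():
            findings.append("claims our own domain but fails authentication (spoof)")
    if reply_domain and not aligned(reply_domain, from_domain):
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    verdict = "fail" if not authenticated else ("suspicious" if findings else "pass")
    return {"from_domain": from_domain, "verdict": verdict, "findings": findings}
```

Running check_inbound on the two samples gives "pass" for the vendor invoice and "fail" for the CEO message, with findings naming the unaligned SPF/DKIM result, the spoofed company domain and the outside Reply-To. A message carrying only a header written by the sender's own server comes back "unverified", which is why the receiving MTA must strip inbound headers that claim its identity before adding its own.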
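The log review mentioned in the last point, as an added example that is not TD Bank's code or a product feature. The sign-in log lines are constructed for the example and their "timestamp user= country= result=" layout is an assumption; a real mail provider's sign-in audit export will need its own parser. Against those lines it raises the three alerts a reviewer would want: a first login from a new country, a login from a second country too soon after the previous one, and a success that follows a run of failures.

```python
"""Flag unusual sign-in locations and patterns in mail-server login logs.
Added example, not TD Bank code. The log lines are constructed for the
example and the "timestamp user= country= result=" format is assumed; adapt
parse_log() to the sign-in audit export of your mail provider.
"""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-06T08:02:11Z user=jane.doe country=US result=success
2024-05-06T08:40:27Z user=sam.lee country=US result=success
2024-05-06T09:15:03Z user=jane.doe country=US result=success
2024-05-06T23:58:40Z user=jane.doe country=NG result=failure
2024-05-06T23:59:12Z user=jane.doe country=NG result=failure
2024-05-07T00:01:55Z user=jane.doe country=NG result=success
2024-05-07T00:20:09Z user=jane.doe country=US result=success
2024-05-07T07:30:00Z user=sam.lee country=US result=success
"""


def parse_log(text):
    """Parse lines into dicts with a datetime 'time' plus the key=value
    fields, returned in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def find_unusual_logins(events, travel_window=timedelta(hours=6),
                        fail_window=timedelta(minutes=10)):
    """Return (time, user, reason) alerts for successful logins that are:
    1. the user's first success from a country not seen in earlier lines;
    2. a success from a different country within travel_window of the
       user's previous success (impossible travel);
    3. a success preceded by two or more failures within fail_window
       (guessing, or a phished password finally working)."""
    seen = {}          # user -> countries with a prior successful login
    last = {}          # user -> (time, country) of the previous success
    recent_fail = {}   # user -> times of failures since the last success
    alerts = []
    for ev in events:
        user, country, when = ev["user"], ev["country"], ev["time"]
        if ev.get("result") != "success":
            recent_fail.setdefault(user, []).append(when)
            continue
        if user in seen and country not in seen[user]:
            alerts.append((when, user, f"first success from new country {country}"))
        fails = [t for t in recent_fail.get(user, []) if when - t <= fail_window]
        if len(fails) >= 2:
            alerts.append((when, user, f"success after {len(fails)} failed attempts"))
        if user in last:
            prev_time, prev_country = last[user]
            if prev_country != country and when - prev_time <= travel_window:
                minutes = int((when - prev_time).total_seconds() // 60)
                alerts.append((when, user, f"impossible travel {prev_country} -> {country}, "
                                           f"{minutes} minutes after previous login"))
        seen.setdefault(user, set()).add(country)
        last[user] = (when, country)
        recent_fail[user] = []
    return alerts


if __name__ == "__main__":
    for when, user, reason in find_unusual_logins(parse_log(SAMPLE_LOG)):
        print(f"{when:%Y-%m-%d %H:%M}Z {user}: {reason}")
```

The baseline of "known" countries is built from the earlier lines themselves, so the first run over a fresh log will be noisy; in practice seed it from a month of history, and treat the first success after repeated failures from a new country as the strongest signal of a phished password, since that is exactly what a credential-harvesting BEC email produces.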
Of course, remind your employees that no one from TD Bank will ever email, text, or call them asking for account information or user credentials. We're here to help and will work with you to identify fraud-mitigation solutions for your business; just stop by any TD Bank location or call 1-888-388-0408.
RESOURCES
- Fraud tips to keep your business safe.
- Fraud terms you might not know.
- Tips to avoid payment fraud and cybercrimes.
- Additional guidance on fraud prevention.
Member FDIC, TD Bank N.A.