If you work at any organization, chances are you've had an email ID assigned to you. Employees use it for everything, whether communicating with clients or internally.
This streamlined communication, however, comes with its own set of issues that cost organizations billions of dollars. What exactly is the issue with these email IDs? Can it be resolved? Should employees be scared? Today, we'll dive deep into business and vendor emails and how they affect organizations around the world.
What are Business and Vendor email IDs?
Before we explain the issue, let's briefly go over what we're dealing with. Business emails, as the name suggests, are email IDs provided by organizations to their employees. Each one ends with the organization's own domain name. This helps employers manage the email infrastructure better and also maintains the credibility of the employee. Vendor emails are much the same, but instead of employees, they are used by vendors who deal with different stakeholders.
Let's explain this with an illustrative example. Gerard is an employee at Cybercrypt with a business email ID: firstname.lastname@example.org (note: the domain name is the company name). He is responsible for the payments department. Cybercrypt has a vendor, Wirescript, who provides them with, you guessed it, wires for their cybersecurity infrastructure. With this example in mind, let's head to what could go wrong in this entire system.
What's the issue with business email IDs?
The problem at hand, in a word, is "scams." More precisely, it's Business Email Compromise (BEC). This cybersecurity attack involves the impersonation of an employee, usually at a higher rank, for more authority and damage. Attackers may get control of that employee's email ID by using malware or phishing attacks. In some cases, they instead make a small change to the email ID, keeping it as close as possible to the official one, hoping that the recipient doesn't notice. They then use this to get further data or financial favors from employees. The attack is carried out over some time, so it tends to be well researched.
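The near-match address described above can be checked mechanically. The following is an added example, not part of the original article: it flags sender domains that sit within a small edit distance of a trusted domain, or that equal one once digit-for-letter swaps are undone. The domains, the threshold of 2 and the substitution table are assumptions constructed for illustration.

```python
# Added example: flag sender domains that nearly match a trusted domain.
# TRUSTED_DOMAINS and every address used with it are constructed values.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"cybercrypt.example", "wirescript.example"}

# Digits often substituted for letters in a near-match domain (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, keeping only one previous row in memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'external'."""
    _, addr = parseaddr(from_header)       # display name is ignored on purpose
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = domain.translate(HOMOGLYPHS)
    for trusted in sorted(TRUSTED_DOMAINS):
        # Near miss by typo, or identical once digit swaps are undone.
        if folded == trusted.translate(HOMOGLYPHS) or edit_distance(domain, trusted) <= 2:
            return f"lookalike:{trusted}"
    return "external"
```

A check like this only covers altered addresses; mail sent from a genuinely compromised mailbox is classified as trusted, which is the vendor email compromise case discussed later.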
Take, for example, an email that appears to come from Anna, the CEO of Cyberscriptered, asking Gerard to make a bank transfer immediately to a client's new bank account. Gerard didn't notice that the email ID was email@example.com instead of firstname.lastname@example.org. The urgency of the email made him transfer the amount. As we mentioned, the higher the rank of the impersonated individual, the more likely the transaction will occur. One misstep, and poof! The money has been sent into the accounts of cybercriminals.
How bad is it?
In 2021 alone, business email compromise cost companies around $2.4 billion, as per an Internet Crime Report by the Federal Bureau of Investigation (FBI). That's a huge loss through scams.
And vendor emails? The problems are similar but have more elements to them, which we'll uncover below.
What's Vendor Email Compromise (VEC)?
As you would have guessed, it is a type of BEC where the cybercriminal takes over a vendor account. Let's say the payment department of our illustrative vendor Wirescript has their email ID compromised with social engineering tactics. The hacker did their research and knows exactly when they send an invoice to Cyberscriptered. The hacker sends an email to Gerard on the exact same day but tells him to reroute the payment to another account. Gerard had already gotten into trouble earlier, so he checked the email ID, and it was the right one. The payment was sent through; this is how vendor email compromise scams operate. In most cases, the companies don't cross-check the invoices. This is especially true in bigger companies that would go through hundreds of such invoices every month. The average amount requested in wire transfer BEC attacks increased from $48,000 in Q3 2020 to $109,467 in Q2 2022 (SOURCE). That's a whopping 128% increase! So, it's no surprise that this isn't going away anytime soon.
What can companies do to prevent these VEC attacks?
The most critical aspect is to raise cybersecurity awareness in the organization.
These attacks are successful as they operate more on human emotions and errors than computers. Unless employees know these things could happen, they wouldn't be aware enough to avoid them. Some actionable tips would be:
Turning on multi-factor authentication (MFA) for all company email IDs. This serves the purpose of additional security, even in the unfortunate case where an employee's credentials are stolen. The hacker would be unable to access the emails or system without the MFA being completed. Also, setting up a strong password is always the best practice.
Guidelines for Vendor Payment or any fund transfer. Before any monetary transfer, no matter how urgent, the source and identity of the vendor/receiver should be confirmed. One way could be calling VERIFIED phone numbers to confirm urgent requests before transferring funds. This should be done if there is any change in the receiver's banking details. It may sound inconvenient, but it's better than wrongly transferring funds. Also, try to choose trusted vendors who also follow strict cybersecurity protocols.
Leave it to the experts. Even after taking the best measures, data leaks could expose employees' credentials and cause financial damage. You could choose professional services like those of MailToken, which is a product of MailSPEC. Our ANSSI-certified security products would bring peace of mind.
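The vendor payment guideline above can be enforced in the payment workflow itself. The following is an added example, not part of the original article: a request whose account differs from the vendor record is released only after a callback to the phone number already on file. The record layout, field names and all values are assumptions constructed for illustration.

```python
# Added example: a bank-detail change is released only after a callback
# to the number already on file. All names and values are constructed.
from dataclasses import dataclass
from typing import Optional

# Vendor master record, maintained outside email (hypothetical structure).
VENDOR_MASTER = {
    "wirescript": {"account": "XX00 TEST 0000 0001", "phone": "+00 555 0100"},
}


@dataclass
class PaymentRequest:
    vendor_id: str
    account: str                           # account named in the invoice or email
    callback_number: Optional[str] = None  # number staff actually called, if any


def normalize(value: str) -> str:
    """Drop spacing and case so formatting alone never looks like a change."""
    return "".join(value.split()).upper()


def review_payment(req: PaymentRequest) -> str:
    """Return 'pay', or 'hold:<reason>' when the request must not be paid yet."""
    record = VENDOR_MASTER.get(req.vendor_id)
    if record is None:
        return "hold:unknown vendor"
    if normalize(req.account) == normalize(record["account"]):
        return "pay"
    # Account differs from the record: a correct sender address proves nothing
    # here, because the vendor's own mailbox may be the compromised one.
    if req.callback_number is None:
        return "hold:call number on file"
    if normalize(req.callback_number) != normalize(record["phone"]):
        return "hold:callback used unverified number"
    return "pay"
```

The callback number is compared against the vendor record, so a phone number supplied in the same email as the new account cannot satisfy the check.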
Ever since things have moved to a hybrid and remote working environment, cyberattacks have skyrocketed.
You shouldn't be scared, but you definitely NEED to be more attentive compared to Gerard from Cyberscriptered.
The business isn't going anywhere, nor are the business emails or the cybercriminals. However, taking precautions and signing up for the right services can prevent catastrophic damage to companies from BECs and VECs.