Для тех, кто интересуется безопасным доступом к онлайн-играм, наш партнер предлагает зеркало Вавады, которое позволяет обходить любые блокировки и сохранять доступ ко всем функциям казино.

Inside a Business Email Compromise Operation

A new report from cybersecurity company Agari’s Cyber Intelligence Division outlines the operations of a business email compromise (BEC) gang in West Africa, showing that criminals who engage in BEC online theft can have a diverse portfolio of online criminal activity that they use to build their capabilities, and use sophisticated methods to scam their victims, including businesses and government agencies.

BEC is a cyberfraud tactic in which a scammer will contact a target using phishing emails imitating a fellow employee of the target (often someone in the finance department or management) usually seeking to convince the victim to conduct a business transaction, most likely a money transfer to an account run by the scammer. The scammers may also try to trick their victims into clicking a link in an email or visiting a scam website, which could provide the scammers with the victim’s online credentials or download malware onto the victim’s computer and gain access to their company’s network.

As Risk Management previously reported, Beazley Breach Response Services found that BEC-related attacks cost victims an average of $70,960, but the FBI’s Internet Crime Complaint Center has estimated that the total “revenues” of BEC attacks doubled in 2018 to $1.3 billion. BEC attacks are also extremely common—approximately two-thirds of IT executives are reportedly dealing with them.

Agari’s report, titled “Scattered Canary: The Evolution of a West African Cybercriminal Startup,” shows that cybercriminal gangs diversify their criminal schemes, using their established infrastructure from one type of scam to facilitate others. Agari researchers named the group Scattered Canary and compared it to a tech startup because of its recruitment and expansion strategy. Scattered Canary has pursued a variety of different criminal social engineering efforts, including:

  • Romance scams: Creating a fake online romantic relationship with a victim and requesting gifts, access to their bank or retirement accounts, or services related to other scams.
  • Check fraud: A scammer offers to purchase an item for more than its advertised price with a check (which is fraudulent), then requests that the seller send the extra amount to a third party (a fictional shipping company, for example).
    buy cellcept online blockdrugstores.com/wp-content/uploads/2023/10/jpg/cellcept.html no prescription pharmacy

  • Credential harvesting: Tricking victims into providing their online credentials, including log-in information for online financial services.

Agari says that Scattered Canary built up a network of members and the skills to easily transfer from one scheme to another.

buy zetia online blockdrugstores.com/wp-content/uploads/2023/10/jpg/zetia.html no prescription pharmacy

The group has used multiple BEC tactics over time, transitioning from tricking employees into carrying out wire transfers from their companies’ bank accounts to convincing victims to buy gift cards that scammers would then cash out via cryptocurrency exchanges.

buy levofloxacin online blockdrugstores.com/wp-content/uploads/2023/10/jpg/levofloxacin.html no prescription pharmacy

More recently, the group has targeted human resource departments to change the direct deposit information for a company’s executive, then cashed out the deposits using prepaid debit cards.

Businesses should train their staff at all levels on how to spot BEC and other types of online scams. If employees can recognize phishing emails and websites, and know not to click links or provide information in response to either, this can protect companies from fraud and significant financial loss. In addition to training staff, the FBI suggests always verifying requests to send money, even if the email requesting the transfer is urgent, by speaking directly to the person who seems to be requesting the money on the phone (using the previously known number, not the one provided in the email) or in person. The FBI also suggests setting up filters that flag email addresses that are similar to the company’s email, and creating an email rule that notes emails coming from outside the company, among other technical steps.

For more from Risk Management about controlling the risks of BEC and other social engineering fraud, check out:

Curb Phishing Damage with a New, Human Approach to Bad Habits

phishing
In the first quarter of 2016 alone, more than 40 organizations, including Snapchat, Moneytree and Sprouts Farmers Market, acknowledged they were victims of phishing attacks. The attacks came via emails seemingly sent from CEOs to their own human resources and accounting departments. In reality, these emails were sent by cybercriminals attempting to steal vital personal and financial information from companies and their employees.

The FBI estimates that phishing attacks have cost companies more than $2.3 billion in losses over the past three years, and since January 2015 alone, the agency saw a 270 percent increase in identified victims and exposed losses from CEO scams.

Recipients who “take the bait” by responding to a phishing email often provide scammers with all the necessary information to perpetrate identity theft, including filing a tax return in someone else’s name. Clicking a link or opening an attachment may also launch malware-intrusive software and seriously compromise the system by initiating malicious background programs.

The stakes are high and regardless of your organization’s size, you are always at risk for an attack. In fact, the Anti-Phishing Workgroup discovers more than 40,000 unique phishing sites targeting about 500 brands per month, while the Department of Defense and Pentagon report receiving up to 10 million phishing attacks each day.

The success of attacks varies, with 30% to 60% of incidents resulting in victimization, according to a 2013 Verizon Data Breach Report. A phishing attempt’s success or failure, however, rests beyond a scammer’s ability to infiltrate the cybersecurity infrastructure of an enterprise.

Your organization’s susceptibility really comes down to your people. Even with training, vulnerabilities depend on a combination of employees’ awareness levels and enduring personal habits, according to research by University at Buffalo (UB).

Companies can implement more effective cyber preparedness measures only when they better understand the ways that their employees think and behave. As phishing attacks continue to evolve and become more sophisticated, the most successful employee cyber defense strategies should involve two critical components: 1) a combination of cutting edge training and testing and 2) support programs to alter the unconscious human behaviors that compromise cybersecurity.

Currently, most businesses train employees to recognize phishing attempts by identifying key elements in an email message, such as finding the sender’s address, noticing hyperlinks and recognizing clues like typos or awkward language. But research has shown that those efforts fail to sustain positive results because organizational training focuses on situational reactions while ignoring employees’ existing habits, which are difficult to break.

For example, an employee may successfully identify suspicious emails when prompted in a training session. When it comes to an average Monday morning, however, opening every email to clear their inbox may be a strong habit that training simply does not offset. Phishing is largely successful for this precise reason. Perpetrators take advantage of individuals who are habitual in the way they respond, despite any awareness they may have developed or gained in training, according to UB findings.

Many employers complement this basic training with follow-up penetration testing to evaluate whether employees recognize the warning signs of a cybersecurity threat in practice. Organizations may send a mock email with red flags that indicate a potential phishing attack, such as a compelling subject line like “Your computer is at risk.” Once opened, the recipient sees that the message is from the employer with a warning about how similar future messages could pose risks.

Penetration testing, however, doesn’t work in the long run because it also fails to acknowledge habitual actions and attempts to change a person’s behavior by simply encouraging them to do more of the same behavior.

Organizations can actually address the bad habits by identifying employees who are most susceptible to phishing and exposing them to higher levels of education with an emphasis on creating better tailored interventions that address the underlying “why” that drives people to fall prey to phishing time and again.

Continuously testing employees can be helpful; however, a company’s security training program must also attempt to adjust the daily unconscious behavior of employees that puts networks at risk. Companies need to provide their employees with a relatable (non-security/IT) team member/colleague to demonstrate what responsible cyber behavior looks like day in and day out.

One way to accomplish this is to create an internal cyber ambassador program that identifies employees who have proven themselves to have especially strong cyber awareness.

buy imodium online www.nicaweb.com/images/layout1/gif/imodium.html no prescription pharmacy

These employees should be selected from teams such as accounting, sales, HR and administrative support, that are typically vulnerable to phishing attacks.

Cyber ambassadors are responsible for promoting cyber best practices within their own teams. This type of program creates a platooning effect, where employees subconsciously emulate the behavior of their ambassador/team member, resulting in a safer cyber environment.

While employees can be your greatest weakness, they can also be your strongest asset in thwarting phishing attacks. Training employees to identify a phishing attempt—either before or after falling victim to an attack—is only half the battle.

buy cipro online www.nicaweb.com/images/layout1/gif/cipro.html no prescription pharmacy

By better understanding the mechanisms behind employee susceptibility, companies can anticipate individuals most at risk, create dynamic security and training policies that promote safe cyber behavior patterns, and alter employees’ habits through colleague support programs.

buy lasix online www.nicaweb.com/images/layout1/gif/lasix.html no prescription pharmacy