
The simplest approach is to cut out as much of the greedy fat as possible. In past years, Business Email and Mobile App Compromise schemes have caused billions in total losses to thousands of enterprises around the world, according to the FBI. Since January 2015 there has been an 1,800% increase in identified exposed losses, amounting to huge losses per scam. The potential damage and effectiveness of these campaigns compelled the FBI to issue a public service announcement detailing how Email Compromise scams work and how much damage they can cause to targeted employees and companies in both the private and public sectors.

The FBI defines Business Email Compromise as a sophisticated email and app scam that targets businesses working with foreign partners that regularly perform wire transfer payments. Formerly known as the Man-in-the-Email scam, Email Compromise typically starts when a business executive's email account is compromised or spoofed; the fraudster then sends emails to an unwitting employee instructing them to wire large sums of money to foreign accounts, alongside many other creative variations of the scam.

While many cases involve mobile malware, Email Compromise schemes are known for relying purely on social engineering, which makes them very hard to detect. Recent incidents showed how employees were duped by emails masquerading as legitimate messages from company executives asking for information. In recent times, even big-brand email operators have been involved in the breach and mining, surveillance and abuse of end users' email data, in association with governments and large private conglomerates.

Businesses, especially SMEs, are advised to educate employees on how Email Compromise scams and similar attacks work. These schemes do not require advanced technical skills, use tools and services widely available in the cyber-criminal underground, and need only a single compromised account to steal from a business. Some tips on how to stay safe from these online schemes:

Carefully scrutinize all emails. Be wary of irregular emails sent by high-level executives, as they can be used to trick employees into acting with urgency. Review and verify emails requesting funds to determine whether the requests are out of the ordinary.

Raise employee awareness. While employees are a company's biggest asset, they can also be its weakest link when it comes to security. Commit to training employees, review company policies, and develop a good security culture.

Verify any change in vendor payment location with a secondary sign-off by company personnel.

Stay updated on customer habits, including the details of, and reasons behind, payments.

Verify requests. Confirm fund-transfer requests by phone as a second factor, using known, familiar numbers rather than the contact details provided in the email request.

Report any incident immediately to law enforcement and file a complaint with your service provider using direct, non-digital channels.

Avoid using tools like mobile apps or fancy desktop apps for sending and receiving email and for other critical transactions.

Choose custom mail servers operated by ethical operators and service providers, preferably SSL-secured with managed firewalls. We suggest the manual servers of OSS Prime Linuxers.
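As an added defender-side illustration of the scrutiny and verification tips above (example code written for this page, not the post's own or Trend Micro's), here is a small Python triage routine that flags the classic BEC tells in a message: an executive's display name on a mailbox that is not theirs, a lookalike sender domain, a Reply-To that redirects answers elsewhere, and urgent payment language. The corporate domain, executive list and sample message are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr
# Constructed values (not from the post): corporate domain and the executives
# whose display names a BEC lure is most likely to borrow.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT = {"wire", "transfer", "payment"}
URGENCY = {"urgent", "immediately", "today"}
WORDS = re.compile(r"\b(" + "|".join(PAYMENT | URGENCY) + r")\b", re.I)

def near_domain(a, b, limit=2):
    """True if domain a is within `limit` single-character edits of domain b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1] <= limit

def triage(raw):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    findings = []
    # 1. An executive's display name on a mailbox that is not the executive's.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name impersonates executive")
    # 2. Sender domain is a near-miss of the corporate domain (e.g. examp1e.com).
    if from_dom != CORP_DOMAIN and near_domain(from_dom, CORP_DOMAIN):
        findings.append("lookalike sender domain")
    # 3. Replies are silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        findings.append("reply-to domain differs from sender")
    # 4. A payment request paired with pressure to act now.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hits = {w.lower() for w in WORDS.findall(msg.get("Subject", "") + "\n" + body)}
    if hits & PAYMENT and hits & URGENCY:
        findings.append("urgent payment language")
    return findings

# Constructed lure for demonstration; every address here is fictitious.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jdoe@freemail.example>
Subject: Urgent wire

Please process this wire transfer today. Keep it confidential.
"""
```

Any non-empty result is a cue for the out-of-band phone check the tips recommend, not an automatic block.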

Ref. Trend Micro / osspl.com
