Just a few days ago, the Los Angeles District Attorney's office warned against "juice-jacking" attacks, in which malicious payloads are deployed onto smartphones while they are being charged. The perpetrators use public USB charging stations to carry out such attacks. Now another growing threat has come to light, one that allows hackers to "hijack" your emails.
What are BEC attacks?
Email hijacking is neither unheard of nor very new, but it has been a very active threat, and business emails in particular have been a hot target for hackers worldwide. Attacks that primarily target business emails are known as 'business email compromise' (BEC) attacks.
Recently, IT security company Barracuda Networks released a new report titled "Spear Phishing: Top Threats and Trends Vol. 3 - Defending against business email compromise attacks." The report highlights some key findings surrounding BEC attacks and the steps users can take to safeguard their business emails against these attacks.
In the report, the leading data and email security company details the various tactics used by hackers to carry out these spear-phishing attacks. The "tricks" include convincing impersonation, strategic targeting, careful timing and social engineering to hijack emails in order to steal money or elicit vital information.
Businesses and organizations are at risk
The report suggests that although individuals are at risk, businesses and organizations are at a higher risk of falling victim to such highly targeted attacks, since they can lose not only money to hackers but also confidential information that could be available in their emails.
In a press release, Don MacLennan, Senior VP of email protection, engineering and product management at Barracuda, emphasized how learning about the various ways cybercriminals initiate BEC attacks can help businesses and organizations avoid falling prey.
He says: "Attackers continue to find new ways to make business email compromise attacks more convincing, ultimately making them more costly and damaging to businesses. Taking the proper precautions and staying informed about the tactics cybercriminals are using will help organizations defend themselves more effectively against these highly targeted attacks."
How these attacks work
According to the report, as many as 91 per cent of all BEC attacks take place on weekdays, and the hackers behind these attacks usually send the phishing emails to their target organizations during business hours in order to make them seem more convincing and less intrusive.
Barracuda also observes that a typical BEC attack targets no more than six employees of an organisation, and 94.5 per cent of these attacks targeted fewer than 25 people.
The emails are often labelled as "urgent" or high priority in order to get a fast response from the victims. The report claims that as many as 85 per cent of all BEC attacks are urgent requests.
Business email compromise attacks are also highly likely to be clicked or opened, as they have very high click-through rates. As per the report, one in ten spear-phishing emails is successful in tricking its target into clicking on the mail. Worse, the chances of a phishing email being clicked become thrice as high when the attack impersonates someone within the organisation.
How big are the BEC attacks?
According to the Barracuda Networks report, over the last year, businesses and organizations have lost an average of $270,000 to the attacks. However, data from the FBI suggests that the attacks have looted as much as $26 billion from various organizations over the past four years.
What should you do to avoid BEC attacks?
Although one can hardly tell whether an email just received is a phishing email, there are certain precautionary measures that businesses can have in place, such as proper communication within the organisation and the use of strong antivirus, anti-phishing and other email protection tools, which are available from leading internet security providers.