The Growing Threat of Business Email Compromise


“In the good old days when I started my career, my life was much easier,” said Issam Zaghloul, CISSP, CISA, CGEIT, Head of Information Security at Majid Al Futtaim Holding. He has been working in the cybersecurity field in one way or another for the last 16 years. The work was easier, he explained, because there wasn’t as much data to track, and it was all stored in centralized locations. In other words, things were simpler and much more straightforward.

Today, however, we eat data for breakfast, according to Zaghloul, and our systems for tracking, moving and storing data have become infinitely more complex. The world of cybersecurity has grown more unruly as a result. To impress upon his audience the magnitude of this issue, Zaghloul shared a collection of staggering statistics about cybercrime with delegates who attended the 2018 ACFE Fraud Conference Middle East in Abu Dhabi.

  • By 2021, cybercrime will cost the world $6 trillion.
  • In 2016, 15.4 million consumers were victims of identity theft.
  • In 2017, a new malware was discovered every 3.8 seconds.
  • 90% of cyberattacks involve the use of phishing.

That last statistic ties into the main focal point of Zaghloul’s session — business email compromise, also known as email account compromise. “The combination of simplicity and effectiveness is making this [cyberattack] a worldwide phenomenon,” he said. Business email compromise is a type of scam that uses email as a means to deceive recipients into initiating fraudulent transactions. There are two unique facets that make it so effective. The first is that it doesn’t take any special sort of “hacking” know-how, which means virtually anyone could put together an attack. The second is that it’s also relatively easy to create a convincing enough email to trick at least one person. With this type of scam, one click is all the malware needs and — bingo! — attackers are inside an organization’s email system.

Zaghloul emphasized that there is no technology that can block these types of “spoof” emails. It’s up to the humans receiving them to recognize an attempt and put a stop to it before it causes irreversible damage.

“This is an industry,” Zaghloul said of business email compromise. “They use. They test. They distribute. That’s something to keep us awake at night.” Zaghloul mentioned his sleepless nights many times throughout the presentation, giving the impression that even for an expert in the field, the threat of attack can at times feel insurmountable and indefensible.

However, Zaghloul left everyone in the room with some hope. He offered three pieces of actionable advice for organizations to defend against this kind of attack.

  1. Promote awareness. Train everyone at the organization on what to look for and how to respond if they suspect a phishing attack.
  2. Encourage communication. Make it acceptable to reach out directly to someone to verify that an email is legitimate.
  3. Report quickly. If someone at your organization recognizes a phishing email, teach them to alert the IT team as soon as possible to help prevent others from executing a harmful action.

When reflecting on why business email compromise has grown to such prevalence, Zaghloul said, “We are connected 24/7. People want to be connected 24/7.” He doesn’t see this trend changing anytime soon, so it’s up to organizations to adapt and prepare, ensuring their employees don’t unwittingly open the door to fraudulent transactions.