Your information security is only as strong as the effectiveness of the cybersecurity training you provide to your employees. Your employees are a major access point for cyber attackers. You are always a potential target – no matter how small or large your organization is.
Increased remote work has increased your business’ risk of business email compromise (BEC). According to the Internet Crime Complaint Center’s (IC3) 2023 Report, 21,489 BEC complaints were received, with approximately $2.9 billion in associated losses. Overall complaints to IC3 went up 10% from 2022, and losses increased 22% to roughly $12.5 billion. According to recently released survey results from Trustpair covering 266 finance and treasury executives, 96% of the respondents “were targeted by at least 1 fraud attempt” and 90% of the respondents reported at least one of the attacks to be successful.
Machine learning (ML) is increasingly being used by fraudulent actors to better hone and target their messages to victims. Gone are the days of the laughably misspelled and grammatically incorrect missives from a long-lost “Nigerian Prince” in need of a U.S.-based individual to deposit their royal inheritance. Romance scammers can now talk to their victims using the generated voice of a celebrity. Sadly, there are cases in which victims are convinced they are in a relationship with a celebrity with whom they have communicated solely through email and text, and who claimed to be much younger than them. Despite attempts by not just loved ones but also digital forensic experts to provide evidence to the contrary, these people remain in denial.
There is now an up-and-coming scam that uses the generated voices of family members, taken from social media, to induce parents or grandparents to send money to a relative who supposedly needs bail money, has been kidnapped, or is facing some other urgent scenario. Telephone numbers, e-mail addresses and voices can all be effectively spoofed. It’s enough to make you want to just toss all your electronic devices away and go back to the 80s.
Real-World Scenario
A company encountered a situation where two people, each through separate email exchanges, placed orders for their products. While the contact details provided seemed legitimate, the individuals were not affiliated with businesses that typically used or sold the company’s products. The company, upon suspicion, reached out to these individuals by phone. The individuals gave plausible explanations for their purchases. The company researched and confirmed people with the same names did work at the companies these individuals claimed to represent. The purchase orders were approved, and the product was shipped. Unfortunately, payment was never received.
So, what was missing from the company’s due diligence? They only reached out using contact information provided by the individuals, and the independent online research the company did relied on information publicly available to everyone, including the individuals who assumed the identities. Subsequently, the company contacted both businesses the individuals purported to work for and determined that one no longer worked for the business and the other was not authorized to submit purchase orders on the business’s behalf.
Scenario Tips
Here are some ways to protect yourself if confronted with a scenario similar to our client’s.
- Install and use advanced email filters. They won’t catch everything so you will still need to be vigilant.
- Avoid immediately reacting to communications, whether for payment or product shipment, imploring you to act immediately or else some calamity will befall you. Slow down. A business deal or a client will not be lost in the amount of time it takes you to confirm the payment or the order independently. However, a great deal of money or product could be lost forever.
- Provide monthly cybersecurity training to your employees. This will help raise awareness and limit incidents.
- Trust your gut. If the email is unexpected and suspicious, it warrants further investigation. If you weren’t expecting the email, check it out closely. Is the email address right? Are there links or attachments? Typically, you can hover over a link and see the complete web address it actually points to. Is it a “normal” email you regularly receive from the sender? If anything seems amiss, contact the sender through an independently verified method and confirm the email.
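The checklist above can be partly automated. The script below is an added illustration, not Withum’s tooling or anything from the scenario: it reads a raw e-mail and reports the red flags the tips describe, namely a sender domain that is not the vendor you expect (here a lookalike with a digit 1 in place of the letter l), a Reply-To that routes answers somewhere else, pressure language, and a link whose visible text does not match its real destination. Both sample messages, the trusted-domain list and the word list are constructed placeholders; adjust them to your own vendors.

```python
"""Heuristic triage of a suspicious e-mail (added illustration, not Withum's tooling).

Automates the checklist in the text: is the sender address right, does Reply-To
point elsewhere, is the message pressuring you to act now, and does a link's
visible text match where it really goes?  All sample data is constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the vendor domain your accounts-payable team actually expects.
TRUSTED_SENDER_DOMAINS = {"example-vendor.com"}
PRESSURE_WORDS = ("urgent", "immediately", "act now", "cancelled", "suspended")

# Constructed sample: lookalike sender (digit 1 for letter l), foreign Reply-To,
# urgency language, and a link whose text and destination disagree.
SUSPICIOUS_EMAIL = """\
From: "Accounts Payable" <ap@examp1e-vendor.com>
Reply-To: ap.urgent@mail-relay.example.net
To: finance@example.com
Subject: URGENT: updated bank details for invoice 4471
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please update our banking details immediately or the shipment will be cancelled.</p>
<p>Confirm here: <a href="http://login.example-payments.net/verify">https://portal.example-vendor.com/invoice</a></p>
</body></html>
"""

# Constructed sample of an ordinary message from the expected vendor.
ROUTINE_EMAIL = """\
From: "Accounts Payable" <ap@example-vendor.com>
To: finance@example.com
Subject: Invoice 4471 attached
Content-Type: text/html; charset="utf-8"

<html><body><p>Invoice 4471 is available at
<a href="https://portal.example-vendor.com/invoice">https://portal.example-vendor.com/invoice</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(addr_or_url):
    """Lower-cased host part of an e-mail address or URL ('' if none)."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def red_flags(raw_message):
    """Return human-readable warnings for raw_message; an empty list means none fired."""
    msg = message_from_string(raw_message)
    flags = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_host = _host(from_addr)
    if from_host not in TRUSTED_SENDER_DOMAINS:
        flags.append(f"sender domain {from_host!r} is not an expected vendor domain")
    if reply_addr and _host(reply_addr) != from_host:
        flags.append(f"replies go to {_host(reply_addr)!r}, not to the sender's domain")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    haystack = (msg.get("Subject", "") + " " + body).lower()
    found = [w for w in PRESSURE_WORDS if w in haystack]
    if found:
        flags.append("pressure to act immediately: " + ", ".join(found))

    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        # Only text that itself looks like a URL can "lie" about the destination.
        # Hosts are compared exactly, so a subdomain difference is flagged too.
        if text.startswith(("http://", "https://")) and _host(text) != _host(href):
            flags.append(f"link shows {_host(text)!r} but goes to {_host(href)!r}")
    return flags


if __name__ == "__main__":
    for name, mail in (("suspicious", SUSPICIOUS_EMAIL), ("routine", ROUTINE_EMAIL)):
        print(name, red_flags(mail) or ["no red flags"])
```

Run it as is to see four warnings for the constructed suspicious message and none for the routine one. A hit is a reason to pick up the phone and call the vendor at a number you already have on file, exactly as the tip says; the script does not decide for you.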
Here are a couple of ways to protect yourself from the nightmare I mentioned: AI-generated calls for money in emergencies.
- Many years ago, before cellphones, parents were advised to agree on a codeword with their children, so that if someone else were to pick them up, the children would know it was safe only if the person knew the codeword. Similarly, agree on a codeword known only to you and your relatives, so that if you receive a call from someone claiming to be a relative who urgently needs money, you can ask for the codeword to verify them. Or:
- Hang up, or put the “relative” on hold, and then call the relative at a known and verified number to ensure that it is really them.
Public Service Announcement
If you post your whereabouts on social media, it is best practice to post where you have been, not where you are going to be and when. Social media is a treasure trove of intelligence. Criminals can surveil you via your social media and determine a lot of information about you, such as whether you are out of town.
How Withum Can Help
Do you have concerns about your network security? Withum’s Cyber and Information Security Services Team can provide a complete service to your organization. We can check your network by testing your network security and offer recommendations to bolster your security in areas of identified vulnerabilities. Reach out to us today and we can get started.
Contact Us
For more information on this topic, please contact a member of Withum’s Cyber and Information Security Services Team.