Virtual meetings have become commonplace in the business world, providing greater accessibility for engagement with clients and colleagues in different locations. However, these meetings have also opened a new window of opportunity for cybercriminals who will leverage any opportunity if it increases the likelihood of their success. This latest scheme has become serious enough that even the FBI has sent out warnings. Here is how it works:
With the help of social engineering, the hacker selects the best employee to impersonate. It’s usually the financial director, CFO, or someone with similar authority over the company’s money.
The cybercriminal then sets up the tools they need. The employee’s email is compromised, and a phony virtual meeting profile is created – usually with a still photo of the person they are impersonating.
The cybercriminal schedules a virtual meeting with all the right players. As part of the impersonation, they might use a hijacked profile picture of the CFO and either no sound or a synthetic voice, claiming their audio is not working properly. Oftentimes they will just use the chat feature.
The malicious actor uses the virtual platform to gather any additional information they need, then instructs those on the call to initiate a transfer of funds and tells them to look for a follow-up email with details.
Since the impersonated employee’s email has already been compromised, the hacker simply sends a follow-up communication (which, of course, is a phishing email) to the team with instructions on the wire transfer.
Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is the #1 most expensive form of cybercrime/email phishing attacks, accounting for $2.4 billion in losses in 2021. Based on the number of reported incidents of BEC, that puts the average cost of an attack at $120,074 each.2
These phishers target companies of all sizes, across all industries. Nobody is safe. There are, however, several things you and your company can do to protect yourself from these elaborately designed phishing schemes. The top three include:
With all wire transfers, ensure that it is office policy to use some sort of two-factor authentication to verify requests for changes in account information and to confirm financial requests come from a legitimate source.1
Ensure all employees know that being asked to supply log-in credentials or personal information via email is a red flag for cybercrime and should not be done.1
Have the strongest level of phishing protection built into your company’s security stack. This takes the onus off of employees for identifying other signs of email fraud such as hyperlinks with misspellings and unverified sender email addresses.
Sender profiling and social graphing are just two of the many tools INKY uses to detect foul play and block Business Email Compromise impersonations. INKY works on inbound, internal, and outbound emails, as well as mobile devices. Its patented technology sanitizes all emails, disarms phishing emails, and reconstructs each email using safe and standard HTML5. From there, INKY injects an HTML banner with one or more of nearly 60 warning messages to educate the recipient with specifics of the threat. This subtle form of training helps to change the behavior of the user, coaching them to make smart decisions when it comes to email security.
Play tough defense against email impersonation. With INKY on your side, you can detect the behaviors of the most sophisticated attackers with technology that’s always getting smarter to keep you ahead of account takeovers. Find out why so many companies are turning to INKY for the security of their email. Schedule a demo or inquire today.
INKY is an award-winning, behavioral email security platform that blocks phishing threats, prevents data leaks, and coaches users to make smart decisions. Like a cybersecurity coach, INKY signals suspicious behaviors with interactive email banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps phishers out for good. Learn why so many companies trust the security of their email to INKY. Request an online demonstration today.
1 Source: https://www.ic3.gov/Media/Y2022/PSA220216
2 Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf