When It Comes to Fraud, Where Is the Weakest Link?
Much like a chain-link fence is a deterrent that holds back burglars from accessing private property, a company’s digital security keeps cyber criminals from gaining access to confidential business information. It ensures that hackers don’t breach the internal IT infrastructure that protects sensitive data. However, much like a chain-link fence, cyber security is only as strong as its weakest link. Regardless of the industry, when even one small link in this chain is weakened, the strength of the entire system is compromised.
In a recent phishing attack on Snapchat’s payroll department, a hacker, masquerading as the company’s CEO, convinced a single employee in payroll to send him the payment information of other workers at the company. That one person’s innocent mistake – the weakest link in Snapchat’s defenses – ended with a breach that demanded involvement by the FBI.
Finding these single points of failure in the security architecture is crucial to mitigate the risks of fraud. To that end, let’s take a look at some of the most likely reasons why a company’s weakest link might break and allow for a cyber-attack that ends in fraud.
Lack of awareness causes a lot of problems
Although movies and TV shows have shown the public that hacking involves beating some sort of digital defense system by smacking the keyboard and completing some sophisticated maneuvers, a lot of real-world cyberattacks stem from a lack of awareness of the risks involved. For instance, an employee or customer is much more likely to make a mistake than a piece of software, and hackers are all about taking the path of least resistance and exploiting that weakness.
Specifically, cybercriminals absolutely love to take advantage of weak passwords or the poor management of them. Verizon’s 2016 Data Breach Investigations Report found that around 63 percent of successful breaches within the study had to do with this attack vector, whether that meant giving up login credentials via a phishing scheme or simply having a weak password to start.
Therefore, it’s vital that companies emphasize the importance of strong passwords and proper protection of them, both for employees and for customers. Most experts believe a solid phrase should be at least eight characters long, with numbers and capitalizations to further ensure security.
Spear phishing and business email compromise (BEC) could expose high-level executives
Ordinary phishing may lead to the compromising of a lower-level employee, but hackers know that the executives of most companies have learned how to avoid these mass emails. To get access to the accounts of these higher-ranking administrators, cybercriminals often have to employ spear phishing techniques.
Unlike regular phishing, spear phishing attacks require the hacker to research his or her intended victim. This could involve spoofing the email address of the executive’s daughter, or even finding a way to access a business partner’s account. Regardless, the end result is a message that looks incredibly real and has a lot of personal information to back up its legitimacy.
Once the attacker has the executive’s login credentials, he could simply sit back and wait, watching his victim’s email inbox until something valuable shows up. Alternatively, he could use the victim’s account to request a fraudulent money transfer, something that is referred to as business email compromise.
What’s more, BEC isn’t some hypothetical situation executives may need to look out for in the future. Companies are being hit with these kinds of scams all the time, and it’s causing a lot of financial disruption.
- Ubiquiti Networks had an executive lose control of an email account, ending with a theft of more than $46 million.
- Leoni, a manufacturing firm based in Germany, became the victim of a similar BEC scam that cost the company €40 million or around $44 million.
- One Nigerian scammer was arrested by INTERPOL after utilizing BEC and similar scams to net himself $60 million.
The FBI has reported that between October 2013 and February 2016, BEC fraud schemes cost companies more than $2.3 billion. The only way to truly avoid BEC is to educate executives. Those high up in the company hierarchy need to know that they are targets, and that they shouldn’t be giving login credentials to anyone via email.
Get the tools you need to fight fraud
In addition to these precautionary measures, the FBI’s Internet Crime Complaint Center has a long list of best practices executives can follow in order to mitigate the risks of BEC. The most important are:
- Verify any payments that seem out of the ordinary.
- Avoid free email accounts, as hackers tend to target these.
- Register domain names that are similar to what the company is using, such as using an “n” instead of an “m.”
- Be mindful of what information you put on social media accounts as well as the company’s own website.
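Two of the practices above (avoid free email accounts; watch for look-alike domains such as a swapped letter) can be turned into a simple screening check on inbound payment requests. The following is an added example, not code from the original article or from Feedzai or the FBI: it takes the sender of a message, classifies its domain as internal, free-mail, look-alike or external, and flags everything but internal mail for out-of-band verification. The company domain, the free-mail list and the sample senders are constructed for the example.

```python
"""Added example: screen the sender of a payment request for BEC look-alike domains.
The company domain, free-mail list and sample senders below are constructed."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed legitimate domain for the example

# Free webmail providers; the guidance above says attackers favour these.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Character sequences that look alike in many fonts ("rn" vs "m" is the classic).
# Both the sender domain and the company domain are folded the same way before
# comparison, so a domain that merely *renders* like ours is caught.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s"}


def fold_confusables(label: str) -> str:
    """Replace look-alike sequences with their canonical form (multi-char first)."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single insert/delete/substitute is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str) -> str:
    """Classify a From: header value as internal, free-mail, lookalike, external or malformed.

    parseaddr strips the display name, so "CEO <attacker@gmail.com>" is judged
    on the address, not on the name the attacker chose to show.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return "internal"          # our domain or a real subdomain of it
    if domain in FREE_MAIL_DOMAINS:
        return "free-mail"
    if COMPANY_DOMAIN in domain:
        return "lookalike"         # e.g. example-corp.com.secure-mail.net
    if fold_confusables(domain) == fold_confusables(COMPANY_DOMAIN):
        return "lookalike"         # e.g. exarnple-corp.com
    if edit_distance(domain, COMPANY_DOMAIN) <= 1:
        return "lookalike"         # one typo away, e.g. example-corp.co
    return "external"


def needs_callback(header_value: str) -> bool:
    """A payment request from anything but an internal address is verified out of band."""
    return classify_sender(header_value) != "internal"


# Constructed sample senders for a batch of "urgent wire transfer" requests.
SAMPLE_SENDERS = [
    "Chief Exec <ceo@example-corp.com>",
    "ceo@finance.example-corp.com",
    "Chief Exec <ceo.example-corp@gmail.com>",
    "ceo@exarnple-corp.com",
    "ceo@example-corp.co",
    "ceo@example-corp.com.secure-mail.net",
    "vendor@partner-supplies.org",
    "not-an-address",
]


def screen(senders):
    """Return {sender: (verdict, needs_callback)} for a batch of From: values."""
    return {s: (classify_sender(s), needs_callback(s)) for s in senders}


if __name__ == "__main__":
    for sender, (verdict, callback) in screen(SAMPLE_SENDERS).items():
        print(f"{verdict:10} callback={callback!s:5} {sender}")
```

The display-name case is the one that trips people up most: the name shown in the mail client is chosen by the sender, so the check deliberately looks only at the address after `@`. Anything not classified as internal is routed to a phone call on a known-good number before money moves, which is the "verify any payments that seem out of the ordinary" step above made mechanical.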
Sadly, sometimes these preventative measures aren’t enough. Fraud can ruin both a company’s bottom line and its reputation, so it’s important for you to take steps to ensure you can catch active fraud before it gets out of hand. Learn how Feedzai and machine learning can help identify and prevent fraud in real-time for issuers, acquirers and merchants in the commerce ecosystem.