Government officials are issuing fresh warnings about COVID-19 related business email compromise (BEC) scams targeting legions of remote workers participating in what has become "the world's largest work-from-home experiment."
The troubling rise in success rates for these attacks could have serious implications for the future of email security.
In just the last few weeks, cybercriminals impersonating a legitimate supplier of personal protective equipment (PPE) and hand sanitizer recently bilked a French pharmaceutical company out of $7.5 million, according to the Association of Financial Professionals.
And the FBI is reporting that a US-based financial institution was targeted by fraudsters posing as the company's CEO. In an "urgent" message sent from a spoofed email account, the threat actors requested that a previously scheduled $1 million wire transfer be moved up, and that receiving bank account details be changed "due to the coronavirus outbreak and quarantine processes and precautions."
BEC is big business. In a recent survey from JPMorgan, 75% of US companies reported suffering direct financial damage from such schemes in 2019. According to FBI statistics, that translated into more than $26 billion in business losses worldwide since 2016—or $700 million each month.
In the face of the coronavirus outbreak, the massive shift to remote working has dramatically expanded the attack surface for BEC crime groups the world over. The repercussions, and the harrowing losses, will be felt long after shelter-in-place mandates come to an end.
BEC and the Ultimate Black Swan Event
Indeed, the COVID-19 outbreak represents an unprecedented crisis to businesses worldwide, one that exposes troubling vulnerabilities in email communications and, in a way, in the human psyche as well.
Remote workers rely heavily on email. In contrast to workers who share a common space, at home workers can’t just walk over to an office or peer over a cubicle to quickly verify an instruction. To do this remotely requires a few extra steps, such as a phone call, text, or follow-up email. Workers in a hurry might tend to skip those steps.
Distractions from homebound family, pets, and especially news, which is by its very nature is designed to attract attention, can leave workers in “multi-tasking mode.” As a result, the most mundane activities - such as authenticating login credentials can create a significant risk. When attention is spread thin, a carefully crafted ruse might trick workers into unwittingly giving up their login credentials to a fraudster.
Remote workers can also introduce threats from home networks. This includes the use of personal devices infected with malware or lacking security patches, poorly configured wifi connections, and even conference calls that are not properly secured. Any of these issues can expose confidential information that can be knitted together into highly-effective social engineering attacks.
These issues are hardly new. But, in the dramatically changed operating environment we now live in, they pose heightened security threats to any organization. The inescapable reality - remote workers and their susceptibility to phishing and BEC attacks are here to stay.
Peering At a Post-Pandemic World
Welcome to the new normal. Despite a glimmer of hope that our mass experiment in advanced hermitry is beginning to flatten the curve of new infections, it'll still be a long time before any of us start skipping those Zoom cocktail parties for the real thing.
As businesses make slow progress toward a new definition for "normalcy" it's clear that things will never be quite the same. Among other things, the bluff has been called on objections to employees working from home. Not only has remote working been validated, it's clear that it was always going to be more productive than yesterday's butts-in-seats office environments.
If it takes longer to develop a vaccine, and the novel coronavirus proves to be a seasonal malady that outpaces global herd immunity, our time "together, apart" could come with sequels. For these reasons and more, digital is no longer just part of the organizational fabric. It's foundational to virtually every aspect of the enterprise. But it comes with vulnerabilities -- most notably the human beings who depend on digital tools to do their jobs.
In Crisis, Opportunity
For enterprise security professionals, these realities must be factored into email security roadmaps.
VPNs, multi-factor authentication, and controls against sending sensitive information through personal email accounts or devices will certainly be a part of the picture.
Coordinated security standards among supply chains, including mandatory DMARC implementation, can help neutralize the threat of attacks that exploit unsecured domains. And as some have suggested, one-time PINs associated with invoices could also help accounts payable prevent email invoicing fraud.
But more than anything else, recent increases in successful attacks showcase the importance of nimble phishing simulation training, as well as modern identity-based defenses that block email attacks - even those from compromised, but otherwise legitimate email accounts.
Combined with continuous detection and response technology that automatically ferrets out and removes attacks that evade initial detection, these security controls can help organizations defeat the BEC scams, phishing attacks, and other advanced email threats targeting remote workers.
To learn more about BEC scams, phishing attacks and other advanced email threats, read our Q1 2020 Email Fraud and Identity Deception Trends report.