Email Security Blog

Phishing and BEC Scams Targeting Remote Workers are on the Rise

Patrick Peterson April 22, 2020 BEC, Business Email Compromise

Government officials are issuing fresh warnings about COVID-19 related business email compromise (BEC) scams targeting legions of remote workers participating in what has become “the world’s largest work-from-home experiment.”

The troubling rise in success rates for these attacks could have serious implications for the future of email security.

In just the last few weeks, cybercriminals impersonating a legitimate supplier of personal protective equipment (PPE) and hand sanitizer recently bilked a French pharmaceutical company out of $7.5 million, according to the Association of Financial Professionals.

And the FBI is reporting that a US-based financial institution was targeted by fraudsters posing as the company’s CEO. In an “urgent” message sent from a spoofed email account, the threat actors requested that a previously scheduled $1 million wire transfer be moved up, and that receiving bank account details be changed “due to the coronavirus outbreak and quarantine processes and precautions.”

BEC is big business. In a recent survey from JPMorgan, 75% of US companies reported suffering direct financial damage from such schemes in 2019. According to FBI statistics, that translated into more than $26 billion in business losses worldwide since 2016—or $700 million each month.

In the face of the coronavirus outbreak, the massive shift to remote working has dramatically expanded the attack surface for BEC crime groups the world over. The repercussions, and the harrowing losses, will be felt long after shelter-in-place mandates come to an end.

BEC and the Ultimate Black Swan Event

Indeed, the COVID-19 outbreak represents an unprecedented crisis to businesses worldwide, one that exposes troubling vulnerabilities in email communications and, in a way, in the human psyche as well.

Remote workers rely heavily on email. In contrast to workers who share a common space, at home workers can’t just walk over to an office or peer over a cubicle to quickly verify an instruction. To do this remotely requires a few extra steps, such as a phone call, text, or follow-up email. Workers in a hurry might tend to skip those steps.

Distractions from homebound family, pets, and especially news, which is by its very nature is designed to attract attention, can leave workers in “multi-tasking mode.” As a result, the most mundane activities – such as authenticating login credentials can create a significant risk. When attention is spread thin, a carefully crafted ruse might trick workers into unwittingly giving up their login credentials to a fraudster.

Remote workers can also introduce threats from home networks. This includes the use of personal devices infected with malware or lacking security patches, poorly configured wifi connections, and even conference calls that are not properly secured. Any of these issues can expose confidential information that can be knitted together into highly-effective social engineering attacks.

These issues are hardly new. But, in the dramatically changed operating environment we now live in, they pose heightened security threats to any organization. The inescapable reality – remote workers and their susceptibility to phishing and BEC attacks are here to stay.

Peering At a Post-Pandemic World

Welcome to the new normal. Despite a glimmer of hope that our mass experiment in advanced hermitry is beginning to flatten the curve of new infections, it’ll still be a long time before any of us start skipping those Zoom cocktail parties for the real thing.

As businesses make slow progress toward a new definition for “normalcy” it’s clear that things will never be quite the same. Among other things, the bluff has been called on objections to employees working from home. Not only has remote working been validated, it’s clear that it was always going to be more productive than yesterday’s butts-in-seats office environments.

If it takes longer to develop a vaccine, and the novel coronavirus proves to be a seasonal malady that outpaces global herd immunity, our time “together, apart” could come with sequels. For these reasons and more, digital is no longer just part of the organizational fabric. It’s foundational to virtually every aspect of the enterprise. But it comes with vulnerabilities — most notably the human beings who depend on digital tools to do their jobs.

In Crisis, Opportunity

For enterprise security professionals, these realities must be factored into email security roadmaps.

VPNs, multi-factor authentication, and controls against sending sensitive information through personal email accounts or devices will certainly be a part of the picture.

Coordinated security standards among supply chains, including mandatory DMARC implementation, can help neutralize the threat of attacks that exploit unsecured domains. And as some have suggested, one-time PINs associated with invoices could also help accounts payable prevent email invoicing fraud.

But more than anything else, recent increases in successful attacks showcase the importance of nimble phishing simulation training, as well as modern identity-based defenses that block email attacks – even those from compromised, but otherwise legitimate email accounts.

Combined with continuous detection and response technology that automatically ferrets out and removes attacks that evade initial detection, these security controls can help organizations defeat the BEC scams, phishing attacks, and other advanced email threats targeting remote workers.

To learn more about BEC scams, phishing attacks and other advanced email threats, read our Q1 2020 Email Fraud and Identity Deception Trends report.

Agari Blog Image

December 16, 2021 John Wilson

Common Phishing Email Attacks | Examples & Descriptions

What does a phishing email look like? We've compiled phishing email examples to help show…

Agari Blog Image

December 8, 2021 John Wilson

What Is Email Phishing? [How to Protect Your Enterprise]

Phishing emails can steal sensitive data and cost companies' reputation. However, protecting a company from…

Envelope with skull and cross-bones

December 1, 2021 John Wilson

Identifying and Mitigating Email Threats

Email  threats are ever evolving, and it’s important to stay up to date. Here are…

Woman-shopping on cell phone

November 30, 2021 Mike Jones

It’s the Most Wonderful Time of the Year… for Cybercriminals

The holiday season is upon us, which means it’s also the busiest time of the…

laptop with envelope and security badge-secure email

November 24, 2021 John Wilson

TLS for Email: What is it & How to Check if an Email Uses it

Transport Layer Security (TLS) is encryption to secure email messages between sender and receiver to…

mobile image