4.23.20 – SSI –
Work-from-home employees need to ward against business email compromise (BEC), which is particularly easy to execute and surprisingly hard to detect.
With millions of people working from kitchen tables and in guest bedrooms without their normal tools and resources, the race to maintain business continuity and security is vital. Instead of work happening within the confines of a well-rehearsed enterprise security architecture, a company’s employees and service providers have assembled a network of home computers and personal mobile devices using shared WiFi, public networks and unknown endpoints to access the systems and data they need to perform their role.
As you might expect, the distraction and confusion caused by the coronavirus pandemic has turned this into a greenfield for malicious behavior. Bad actors will seek to leverage vulnerabilities in your new security structure, hitting the easiest attack windows first.
Welcome to a Different Normal
One of the biggest windows, in fact is an open door: the employees who’ve never been in a work-from-home (WFH) role before. That said, we shouldn’t just highlight the newest remote workers. The experienced road warriors who are operating in a changed environment are also at risk of getting tripped up by an experienced fraudster.
One form of fraud, business email compromise (BEC) is particularly easy to execute and surprisingly hard to detect. Criminals apply techniques ranging from phony invoices to more sophisticated (but still simple) email campaigns using information obtained through earlier social engineering in an effort to gain additional personally identifiable information (PII), reroute legitimate payments and initiate bogus wire transfers.
For sure, security concerns about payment fraud and BEC attacks were a major problem well before the shift to work-from-home. The recent FBI Internet Crime Report reported that U.S. losses from BEC scams totaled more than $1.75 billion in 2019, up 25% from $1.3 billion in 2018 — which was double the losses from 2017.
Shut the Front Door
That is a steep curve that will continue to rise rapidly if we don’t take strong measures to stop it. For example, the FBI report highlights that cyber criminals are quickly expanding their reach into the Human Resources departments’ payroll services vertical as a new stream of payment flows to attack.
IT security policies and architectures that govern the safety of a company’s technology infrastructure reduce and eliminate threats as long as employees are following the policies. Unfortunately, any employee can short-circuit the best security by falling for what are often surprisingly simple — albeit ingenious — fraud attacks. Further, the simplicity of these attacks means they frequently do not trigger standard monitoring systems.
To combat payment fraud risks, here are some equally simple guidelines that are key mitigants to the most frequent attacks on WFH employees:
- Communication and Training. You can’t overcommunicate the risks of phishing and wider social engineering, opening malicious attachments and links, and all the other tips outlined below. Ensure you keep the reminders fresh, using new ways to grab employee and customer attention.
- Report Suspicious Activity. Remind employees and customers to report suspicious calls, letters, texts, and emails and give them an easy way to alert you to the event. If there’s been one attempt to engineer a way in, there have been many. Be aware.
- Personal Hardware and Applications. Many remote workers will be using personal computers and phones for work for the first time. Many individuals do not have any anti-malware protection on their home computer, nor do they make regular back-ups. Make security software recommendations to mitigate the associated risks. Remind employees to avoid using personal email and text for work communication.
- Change Passwords. All employees, including those who are new to working remote as well as those who’ve done it before, should be updating passwords. Importantly, not just on their applications but on home WiFi routers as well. Most home WiFi passwords have never been changed out of the box and, if they were, then the new password is often pretty simple. Change it.
- Don’t use Public WiFi. Remind employees and clients not to login through a public or neighbor’s WiFi. The risk of eavesdropping and interception is high.
- Secure end-points. If you don’t already have a company VPN for employee access, deploy one now to improve security.
- Communication and Training. Yes, it’s worth repeating!
- Confirm Identity Every Time. Be extra vigilant — ensure colleagues confirm the identity of every caller and sender of an email or text that requests a transaction, whether it’s a client, an employee or 3rd party caller. Don’t trust without verification.
- Establish Authorization for the Transaction. Don’t just rely on the determining the identity of the person, confirm that whomever requested action is aware of its details as well. Bad actors have enough information at their disposal to impersonate.
- Don’t Trust the Channels. Emails, messages and phone calls shouldn’t be trusted. You never know who is asking for access, or requesting a change to standing payment instructions, or a password reset. Cyber criminals are adept at intercepting and redirecting messages. Rather than trying to secure an inherently insecure channel, secure the request itself.
Lessons Learned and What-Ifs
As IT organizations continue hustling day-to-day to meet a mushroomed remote workforce’s demands, demands that very likely exceed many companies’ worst-case contingency plans, it is vital to communicate simple best practices. Don’t let colleagues fall victim to social engineering and simple BEC fraud.
It is also important to review both lessons learned and the what-ifs that came to mind over the past couple months (but fortunately haven’t happened). Then incorporate them into a secure and sustainable solution that is flexible across environments and channels and able to adapt to future unforeseen contingencies that might come your way.
Michael Cutlip is President and CEO of Authoriti.