The most frequently reported complaints were phishing and similar ploys, non-payment/non-delivery scams, and extortion. While email is still a common entry point, frauds are also beginning with text messages—a crime called smishing—or even fake websites, a tactic called pharming.
Donna Gregory, the chief of IC3, said: “You may get a text message that appears to be your bank asking you to verify information on your account. Or you may even search a service online and inadvertently end up on a fraudulent site that gathers your bank or credit card information.”
Individuals need to be extremely sceptical and double check everything, she stressed. “In the same way your bank and online accounts have started to require two-factor authentication—apply that to your life. Verify requests in person or by phone, double check web and email addresses, and don’t follow the links provided in any messages.”
Business email compromise (BEC)
BEC, or email account compromise, has been a major concern for years. In 2019, IC3 recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses. The report describes it as ‘constantly evolving’.
These scams typically involve a criminal spoofing or mimicking a legitimate email address. For example, an individual will receive a message that appears to be from an executive within their company or a business with which an individual has a relationship. The email will request a payment, wire transfer, or gift card purchase that seems legitimate but actually funnels money directly to a criminal. In the last year, IC3 reported seeing an increase in the number of BEC complaints related to the diversion of payroll funds.
Stuart Reed, VP Cyber at Nominet, says: “The advice to consumers is plentiful – from spotting dubious websites to identifying phishing emails – and eventually this will become fundamental cyber-savviness that we’ll all need to have. There is also a responsibility on businesses, however, to ensure that their websites aren’t spoofed and that they are tracking and monitoring this to protect their customers. As well as monitoring their own domain for malicious activity, it is also important for them to monitor those with brand adjacencies: a malicious domain that is set up using a credible brand in an attempt to prevent the end-user from spotting the fake.”
On BEC, Ed Macnair, CEO of Censornet, said: “By using an email address similar to a trusted company address, criminals can trick an employee into giving away valuable information at almost no cost. These attacks are harder for traditional pattern-matching techniques to catch so organisations have to update their email security technology in kind. Multi-layered content analysis, which thoroughly checks each individual feature of an email before it gets to the sender, has proved effective at stopping these very convincing spoof emails, which led to almost two billion dollars lost in the US in the last year alone.”