The news media is always on the lookout for headlines that will either terrify or excite their readership or viewership. Only a couple of decades ago the mantra of the print media was ‘if it bleeds – it ledes’. A lede is the opening sentence or paragraph of a news article, summarising the most important aspects of the story, and the media love panic and pain. According to a recent FBI cybercrime report, ransomware attacks are not the most important media story of the day, no matter which website you visit or which channel you watch.
If you believe those news reports, ransomware is coming to take your computer hostage and drain your bank account to a level where a Happy Meal is going to be a bit of an extravagance. The truth is however different, at least according to the FBI Cybercrime Report (IC3 – Internet Crime Report v3). That report maintains that there are far more pressing matters to worry about when it comes to the safety of your business.
The latest media panic paragraphs have covered ‘Wannacry’, a slightly clumsy ransomware attack that hit the headlines in June 2017. It spread quickly, but the effects seem to have been fairly benign (if that could ever be said about a cyberattack on major businesses). Now there’s a new Ransomware threat detected, called ‘Goldeneye’ – a new iteration of the ‘Petya’ Ransomware attack that took up headline space in 2017. It’s making life challenging for I.T. departments in companies in over 2,000 companies, including Danish shipping giant Maersk, U.S. pharmaceutical company Merck, and multiple private and public institutions in Ukraine. It’s sneakier and more advanced than its older cousin – and the media are having a field day.
Ransomware attacks? Don’t panic!
Well, OK, panic a bit.
Ransomware attacks are potentially very damaging But there are far more serious threats according to the FBI Cybercrime Report. Worry more about your banking information, private photos and other data. And it’s not external threats that should be top of your watch list – it’s your email that’s the issue.
Based on actual crimes reported by victims and law enforcement agency’s investigative efforts, the deadliest online threat to Internet users in the country is Business Email Compromise (BEC). Such internet crime includes a component known as Email Account Compromise (EAC), which is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses who regularly perform wire transfer payments.
The FBI Cybercrime Report began tracking these scams as a single crime type in 2017. The scam is carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorised transfers of funds. Most victims report using a wire transfer service as a common method of transferring funds for business purposes.
Cybercrime report highlights Asia’s role
Now, for businesses in Asia addressing the threat is even more urgent. The cybercrime report states that fraudulent transfers have gone through accounts in many countries, with a large majority traveling through Asia.
A direct quote from the cybercrime report states that ‘the scam began to evolve in 2013 when victims indicated the email accounts of Chief Executive Officers or Chief Financial Officers of targeted businesses were hacked or spoofed, and wire payments were requested to be sent to fraudulent locations.’ The scam has continued to evolve and in 2014 businesses reported having personal emails compromised and multiple fraudulent requests for payment sent to vendors identified from their contact list.
In 2015, the fraudsters got even more advanced in their approach, posing as lawyers or law firms instructing them to make secret or time sensitive wire transfers. BECs may not always be associated with a request for transfer of funds.
In 2016, the evolution continued to include the compromise with requests for Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.
The BEC/EAC scam is linked to other forms of fraud, including romance (i.e. dating) websites, lottery websites, employment, and rental scams. The victims of these scams are usually U.S. based and may be recruited to illegally transfer money on behalf of others, but global business being what it is every single company should be aware of the issue.
Why worry about the cybercrime report?
In 2016, the third iteration of the Internet Crime Report from the FBI received 12,005 BEC/EAC complaints and reported losses of over $360 million (in the U.S.).
That’s an enormous sum and it is set to grow.
The major point is that those guarding data should be aware that it is not the shark’s fin that breaks the surface and is reported by the media in hysterical terms that is worrying. It is the silent killer that lurks below the surface that should have the guardians worried.
All systems and protocols must be secure and require constant vigilance. The media is not your guide to threat levels – stick with professional advisors who have the real story, not the lede that bleeds.