Business Email Compromise: The changing economy exposes a growing threat

April 2, 2023
Posted by Aware Force

Rising unemployment will give hackers a powerful way to infiltrate organizations by exploiting employees who are nervous about their jobs.

Taking advantage of this scenario, scammers posing as job seekers are targeting human resources (HR) staff and using a social engineering tactic known as Business Email Compromise (BEC) to spread ransomware across a company’s network. Once inside, scammers can use their newfound contacts to target executives with dedicated emails designed to steal intellectual property.

The hackers know that HR personnel are accustomed to opening attachments from unknown senders, and they seize the opportunity to turn these employees into unwitting insider threats.

Deloitte reports that 70% of the cases handled by Palo Alto’s incident response team consisted of Business Email Compromises.

Mike McLellan, Director of Intelligence at Secureworks, says BEC attacks require little to no technical skill but can be highly lucrative. "Attackers can simultaneously phish multiple organizations looking for potential victims without needing to employ advanced skills or operate complicated affiliate models."

Jobseekers also targeted

As if the rise of job scams on popular search sites weren't concerning enough, scammers are now using fake job offers to hack into organizations.

New research by KnowBe4 and Check Point has found that phishing emails targeting LinkedIn accounts are rising fast. These attacks are designed to trick users into clicking on a malicious link or downloading a file that contains malware. As LinkedIn becomes an increasingly popular platform for professional networking and concern about unemployment among workers rises, these attacks are becoming more common.

These phishing attacks often take the form of fake job offers or messages that appear to be from LinkedIn itself. These messages may ask users to update account information or click on a link to view a job offer, but in reality, they are designed to steal the user's personal information or install malware on their computer. If the user is on a company computer, this could potentially open the organization’s doors to criminals.

LinkedIn urges employees and managers to be aware of six common signs that a job posting might not be authentic:

  1. Contact can’t be found in a Google search
  2. No company information
  3. Grammatical errors & spelling mistakes
  4. Be wary of job offers that require upfront payments 
  5. Personal information is required immediately
  6. Sounds too good to be true

There are different reasons why someone would post a fake job offer. Some companies like to have resumes on file, or employers might be testing the water or gauging the current talent pool. However, users must exercise caution when communicating with potential employers online and report any suspected fake job listings to the appropriate authorities.

How can employees be cyber-safe and detect possible scams?

Cyber and IT leadership can reduce risk by communicating regularly with the workforce. To protect themselves from these attacks, personnel should be wary of unsolicited messages or job offers and take precautions such as enabling two-factor authentication and keeping anti-virus software up to date on personal devices. Users should also be cautious of messages that ask for personal information or require them to download files or click on links.

IT decision-makers are aware of this threat…and they’re concerned

Arctic Wolf recently surveyed over 900 global security leaders about their top concerns, and the results showed that Business Email Compromise was a social engineering tactic that needs to be top of mind. 52% of organizations experienced a breach in the past 12 months; of those, a third were BEC attacks. BEC attacks were also listed as the “top concern” for 38% of respondents.

How can Cybersecurity and IT leaders mitigate these cyber threats?

Many companies implement email filters. However, all it takes is a few emails to penetrate the filters and reach employees’ inboxes. Some companies that have fallen victim to these nefarious attacks include Facebook, Google, Toyota, and Ubiquiti, all resulting in multimillion-dollar losses.

As a leader, ensuring your employees have high cybersecurity awareness and empowering them to be your strongest line of defense against cyber attacks is highly effective. A well-informed worker (techie or not) will be able to detect a scam and report it to your team.

To assist with this vital task, engage your employees in cybersecurity all year long with content branded for your company from Aware Force.

Check our Cybersecurity Newsletter page to get to know more or connect with us and in 15 minutes, you'll see why Aware Force has raving fans across North America.
