2016 was a particularly bad year for data breaches. A large number of huge data breaches from years gone by were also discovered in 2016.
The largest breach of 2016 – by some distance – affected Yahoo. The credentials of more than 1 billion users were obtained by the gang behind the attack. A massive cyberattack on MySpace was discovered, with the attackers reportedly obtaining 427 million passwords. 171 million vk.com account details were stolen, including usernames, email addresses, and plaintext passwords. 2016 also saw the discovery of a massive cyberattack on the professional networking platform LinkedIn. The credentials of more than 117 million users were stolen in the attack. Then there was the 51-million iMesh account hack, and 43 million Last.fm accounts were stolen….to name but a few.
The data stolen in these attacks are now being sold on darknet marketplaces to cybercriminals and are being used to commit a multitude of fraud.
One of the biggest threats for businesses comes from business email compromise (BEC) scams. BEC scams involve an attacker impersonating a company executive or vendor and requesting payment of a missed invoice. The attacker sends an email to a member of the accounts team and requests payment of an invoice by wire transfer, usually for several thousand dollars. All too often, even larger transfers are made. Some companies have lost tens of millions of dollars to BEC fraudsters.
Since the email appears to have been sent from a trusted email account, transfer requests are often not questioned. Cybercriminals also spend a considerable amount of time researching their targets. If access to corporate email accounts is gained, the attackers are able to look at previous emails sent by the targets and copy their writing style.
They learn about how transfer requests are usually emailed, the terms used by each company and executive, how emails are addressed, and the amounts of the transfers that have been made. With this information an attacker can craft convincing emails that are unlikely to arouse suspicion.
The scale of the problem was highlighted earlier this year when the FBI released figures as part of a public awareness campaign in June. The FBI reported that $3.1 billion had been lost as a result of BEC scams. Just four months earlier, the losses were $2.3 billion, clearly showing that the threat was becoming more severe.
This year also saw a huge increase in W-2 scams in the United States. W-2 data is requested from HR departments in a similar manner to the BEC scams. Rather than trying to fool email recipients into making fraudulent transfers, the attackers request W-2 data on employees in order to allow them to file fraudulent tax returns in their names. The IRS issued a warning earlier this following a huge increase in W2 attacks on organizations in the United States.
Companies large and small were targeted, with major attacks conducted on Seagate, Snapchat, Central Concrete Supply Co. Inc, and Mainline Health. Between January and March 2016, 55 major – and successful – W-2 scams were reported to the IRS.
Attackers do not even need email account passwords to conduct these attacks. Email addresses of CEOs and executives can easily be spoofed to make them appear that they have been sent internally. The sheer number of stolen email addresses – and in many cases also passwords – makes the threat of BEC and W-2 attacks even greater. Security experts predict next year will be even tougher for businesses with even more cyberattacks than in 2016.
Improve Your Defenses Against Email-Borne Threats in 2017
Reducing the risk of these attacks requires multi-layered defenses. It is essential that all employees authorized to make corporate bank transfers receive training on email security and are alerted to the risk of BEC scams. Policies should be introduced that require bank transfer requests to be authorized by a supervisor and/or authenticated by phone prior to the transfer being made.
All employees should be instructed to use strong passwords and never to share work passwords anywhere else online. Many employees still use the same password for work as for personal accounts. However, if one online platform is breached, it can give the attackers access to all other platforms where the same password has been used – including corporate email accounts.
Organizations should also implement controls to block phishing and spear phishing attacks. Blocking phishing emails reduces reliance on the effectiveness of anti-phishing training for employees.
SpamTitan is a highly effective tool for blocking malicious spam emails, including phishing and spear phishing emails. SpamTitan uses a range of techniques to identify spam and scam emails including Bayesian analyses, greylisting and blacklists. SpamTitan incorporates robust anti-malware and anti-phishing protection, as well as outbound email scanning to block spam and scams from corporate email accounts. SpamTitan is regularly tested by independent experts and is shown to block 99.97% of spam email with a low false positive rate of just 0.03%.
2016 may have been a particularly bad year for data breaches and the outlook doesn’t look good for 2017, but by taking affirmative action and implementing better defenses against email-borne attacks, you could ensure that your company is not added to the 2017 list of data breach and scam statistics.