Victims of these online crooks lacked a key security feature. Don't make the same mistake

These scammers are gaining access to real accounts that they're using to dupe victims into sending payments. One change could help to stop it.
Written by Danny Palmer, Senior Writer
Image: Getty/LaylaBird

There has been a big rise in business email compromise (BEC) attacks – and most victims work at organisations that weren't using multi-factor authentication (MFA) to secure their accounts.

BEC attacks are one of the most lucrative forms of cyber crime: according to the FBI, the combined total lost is over $43 billion and counting, with attacks reported in at least 177 countries.

These attacks are relatively simple for cyber criminals to carry out – all they need is access to an email account and some patience as they try to trick victims into making financial transfers under false presences. This commonly involves sending messages to employees, purportedly from their boss or a colleague, that suggest a payment – often very large – must be made quickly in order to secure an important business deal.

Also: The biggest cyber-crime threat is also the one that nobody wants to talk about

More advanced BEC attacks hack into a company account and use a legitimate email address to make the payment request. 

It's even been known for scammers to monitor inboxes for long periods of time, only choosing to strike when a real business transaction is about to be made – at which point they cut in and direct the payment to their own account.

With money to be made in this way, cyber criminals are increasingly turning towards BEC campaigns and businesses are falling victim. According to cybersecurity analysts at Arctic Wolf, the number of BEC attacks to which they have responded doubled between January-March and April-June – and these attacks accounted for over a third of all incidents investigated.

There was a common theme among many of the victims: according to incident responders, 80% of the organisations that fell victim to BEC attacks didn't have MFA in place.

Multi-factor authentication provides an extra layer of security for email accounts and cloud application suites, requiring the user to verify that it really was them who logged into the account, helping to protect against unauthorised intrusions – even if the attacker has the correct username and password.

Organisations that ignore MFA are leaving themselves open to BEC campaigns and other cyberattacks – despite repeated recommendations from cybersecurity agencies that it should be applied. So, why aren't they using it?

"MFA requires careful planning and coordination to implement successfully, ensuring that organizations can continue to operate without disruption. Because users require training in how to use the MFA system, this may be difficult for some organisations," Adrian Korn, manager of threat intelligence research at Arctic Wolf Labs, told ZDNET. 

"In addition, configuring and testing a new MFA deployment across an organisation can place a heavy burden on already strained IT departments," he added. 

Also: The scary future of the internet: How the tech of tomorrow will pose even bigger cybersecurity threats

Despite these potential restraints, applying MFA to all user accounts is one of the most significant things organisations can do to help protect their employees and their network from cyberattacks – if they're set up correctly.

"Organisations should plan their MFA deployments out well in advance to account for technical hiccups they may encounter. In addition, organisations should take time to ensure that MFA configurations are tested ahead of prime time and that users are well-trained on how to use the new MFA platform of choice," said Korn. 

There different methods which organisations can use to provide staff with MFA. One of the most common is by using identity and access management software or authenticator apps to help manage account security by requiring login attempts to be verified by with the use of an alert sent to smartphone mobile application. Only after the push alert or code has been accepted will the user be able to login to their account.

Another way of providing users with MFA is by providing them with a hardware key which must be plugged into the device being used to login to the account before it can be accessed. 

But while MFA does help to prevent cyberattacks, it isn't infallible and determined cyber criminals are finding ways to bypass it.  

With BEC attacks using social engineering to trick people into thinking they're doing the right thing, it's also important for organisations to train their employees to detect when a request – even if it comes from a legitimate account – could be suspicious. 

"Users should be trained to recognise suspicious financial requests. If something feels off, users should heed that instinct and inquire further. Urgent financial requests should be validated through additional means before finalising major transactions," said Korn. 


Editorial standards