Your biggest cyber-crime threat has almost nothing to do with technology

One type of cyber threat is costing us all billions, and it's all to do with manipulating people rather than machines.
Written by Danny Palmer, Senior Writer

You're asked about the biggest cybersecurity threats faced by business – which ones spring to mind first?

Maybe it's relentless ransomware attacks, with cyber criminals encrypting networks and demanding vast sums for a decryption key – even from hospitals. Or maybe it's a sneaky malware attack, which lets hackers hide inside the network for months on end, stealing everything from usernames and passwords to bank details. 

Both of these are on the list, for sure. These are awful attacks to experience and can cause terrible damage. But there's another much simpler form of cyber crime that makes scammers the most money by far – and doesn't get much attention.

The scale of business email compromise (BEC) attacks is clear: according to the FBI, the combined total lost to BEC attacks is $43 billion and counting, with attacks reported in at least 177 countries. 


What makes BEC such a rich opportunity for scammers is there's rarely a need to be a highly skilled hacker. All someone really needs is a laptop, an internet connection, a bit of patience – and some nefarious intent.

At the most basic level, all scammers need to do is find out who the boss of a company is and set up a spoofed, fake email address. From here, they send a request to an employee saying they need a financial transaction to be carried out quickly – and quietly.

It's a very basic social-engineering attack, but often, it works. An employee keen to do as their boss demands could be quick to approve the transfer, which could be tens of thousands of dollars or more – particularly if they think they'll be chastised for delaying an important transaction.

In more advanced cases, the attackers will break into the email of a colleague, your boss or a client and use their actual email address to request a transfer. Not only are staff more inclined to believe something that really does come from the account of someone they know, but scammers can also watch inboxes, wait for a real financial transaction to be requested, then send an email from the hacked account that contains their own bank details. 

By the time the victim realises something is wrong, the scammers have made off with the money and are long gone. 

What's most challenging about BEC attacks is that while it's a cyber crime that is based around abusing technology, there's actually very little that technology or software can do to help stop attacks because it's fundamentally a human issue. 

Anti-virus software and a good email spam filter can prevent emails containing malicious links or malware from arriving in your inbox. But if a legitimate account that has been hacked is being used to send requests to victims, that's a problem – because as far as the software is concerned, there's nothing nefarious to detect, and it's just another email from your boss or your colleague. 

And the money isn't stolen by clicking a link or using malware to drain an account – it's transferred by the victim to an account they've been told is legitimate. No wonder it's so hard for people to realise they're making a mistake. 
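Even when the mail itself carries no malware, the two patterns the article describes (a spoofed boss address making an urgent, quiet payment request, and a hijacked account slipping in new bank details) leave signs that can be checked automatically. The following is an added example, not code from the article: the executive directory, domains and three messages are constructed, and the heuristics are a small illustration of what a mail-filtering rule could look at.

```python
from email.utils import parseaddr
import re

# Constructed directory: executives' display names and the only domain they
# legitimately send from. Real deployments would load this from HR/IdP data.
EXECUTIVES = {"jane doe": "example-corp.com"}

URGENCY = re.compile(r"\b(urgent|asap|right away|immediately|quietly|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details|account number|iban)\b", re.I)
NEW_DETAILS = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|iban|payment details)\b", re.I)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: dict) -> list:
    """Return the BEC warning signs found in one message (headers + body)."""
    flags = []
    name, addr = parseaddr(msg["From"])
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = sender_domain(addr)
    # 1. The visible name is an executive's, but the address is outside the company
    #    (the "spoofed, fake email address" case).
    exec_domain = EXECUTIVES.get(name.strip().lower())
    if exec_domain and domain != exec_domain:
        flags.append("display-name impersonation")
    # 2. Replies are steered to a different domain than the one shown in From.
    if reply_addr and sender_domain(reply_addr) != domain:
        flags.append("reply-to mismatch")
    body = msg["body"]
    # 3. Money is asked to move, wrapped in urgency or secrecy language.
    if PAYMENT.search(body) and URGENCY.search(body):
        flags.append("urgent payment request")
    # 4. Payee bank details are being "updated" mid-thread (the hijacked-account case).
    if NEW_DETAILS.search(body):
        flags.append("bank detail change")
    return flags


# Constructed sample messages, simplified to the headers and body the checks use.
SPOOFED = {"From": "Jane Doe <jane.doe@example-corp-pay.com>",
           "body": "I need an urgent wire transfer of $48,000 done quietly before noon."}
HIJACKED = {"From": "Accounts <ap@supplier-example.com>",
            "Reply-To": "ap@supp1ier-example.com",
            "body": "Please note our updated bank details for invoice 1182: IBAN <redacted>."}
NORMAL = {"From": "Jane Doe <jane.doe@example-corp.com>",
          "body": "Can you send me the Q3 slide deck when you have a moment?"}
```

Flags like these are a prompt for a human to pick up the phone, not a verdict: the article's point stands that a genuine account sending a genuine-looking request defeats filters, which is why the out-of-band check and dual approval described below matter more.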


But victim blaming isn't the answer and isn't going to help – if anything, it will make the problem worse. 

What's important in the battle against BEC attacks is ensuring that people understand what these attacks are and having processes in place that can prevent money from being transferred.  

It should be explained that it's very unlikely that your boss will email you out of the blue asking for a very urgent transfer to be made with no questions asked. And if you do have concerns, ask a colleague – or even talk to your boss to ask if the request is legitimate or not. It might seem counterintuitive, but it's better to be safe than sorry. 

Businesses should also have procedures in place around financial transactions, particularly large ones. Should a single employee be able to authorise a business transaction valued at tens of thousands of dollars? Probably not.  

Businesses should ensure multiple people have to approve the process – yes, it might mean transferring finances takes a little longer, but it will help ensure that money isn't being sent to scammers and cyber criminals. That business deal can wait a few more minutes. 

Technology can help to a certain extent, but the reality is these attacks exploit human nature. 


ZDNet's Monday Opener is our opening take on the week in tech, written by members of our editorial team. 

