Why are ASX-200 firms still vulnerable to email fraud?
According to Proofpoint’s 2022 State of the Phish Report, 78% of ASX 200 (Australian Stock Exchange top 200) companies are vulnerable to Business Email Compromise (BEC), leaving customers, partners and employees at risk of cyberattack. The report said that these companies have not implemented the recommended level of Domain-based Message Authentication, Reporting and Conformance (DMARC) protection, which prevents cybercriminals from spoofing organisations’ identities and reduces the risk of BEC.
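An added example (not from the report or the original article) of how a DMARC TXT record is parsed and graded, so a defender can check where a domain sits against the "recommended level" the report refers to. It assumes that level is `p=reject` applied to subdomains at 100% coverage, and the sample records are constructed, not real ASX 200 domains.

```python
import json

# Assumption of this example: the recommended level is p=reject, covering
# subdomains (sp) and all mail (pct=100); the article does not define it.
RECOMMENDED_POLICY = "reject"

def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=...; ...") into tag -> value.
    Tag names are case-insensitive; unknown tags are kept for inspection."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Classify a domain's DMARC posture from its TXT record (None = no record).
    Returns 'missing', 'invalid', 'monitor_only', 'partial' or 'recommended'."""
    if txt is None:
        return "missing"                    # nothing tells receivers to block spoofing
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid"                    # receivers ignore malformed records
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p when absent
    if policy == "none":
        return "monitor_only"               # reports arrive, spoofed mail is still delivered
    if policy == RECOMMENDED_POLICY and sub_policy == RECOMMENDED_POLICY and pct == 100:
        return "recommended"
    return "partial"                        # quarantine, weaker sp, or pct < 100

# Constructed sample records (not real domains) covering each outcome.
SAMPLES = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "half.example": "v=DMARC1; p=quarantine; pct=50",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
}

def assess_all(samples=SAMPLES):
    """Grade every sample; in practice the TXT value comes from _dmarc.<domain>."""
    return {domain: assess(record) for domain, record in samples.items()}

if __name__ == "__main__":
    print(json.dumps(assess_all(), indent=2))
```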
Another recent research study from KnowBe4 found that Asia Pacific IT decision-makers are complacent about the risks phishing and BEC pose to their businesses. Only 45% said they are concerned about phishing as a risk to their organisations, and even fewer (34%) are concerned about BEC.
Phishing via email continues to be the number one threat vector for cybercriminals, and as some of the most recognisable brands in Australia, ASX 200 companies have been obvious targets for BEC attacks in recent years.
What is Business Email Compromise (BEC)?
BEC is a form of targeted phishing via email in which cybercriminals target companies and try to scam them out of money or goods. They also target employees directly and try to trick them into revealing important business information. The perpetrators use email to pose as business representatives, or use the compromised email accounts of employees to pose as the organisation itself.
Another technique used by cybercriminals is to impersonate the CEO of a company and request that an employee transfer funds to them for a variety of reasons, such as to purchase gift cards as a surprise for other staff.
In a recent development, internet criminals have been hijacking YouTube accounts and uploading "deepfake" videos of company leaders such as Elon Musk to promote bogus cryptocurrency giveaways. According to this report by the BBC, YouTube has been accused of not doing enough to tackle these types of scams.
In 2021, a report by the Australian Cyber Security Centre (ACSC) said BEC was a growing concern for Australian firms, with the average loss per BEC attack reaching $50,600. BEC losses are now 150% higher than in 2020, and the ACSC recommends that this be addressed urgently by all ASX 200 companies, as well as smaller businesses.
Why is email security so important?
If a cybercriminal gains unauthorised access to a business's email system, or impersonates it, they can intercept sensitive business information, and the business may suffer identity theft and data loss. With access to email accounts, a cybercriminal can use those accounts to launch ransomware attacks, commit fraud or blackmail, and access online banking and social media accounts.
Email account hacking and impersonation are standard delivery methods for cybercriminals: they send fake invoices or malicious attachments containing malware and ransomware, or they send emails impersonating the head of the organisation to commit what is called CEO fraud.
What is the solution to prevent Business Email Compromise?
The clear solution is to prevent identity compromise, and the best way to do that is by implementing phishing-resistant "modern authentication" built on the Fast Identity Online version two (FIDO2) authentication protocol. FIDO2 requires the user's physical presence and proof of possession of the authenticator to log into company email accounts, which significantly reduces an attacker's ability to intercept or spoof those accounts.
Implementing any level of Multi-Factor Authentication (MFA) is better than none, but not all MFA is created equal. Using modern, phishing-resistant authentication like a hardware security key with the FIDO2 protocol is the recommended approach. Security keys do not require a network connection, don't need battery power, and don't store data, making them an ideal option for strong phishing-resistant authentication. Hardware security keys also provide a better user experience than the legacy mobile device-based authentication methods because users can simply log in with a single touch or tap on the security key.
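An added example (not from the original article or any vendor's code) of why a FIDO2/WebAuthn login is phishing-resistant: the browser, not the web page, writes the origin into the signed client data, the authenticator scopes the credential to the relying-party ID, and it records that the key was physically touched. The server-side checks below are shown on constructed data; the relying-party ID `example.com`, the origin `https://mail.example.com` and the lookalike origin are assumptions, and the signature check that follows these steps in a real deployment is not included.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                          # assumed relying-party ID
EXPECTED_ORIGIN = "https://mail.example.com"   # assumed login origin
UP_FLAG = 0x01                                 # "user present": key was physically touched

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin, challenge):
    """clientDataJSON as the browser builds it. The browser fills in 'origin',
    so a page served from a lookalike domain cannot claim the real one."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id, flags):
    """authenticatorData: SHA-256(rpId) || flags byte || 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00\x00\x00\x01"

def verify_assertion(client_data, auth_data, challenge):
    """Relying-party checks that give FIDO2 its phishing resistance.
    Returns 'ok' or the name of the first failed check. A real server then
    verifies the credential's signature over auth_data || SHA-256(client_data),
    which is why none of these fields can be altered after signing."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge"        # stale or replayed response
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin"           # login attempted from a site that is not ours
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rp_id"            # credential scoped to a different relying party
    if not auth_data[32] & UP_FLAG:
        return "user_presence"    # no physical touch recorded
    return "ok"

if __name__ == "__main__":
    challenge = b"constructed-random-challenge-32B"   # server-issued nonce (constructed)
    genuine = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                               make_auth_data(RP_ID, UP_FLAG), challenge)
    lookalike = verify_assertion(make_client_data("https://mail.example-login.net", challenge),
                                 make_auth_data(RP_ID, UP_FLAG), challenge)
    print(genuine, lookalike)   # prints: ok origin
```

The same credential presented from the lookalike origin fails before any signature is examined, which is the property a one-time code typed into a fake login page does not have.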
The increase in BEC attacks highlights the fundamental shift required in the approach to email security, and why all companies should implement modern phishing-resistant MFA as a priority in 2022. In addition, since most BEC attacks could be prevented with better employee awareness of the risks of clicking on links in emails, it is important to remind all organisations that technology is no substitute for regular user training.
The recommended approach to BEC
As the number of successful BEC attacks continues to rise in Australia, equipping employees with the knowledge and tools necessary to protect themselves and critical organisational information remains paramount and must be a high priority.
All ASX 200 organisations rely heavily on email to carry out business with suppliers and vendors, employees, customers and partners, so the risk of Business Email Compromise (BEC) and the consequent brand damage is high. However, these high-profile organisations are underperforming when it comes to adopting the people-centric cybersecurity solutions necessary to prevent adverse outcomes and reduce the risk of employee-activated attacks.
It is high time all private businesses took steps to reduce their risk of BEC. Secure, hardware-based, phishing-resistant authentication will protect businesses and their employees from phishing attacks designed to cost them dearly. This is a real opportunity for all ASX 200 companies to take a leadership position, proactively tighten their authentication processes, and demonstrate to the smaller businesses they deal with that this is a serious issue.