Avoid Being Hooked by a Phishing Attack

By now, most of us know that a phishing attempt can come in the form of an email, text, direct social media message or even a phone call. But according to the FBI, business email compromise (BEC), also known as email account compromise, is one of the most financially damaging cybercrimes.

Because email is a primary way of conducting both personal and professional business, it’s important to be diligent about phishing threats when using any email account. The good news is there are ways to block the bait and protect yourself, your financial institution, and your accountholders.

Business Email Compromise Scams

BEC phishing emails are created to look like they’re coming from a legitimate organization, trustworthy coworker or acquaintance to trick someone into sharing sensitive personal and financial information that can be used to gain access to personal financial accounts or an organization’s network.

In addition, cybercriminals sometimes gather personal information found on social media and websites to create realistic messages with persuasive subject lines, enticing victims to open the email. Examples of subject lines to look out for include those that contain an alert, an action or a request for information, according to the Cybersecurity & Infrastructure Security Agency.

Before opening a questionable email, keep in mind cybercriminals might use one or a combination of the following methods to carry out a BEC scam:

Spearphishing

A spearphishing attack is an advanced form of phishing that targets a specific person or group within an organization. Spearphishing is effective because the attacker first researches the intended target and then uses that information to breach a network or to commit financial fraud.

It usually involves email spoofing to appear as if the email was sent from a trusted sender, and then encourages the victim to click a link or respond to an email. Spearphishing is often the top method cybercriminals use to conduct a BEC attack.

Fake Email or Website Spoof

Both fake emails and website spoofs are used to trick victims into sharing personal or sensitive information.

To spot a potential email spoof, look for slight variations in legitimate addresses. For example, an extra letter added to a coworker’s name is easy to miss. This is a common BEC tactic used to trick victims into not thinking twice before sharing confidential information. Website spoofing is similar: scammers create a fraudulent website that mimics a trusted company and use it to steal information.
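The "slight variation" check described above, as an added example that is not part of the original post: a small Python allowlist check that flags a From: header whose address is a near-miss of a trusted contact (one extra or changed character in the name or the domain), or whose display name belongs to a trusted contact while the address behind it does not. The trusted-contact list and all addresses are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample data for this example: a trusted-contact allowlist
# mapping the expected sender address to the display name it normally uses.
TRUSTED_CONTACTS = {
    "jane.doe@examplebank.com": "jane doe",
    "ap.team@examplebank.com": "accounts payable",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, trusted=TRUSTED_CONTACTS, max_edits: int = 2) -> str:
    """Classify a From: header as 'trusted', 'lookalike',
    'display-name-mismatch' or 'unknown'.

    'lookalike': address is within max_edits single-character edits of a
    trusted address but is not an exact match (e.g. jane.dooe@, examp1ebank).
    'display-name-mismatch': display name is a trusted contact's, address is not.
    """
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    if addr in trusted:
        return "trusted"
    a_local, _, a_domain = addr.partition("@")
    for known, known_name in trusted.items():
        k_local, _, k_domain = known.partition("@")
        # Local part and domain are compared separately so that a single
        # changed character in either one is noticed.
        edits = levenshtein(a_local, k_local) + levenshtein(a_domain, k_domain)
        if edits <= max_edits:
            return "lookalike"
        if name and name == known_name:
            return "display-name-mismatch"
    return "unknown"

if __name__ == "__main__":
    for hdr in ["Jane Doe <jane.doe@examplebank.com>",
                "Jane Doe <jane.dooe@examplebank.com>",
                "Jane Doe <jane.doe@gmail.example>",
                "Vendor <billing@vendor.example>"]:
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
```

In practice the allowlist would be built from the organization's directory, and a "lookalike" or "display-name-mismatch" result is a signal to verify the request out of band before acting on it.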

Malware

Malware is often spread by opening an email attachment or clicking on a link within an email. Once the malware infects a computer, criminals can steal a victim’s data, including passwords and financial account information.

Malicious software can also infiltrate company networks, allowing cybercriminals access to legitimate email accounts, passwords and more.

Awareness is Key

Protect yourself, your financial institution and your accountholders by being aware of how to spot a potential BEC phishing attack and similar social engineering scams. Please read our blog on social engineering to learn more. And for additional cybersecurity and fraud content, subscribe to our blog.

Resources:

Federal Bureau of Investigation

Cybersecurity & Infrastructure Security Agency