Editors' pick: Originally published March 26.
When you get an email from your boss marked "urgent," rushing to follow through could be more costly than you think.
Enterprising cyber crooks are refining and ramping up their attempts to dupe employees eager to please the boss through bogus emails.
Incidents of "business email compromise" were up 45% from the third quarter of 2016 to the fourth quarter, according to security outfit Proofpoint (PFPT), which tracked attacks at more than 5,000 enterprise customers between July and December of last year.
Typically, a cyber crook sends an employee a bogus email from the CEO or CFO asking them to wire money to a bogus account for a supplier. Often the message comes from an internet domain that closely, but not exactly, matches the company's real address. To make the email seem realistic, the thieves may forward a faked exchange of messages between the CEO and CFO about the proposed cash transfer.
Fraudsters are testing out new techniques, Proofpoint reports, such as attempting to lure HR departments into disclosing tax information and engineering departments into providing intellectual property.
Attackers also take on the guise of vendors or other third parties and submit fake invoices.
While the U.S. government's indictment of Russian security officers and alleged cyber crooks gained more attention, the Department of Justice and FBI said on March 21 that they had orchestrated the arrest of a Lithuanian resident who had tricked a pair of U.S. tech companies into wiring $100 million to fake business accounts.
One of the businesses was a "multinational technology company" and the other a "multinational online social media company," suggesting that even tech-savvy companies can be fooled into major payments.
Even though the playbook is still evolving, BEC attacks are not exactly new. Last June the FBI warned that, at that time, more than 22,000 victims in the U.S. and abroad had been taken for nearly $3.1 billion altogether. "This case should serve as a wake-up call to all companies -- even the most sophisticated -- that they too can be victims of phishing attacks by cyber criminals," the law enforcement agencies warned.
While sophisticated companies can be tricked, there are a few tip-offs that even the least tech-savvy employees can keep in mind.
The word "payment" appeared in the subject line of 30% of the BEC emails. "Request" and "urgent" tied at 21% of cases, while variants of "FYI" and "where are you?" appeared in 5% and 2%, respectively.
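As an added illustration (not code from the article or from Proofpoint), the following Python heuristic screens one incoming message for the tip-offs described above: a sender domain that closely but not exactly matches the company's own, the subject-line words Proofpoint reported, and a request in the body to wire money. The company domain `example-corp.com` and the sample message are assumed and constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain (not from the article).
COMPANY_DOMAIN = "example-corp.com"
# Subject-line words the article reports as most common in BEC mail.
SUBJECT_KEYWORDS = ("payment", "request", "urgent", "fyi", "where are you")

def levenshtein(a, b):
    """Edit distance; used to catch domains that are near-misses of the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain part of the address in a From: header, lower-cased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def is_lookalike(domain, real=COMPANY_DOMAIN, max_edits=2):
    """True when the domain is not the real one but is within a few edits of it."""
    return domain != real and levenshtein(domain, real) <= max_edits

def bec_indicators(raw_message):
    """Return the list of BEC tip-offs found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    reasons = []
    domain = sender_domain(msg.get("From", ""))
    if is_lookalike(domain):
        reasons.append(f"sender domain {domain} is a near-miss of {COMPANY_DOMAIN}")
    hits = [k for k in SUBJECT_KEYWORDS if k in msg.get("Subject", "").lower()]
    if hits:
        reasons.append("subject contains " + ", ".join(hits))
    if "wire" in msg.get_payload().lower():
        reasons.append("body asks for a wire transfer")
    return reasons

# Constructed sample: a "CEO" request sent from a lookalike domain (l replaced by 1).
BEC_SAMPLE = """From: CEO <ceo@examp1e-corp.com>
To: accounts@example-corp.com
Subject: Urgent payment request

Please wire $48,000 to the new supplier account today.
"""
```

A message that trips the domain check should be routed to a manual verification step (a phone call to the executive on a known number) rather than acted on, regardless of how urgent the subject line sounds.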