There has been a sharp increase in business email compromise (BEC) attacks and most victims work in organizations that were not using multi-factor authentication (MFA) to secure their accounts.
BEC attacks are one of the most lucrative forms of cybercrime: according to the FBI, total combined losses exceed $43 billion, with attacks reported in at least 177 countries.
These attacks are relatively simple for cybercriminals to perform – all they need is access to an email account and a bit of patience as they attempt to trick victims into making money transfers under false pretenses. This usually involves sending messages to employees, allegedly from their boss or a colleague, suggesting that a payment – often a very large one – must be made quickly in order to secure an important business transaction.
More advanced BEC attacks hijack a corporate account and use a legitimate email address to request payment.
Scammers have even been known to monitor inboxes for long periods of time, choosing to strike only when an actual business transaction is about to occur – at which point they step in and direct payment to their own account.
With money to be made this way, cybercriminals are increasingly turning to BEC campaigns and businesses are falling victim. According to cybersecurity analysts Arctic Wolf, the number of BEC attacks they responded to doubled between January-March and April-June – and these attacks accounted for more than a third of all incidents investigated.
There was a common theme among many victims: According to incident responders, 80% of organizations that suffered BEC attacks did not have MFA in place.
Multi-factor authentication provides an additional layer of security for email accounts and cloud application suites by requiring the user to confirm that a login attempt is genuinely theirs, which helps block unauthorized access even if the attacker has the correct username and password.
Organizations that ignore MFA expose themselves to BEC campaigns and other cyberattacks, despite repeated recommendations from cybersecurity agencies that it should be enforced. So why aren’t they using it?
“MFA requires careful planning and coordination for successful implementation, ensuring organizations can continue to operate without disruption. Since users need training on using the MFA system, this can be difficult for some organizations,” Adrian Korn, threat intelligence research manager at Arctic Wolf Labs, told ZDNET.
“Additionally, setting up and testing a new MFA deployment in an organization can place a heavy load on already overstretched IT departments,” he added.
Despite these potential constraints, applying MFA to all user accounts – and configuring it correctly – is one of the most important things companies can do to help protect their employees and network from cyberattacks.
“Organizations should plan their MFA deployments well in advance to account for any technical issues they may encounter. Additionally, organizations should take the time to ensure that MFA configurations are tested before peak hours and that users are well trained in using the new MFA platform of choice,” Korn said.
There are different methods that organizations can use to provide staff with MFA. One of the most common is to use identity and access management software or an authenticator app: each login attempt must be verified, either by approving a push notification sent to a mobile app on the user’s smartphone or by entering a short-lived one-time code generated by that app. Only after the push alert is accepted or the code is entered correctly can the user log in to their account.
Another way to provide users with MFA is to provide them with a hardware key that must be plugged into the device used to log into the account before they can access it.
But while MFA helps prevent cyberattacks, it isn’t foolproof, and determined cybercriminals are finding ways around it.
With BEC attacks using social engineering to trick people into thinking they’re doing the right thing, it’s also important for organizations to train their employees to detect when a request – even if it comes from a legitimate account – might be suspicious.
“Users should be trained to recognize suspicious financial requests. If something goes wrong, users should heed that instinct and investigate further. Urgent financial requests should be validated by additional means before finalizing major transactions,” Korn said.