Online Threats Businesses Should Be Aware Of
Internet crimes are on the rise, as are the corresponding financial losses organizations and individuals are suffering as a result. Illegal activities perpetrated via computers, telephones, networks and the Internet commonly exploit victims using a range of techniques, including winning confidence under false pretenses, disrupting operations, corrupting systems and data, accessing sensitive information and otherwise damaging security, privacy and financial health. Worryingly, these crimes are ever-increasing in complexity, dexterity, severity and scope.
The Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3)(https://www.ic3.gov) now receives more than 2,000 Internet crime complaints per day. The FBI division estimates victims lost more than $4 billion in 2020 alone due to such activity.
With such numbers in mind, it pays to familiarize oneself and better educate users and organizations with the common forms such attacks take, as well as the best methods for combatting those dangers. Here’s more information on each of the most common forms of Internet crime.
Business Email Compromise / Email Account Compromise
Business Email Compromise (BEC) is a technique whereby malicious actors use fraudulent email messages to trick a business user or employee into revealing sensitive financial information or even transferring funds via a transaction the victim believes to be necessary and legitimate. This advanced form of Internet crime relies upon social engineering or computer intrusion techniques to succeed and often proves effective and lucrative for the malicious actors.
The same technique can also target individuals. In such cases, the exploit is referred to as Email Account Compromise (EAC).
In 2021, the FBI’s IC3 office received 19,954 BEC and EAC complaints. The financial losses arising from those incidents are estimated at approximately $2.4 billion.
Multiple protections are available to help prevent email compromise efforts from succeeding. Continual user education (also known as security awareness training) is one effective method. Educating users and helping them better identify fraudulent messages and social engineering efforts goes a long way in preventing BEC- and EAC-related crimes.
Another method is advanced threat protection (ATP) technologies that assist in preventing⏤thanks to the employment of contemporary artificial intelligence and machine learning technologies that better assist spotting and arresting malicious actions than traditional solutions⏤the delivery of malicious messages and dangerous attachments to end users’ inboxes and corresponding network proliferation. ATP-powered email filtering technologies also help safeguard email inboxes, while advanced firewall services that detect and prevent malicious intrusions provide an additional layer of protection.
Confidence Fraud and Romance Scams
Two common forms of Internet crimes that typically target individuals, versus businesses, are confidence frauds and romance scams. In such attacks, criminals adopt fraudulent online identities and work to gain a victim’s trust or affection. After establishing a relationship, endearing themselves and gaining trust, criminals then request money under the premise the funds are needed for an emergency, legal reasons, or a similar purpose. Sometimes marriage proposals accompany these scams. Often impersonating family or friends and requiring funds be sent overseas or via cryptocurrency, these criminals often surface a sense of urgency in attempts to rush the victim into making a bad decision.
The FBI’s IC3 division reported 24,299 victims reporting confidence fraud and romance scams in 2021. Total corresponding financial losses reached $956 million.
An effective defense against confidence frauds and romance scams is requesting assistance from family and friends directly, instead of relying upon an intermediary or trusting online communications. Further, individuals should always be suspicious when implausible emergencies are reported and assistance requests include funds being directed overseas or via cryptocurrencies.
Another method for avoiding such crimes is conducting additional research. Searching related questions using a reputable search engine, such as Bing or Google, often immediately surfaces warnings.
Checking the IC3 Consumer Alerts and FBI Scams and Safety websites is another step that can help potential victims determine whether they are the target of a scam. Such searches also pay dividends by presenting more and actionable information as to how to protect oneself and avoid becoming a victim within the applicable situation.
Elder Fraud
Senior citizens already battle challenges learning and familiarizing themselves with new technologies, as members of this class typically don’t benefit from a lifetime of experience working with computers, applications, email and the Internet. Unfortunately, as such, those over 60 are particularly vulnerable to financial frauds perpetrated via the Internet, especially considering the group serves as an attractive target due to its having accumulated greater wealth than younger, more technologically savvy targets.
Senior populations often form a significant percentage of victims falling prey to tech support fraud (23,903 complaints totaling $347 million in 2021, according to the IEC). The elderly also fall victim to confidence schemes (24,299 victims for which $956 million in losses were reported in 2021), so much so that these crimes are often called grandparent scams.
The best methods of protecting against elder fraud are user training and education, backed by locally installed advanced endpoint security protections. Employing advanced threat protection software that helps guard against social engineering efforts, phishing attacks and similar cyber threats helps protect this vulnerable population from criminal Internet-related exploitation.
Phishing
Phishing is a common but effective form of social engineering. In phishing attacks, a malicious actor sends a fraudulent email message to an intended victim with the goal of tricking the target into sharing sensitive information or inadvertently installing malicious software on behalf of the bad actor.
Due to their similarity, the FBI’s IC3 office collects phishing, vishing and smishing crime statistics within the same category. In 2021, IC3 reported receiving 323,972 such complaints, with corresponding financial losses reaching $44.2 million. Because many such events go unreported, however, those numbers are assuredly much higher.
Several defenses help protect against phishing efforts. Firms should begin by educating and continually reminding users to be wary of messages, emails and telephone calls requesting electronic payments. Proper workflows with multiple checks and balances help eliminate such threats, but users must be taught and reminded to resist working outside those standard procedures, even when a supposed senior employee is requesting emergency payments.
Firms should also remind users to never click on email attachments they weren’t expecting or that appear suspicious. Further, deploying advanced threat protection endpoint software, using advanced email filtering software and employing sophisticated firewall security services are additional fundamental protections that should be in place to help prevent such threats from entering or propagating within an organization.
Ransomware
A particularly insidious form of malware in which a victim’s computer, data, network files and backups can become encrypted and rendered unusable, ransomware works by spreading throughout an organization encrypting files and, subsequently, disrupting operations until the corrupted systems are decrypted or repaired. Because ransomware attacks leverage highly sophisticated encryption, it’s often impossible to repair corrupted files, a fact the criminals responsible for the attack leverage when demanding a ransom payment (often using untraceable cryptocurrency).
Even when paying the ransom, estimated to average $6 million in the US, there’s no guarantee the organization’s data and operations will recover. Hackers don’t always provide the required decryption key organizations hoped to receive by making the corresponding ransom payment, and sometimes files fail to decrypt properly, leaving stricken organizations dead in the water. Subsequently, as a matter of policy, the FBI recommends against making these ransom payments.
Whereas businesses often battle ransomware infections privately and on occasion rely upon cyber insurance policies to independently recover operations, some individuals and organizations report ransomware infections to IC3. In 2021, the office received 3,729 such complaints, for which adjusted financial losses totaled $49.2 million. Other reputable estimates, however, place the financial cost of ransomware attacks in 2021 as high as $6 trillion.
Multi-layered defenses are required to properly guard against spyware infections. Skipping just one of the recommended elements leaves an organization vulnerable.
Permissions throughout the organization should be locked down according to least-privilege principles. Firms should require multifactor authentication be enabled for all supported applications and platforms, as the move further assists in locking networks down and defending against ransomware infections.
Centrally managed endpoint protection software⏤preferably a solution leveraging advanced threat protection capabilities⏤should be loaded and monitored on all devices, while firewall security services should be in place, continually updated and monitored for proper operation. And all unnecessary firewall ports should be closed and those left open should be locked down to specific originating IP addresses, when possible, and be closely monitored.
Continual user education and training is another important element. Such security awareness training demonstrably assists in reducing ransomware infections.
Operating systems, software applications and network firmware should continually be updated, too. Criminal malware continually checks networks and systems for unpatched vulnerabilities, so closing known holes reduces active threat surfaces, thereby making it harder for ransomware attacks to gain a foothold and proceed.
Understanding ransomware perpetrators are increasingly refining their efforts, including by adopting artificial intelligence and machine learning technologies within their own nefarious tools, organizations should also implement a business continuity and disaster planning (BCDR) backup solution capable of recovering corrupted files and restoring proper operation, even automatically. Should an organization require, such recovery capabilities can prove critical.
Smishing
A form of social engineering in which a malicious actor sends a fraudulent text message to an intended victim, the goal of a smishing attack is tricking the target into sharing sensitive information or inadvertently installing malicious software on behalf of the bad actor.
Due to their similarity, IC3 collects phishing, vishing and smishing crimes within the same category. In 2021, the office reported receiving 323,972 complaints, with corresponding financial losses reaching $44.2 million. Those numbers, of course, include only the totals for the actual cases that were reported.
The best protections against smishing are similar to phishing’s. Investing in continual user training and education, implementing and enforcing standard processes and employing advanced threat protection endpoint software (particularly those adept at securing mobile devices) are all leading defenses against smishing attacks.
Social Engineering
Social engineering crimes are fraudulent behaviors that rely upon people’s goodwill nature. Malicious actors employ these techniques in attempts to manipulate and trick a victim into performing actions or revealing information that assists the criminal in compromising or exploiting the victim’s computer, account, network or systems.
Social engineering practices and techniques are used in a number of Internet crimes, from planting ransomware to assisting vishing efforts to supporting business email compromise attempts. To better understand the scale at which social engineering impacts complaints and financial losses, organizations must consider the hundreds of thousands of related incidents and billions of dollars lost due to attacks that succeed because of social engineering efforts. Social engineering weaknesses are, subsequently, among the greatest threats individual users, small and medium-sized businesses and enterprise organizations battle today, whether they realize the fact or not.
Continual security awareness training is among the best options for protecting against social engineering attacks. Advanced threat protection technologies⏤including advanced endpoint platforms that use artificial intelligence and machine learning technologies to assist spotting and arresting social engineering attacks⏤are another useful component protecting organizations properly against such threats, as are email filtering solutions and advanced firewall security services.
Spear Phishing
Spear phishing is an especially targeted form of social engineering. In such attacks, a malicious actor sends a fraudulent email message with the goal of tricking the victim into sharing sensitive information or inadvertently installing malicious software on behalf of the bad actor by making the victim believe the information being shared or instructions being provided is from a known, trusted contact.
Due to their similarity, IC3 collects phishing, vishing and smishing crimes within the same category. In 2021, the office reported receiving 323,972 complaints, with corresponding financial losses reaching $44.2 million. Because many organizations don’t report such incidents and sometimes work independently to arrest any resulting issues and perform whatever recovery work proves necessary, the number of such incidents, and the corresponding dollar losses, are certainly much higher.
Just as with phishing and smishing, multiple protections working together provide an effective spear phishing defense. Organizations should educate users, implement and enforce effective operations workflows and employ advanced threat protection endpoint software and firewall services, not to mention advanced firewall filtering solutions.
Tech Support Fraud
Tech support fraud occurs when criminals pose as remote technical support representatives seeking to assist the victim with resolving a variety of supposed problems. Such attacks purport to address late utility payments, a computer virus, bank account issues, email errors or similar problems. Victims, who often skew older, are usually directed to make corresponding fraudulent payments by purchasing prepaid credit cards or wiring funds to the fake representative. Occasionally cryptocurrency payments are requested.
In 2021, IC3 reported receiving 23,903 such complaints. Corresponding financial losses totaled $347 million, a 137-percent increase from just one year before.
Effective defenses include not responding to reports of suspicious problems or trouble, such as with electric utility companies, when payments are known to have completed properly. When unsure or working to determine whether a provider is indeed who they say they are, never provide sensitive information (including account numbers or passwords) over the phone, via text or instant message or online. Instead, contact the provider using the information provided on an official bill or statement or on the provider’s website. But even then care must be taken to ensure the potential victim isn’t viewing an imposter or compromised site. Whenever in doubt, soliciting the assistance of a trusted third party (such as a family member, neighbor, friend or coworker) can help.
Vishing
When a vishing attack occurs, a criminal doubles up on social engineering efforts by adding a telephone call to assist tricking the victim into sharing sensitive information or inadvertently installing malicious software on behalf of the bad actor. By combining Internet or organization research, potentially an email or instant message and a phone call or voice mail message, malicious actors try convincing the intended victim the information or an action being requested, or instructions being provided, are actually coming from a known and authorized trusted contact.
IC3 collects phishing, vishing and smishing crimes within the same category, since these forms of attacks are so similar to one another. In 2021, the office reported receiving 323,972 complaints, with corresponding financial losses reaching $44.2 million. But unreported losses certainly drive the real total much higher.
Just as with phishing and spear phishing threats, multiple defenses better position an organization to defend against such vulnerabilities. Organizations should educate users, implement and enforce effective operations workflows and employ advanced threat protection endpoint software and firewall services. Official corporate policies educating and enforcing social behaviors and workflows are yet another element that can assist reducing the threat vishing efforts pose.
Need more information?
Both the FBI and its IC3 division maintain a wealth of Internet crime-related information. Two additional cybersecurity resources are the United States Department of Homeland Security and the Cybersecurity & Infrastructure Security Agency (CISA).
These organizations continually publish updated news, information and guidance to assist protecting individuals and businesses from cyber attacks, fraudulent behavior and other forms of Internet crime.
Still have questions? Contact Louisville Geek at 502-897-7577 or email [email protected].