When people think cybercrime, viruses, ransomware, and stolen passwords are usually top of mind.
Yet today’s hackers are increasingly taking a far less technically sophisticated approach to stealing money from university employees. They simply ask for it.
One such attack that is increasing at an alarming rate is called Business Email Compromise (BEC). Variations on BEC attacks are among the roughly 18 million suspicious emails that WSU cyber security efforts intercept and keep out of university employee inboxes each year. But some still get through.
BEC attackers look up information on the university employee they are targeting to make their requests for money more relevant and realistic to the individual. According to the FBI’s Internet Crime Center, there has been a 65% spike in reported BEC incidents in the United States since 2019, costing billions of dollars in losses. These attacks are stoppable and require a different set of defenses that one might not be familiar with. The attack typically follows a specific pattern:
1. Recon
Attackers will gather public information about an organization and/or individual from websites, social media and other sources.
- What you should do:
Be careful of what information is publicly available. Scammers will “name drop” and use personal information to build leverage.
2. Build trust
The attackers will contact the target and use the gathered information to convince the target of their legitimacy.
- What you should do:
Do not click on anything in an unsolicited email or text message. Be wary of anything asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to verify if a request is legitimate.
3. Set the trap
The attackers ask for account information to be given to them or for payment of goods and services (often with a fake invoice to support their request).
- What you should do:
Create a process to inspect invoices, including verifying that goods or services were both ordered and fulfilled before paying.
4. Steal the funds
After successfully rerouting payments to an account they control, the attackers move the money away from the receiving account to prevent reversal of charges or tracking of the funds.
- What you should do:
Be highly suspicious if the requestor is emphasizing urgency.
The threats that organizations face continue to evolve. Employees who suspect an email could be a BEC attack, should report it immediately to abuse@wsu.edu.
