You receive an email from the CEO asking for several W-2s and urgently spring into action. After all, it’s the CEO, right?
Hold on: This might just cost your company millions of dollars, let alone your job. These days, cybercrime is less about hacking into servers and more about preying upon human behavior. So what happens when cybercriminals target our human resources processes and executive approval chains by impersonating a CEO or CFO?
The answer is business email compromise (BEC), currently one of the fastest growing cybercrime categories. According to the FBI’s Internet Crime Complaint Center (IC3) losses from BEC scams totaled $675 million in 2017, up from $360 million the year prior. This represents a stunning 87% growth in just one year. In July 2018, the FBI also reported that BEC and email account compromise (EAC) attacks accounted for losses of $12.5 billion globally between October 2013 and May 2018. Because of the sensitive data HR oversees, it has become a primary target for this type of attack.
Last year, just one cybercriminal netted $100 million from two large tech firms simply by sending emails posing as a vendor. Databreaches.net also reports more than 200 organizations fell for W-2 email phishing scams in 2017 — and that only accounts for reported thefts. Proofpoint, the cybersecurity company where I lead HR, reported that in the first three months of 2018 email fraud attacks hit more than 90% of organizations.
How Does BEC Work?
BEC attacks are well-crafted emails that often impersonate senior leadership (or a third-party vendor) and trick employees into wiring money or sending sensitive data to a cybercriminal. Unlike spam, these messages are tailored to specific users who are researched through LinkedIn and other social media platforms. Because thieves are putting in this level of reconnaissance, these messages have much higher open rates than spam.
They feature a sender email address that displays an address matching your internal email address (or perhaps one character off). Unlike traditional cyberattacks, BEC emails contain no malicious links or attachments that might normally flag security software, which makes detection more difficult. Below is an example of a W-2 email scam attempt:
Here is an example of a wire fraud attempt:
What We Know About BEC Attacks
In addition to leading a global HR team, I also have the privilege of working for one of the most advanced cybersecurity teams in the world. Because of this, I’ve had a front row seat to this increasingly urgent issue for HR professionals. We've found that an organization's size has no bearing on the volume of BEC attacks: Large companies are attractive targets due to their sizable bank accounts and greater organizational complexity. Smaller companies lack equivalent windfalls, but also have less established security protocols.
As for the messages themselves, in Q1 2018 about 27% displayed fake email addresses purporting to be from the company being targeted. Seventy percent of organizations targeted were hit with this type of fraudulent attack. Because cybercriminals have researched your company’s email structure, BEC emails will look credible at first glance.
Finally, beware of emails that create a sense of urgency. Our research team also found the top three most common subject lines feature the words “Payment,” “Request,” and “Urgent.”
Three Ways To Stop BEC Emails
Fortunately, there are steps every HR department can take right now to diminish the chances of falling victim to a BEC attack.
1. Partner with your IT/cybersecurity department.
Meet with your IT security lead to discuss the issue. Ask if they have seen the threat hit your organization and what your team should do in the event they spot a BEC attack, and establish how to collaborate to defeat any attempts. Ask for quarterly or semi-annual cybersecurity awareness training for your HR department on this and other potential email attacks.
If you don’t have a dedicated security team, contact your IT support to create a partnership.
2. Establish an official policy.
As HR professionals, we need to keep current with these attacks and, more importantly, maintain an open dialogue with leadership. I recommend creating a formal BEC incident response policy.
Draft a document that outlines what authorized team members must do when sending sensitive information (W-2s, contact details, social security numbers, etc.).
• Check email addresses and account numbers to confirm legitimacy.
• Review the email. Are the tone and request consistent with how the company operates?
• Confirm with the executive that he/she did in fact make the request in question.
• Deploy two-factor authentication whenever offered.
• Work with IT to establish an alias to send suspicious emails.
Call a meeting with executives and have your IT security team explain the threat and how you are proactively tackling the issue. Come armed with recent examples, including the $100 million dollar theft and W-2 confidential data loss research. You can also provide the FBI’s 2018 warning detailing billions in global losses.
3. Encourage employees to question executive requests.
Most importantly, use common sense. Is sending W-2s really something this CEO would ask me to do? Does the display name match the email address? Confirm such requests with the executives themselves.
Because of the sensitive data we oversee, HR professionals will continue to be a primary BEC target. I strongly recommend you implement the above tips to ensure your organization, employees and brand stay safe and out of the headlines.
