PwC warns against rising BEC as ransomware menace hits 2370%
BEC, the firm explained, aims to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher.
A phisher is someone who tries to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organisation, usually a financial institution, but contains a link to a fake website that replicates the real one.
Speaking at a Cybersecurity Breakfast Meeting in Lagos, with the theme: ‘Cybersecurity and Resilience in the Energy and Utilities Sector’, Partner, Digital Risk & Cybersecurity at PwC, Wunmi Adetokunbo-Ajayi, noted that BEC menace was fast rising and required urgent attention.
Adetokunbo-Ajayi, who disclosed that BEC was a form of email spoofing, noted that globally the menace would cost businesses $9 billion in losses by the end of the year, adding: “It moved from $5.3 billion in 2017 to $9 billion by end of this year.
We might not know the extent of the damage until the FBI releases its reports on it.”
According to her, the damage is growing and requires urgent attention to curb it. She stressed that it is a form of ransomware; ransomware is getting the attention, but not all the money.
According to her, ransomware saw a 2,370 per cent growth rate in the last two years, with people and organisations losing $5.3 billion since 2013, and 40,000 incidents reported between October 2013 and December 2016.
Revealing how BEC works, the PwC Partner, Digital Risk & Cybersecurity, listed four stages: reconnaissance/infection, inspection, transaction hijack, and money transfer.
Adetokunbo-Ajayi explained that in the reconnaissance stage, the victim is infected with malware sent in a phishing email; where the malware can capture keystrokes, it steals credentials, which gives the attacker access to the victim’s email account.
In the inspection stage, she said, the attacker studies the victim’s activities and looks for any emails about business transactions. In the transaction hijack stage, once the attacker has selected a suitable transaction, they enter the email conversation as a “man in the middle”, playing the role of the seller or, in some cases, the buyer.
In the money transfer stage, she said, the buyer wires money to a bank account that the attacker controls.
Though she said there might not be figures for Nigeria, there are cases that can be cited. Examples she listed include two Nigerians arrested in London over a $1 million scam and 29 people arrested in the country, among others.
On what companies should do against BEC, Adetokunbo-Ajayi said they should establish enhanced fraud detection and analytics; enforce payment controls; train employees to scrutinise emails; implement new authentication techniques; and deploy threat intelligence.
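As an added illustration of the “fraud detection and analytics” and “scrutinise emails” controls recommended above (example code written for this page, not PwC’s or the speaker’s), the Python script below checks a constructed invoice email for three signs of the hijack and money-transfer stages described: a look-alike sender domain, a redirected Reply-To, and a request to change payment details. The vendor allow-list, phrase list and sample messages are assumptions made for the example.

```python
import email
from email import policy
# Constructed vendor allow-list (an assumption for this example): domains expected on invoice threads.
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.example"}
# Phrases that typically accompany a payment-detail switch in a hijacked thread.
PAYMENT_CHANGE_PHRASES = ("new bank account", "updated bank details", "new account number")

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. 'l' swapped for '1')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_bec_risk(raw_message: str) -> list[str]:
    """Return finding codes for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender_domain = msg["From"].addresses[0].domain.lower()
    # Transaction hijack: the attacker joins the thread as the "seller" from a domain that
    # resembles the real vendor's but is not on the allow-list.
    if sender_domain not in TRUSTED_VENDOR_DOMAINS and any(
            0 < _edit_distance(sender_domain, d) <= 2 for d in TRUSTED_VENDOR_DOMAINS):
        findings.append("lookalike-sender-domain")
    # Replies silently redirected to a mailbox the sender's domain does not own.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender_domain:
        findings.append("reply-to-domain-mismatch")
    # Money transfer: the hijacked thread asks the buyer to wire funds to a different account.
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    if any(phrase in body for phrase in PAYMENT_CHANGE_PHRASES):
        findings.append("payment-instruction-change")
    return findings

# Constructed sample messages, not real traffic.
HIJACKED = """From: "ACME Supplies Accounts" <accounts@acme-supp1ies.example>
Reply-To: acme.accounts@webmail.example
To: payables@buyer-corp.example
Subject: Re: Invoice 4471 - updated bank details

Please note our new bank account for invoice 4471 before wiring payment.
"""
LEGITIMATE = """From: "ACME Supplies Accounts" <accounts@acme-supplies.example>
To: payables@buyer-corp.example
Subject: Re: Invoice 4471

Invoice 4471 attached; payment terms unchanged.
"""
```

Any finding is a prompt for the payment-control step the speaker lists: confirm changed bank details with the vendor over a known phone number rather than by replying to the thread.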
Earlier at the meeting, Lead, PwC Africa Cybersecurity and Privacy, Kris Budnik, speaking on ‘Building Cyber-resilient Organisations’, listed 10 cybersecurity vulnerabilities in the Oil & Gas Industry, which include a lack of cybersecurity awareness and training among employees; remote work during operations and maintenance; use of standard IT products with known vulnerabilities in the production environment; a limited cybersecurity culture among vendors, suppliers and contractors; and insufficient separation of data networks.