Humans remain weak link in fight against email scams
Posted On: Mar. 3, 2020 7:05 AM CST
Drilling employees on cyber security is key to preventing fraud, but such programs are still overlooked at many companies, experts say.
FBI data and recent incidents show that companies remain susceptible to phishing scams in which officials are deceived into transferring funds to accounts controlled by criminals or to other incorrect accounts.
While such schemes have been used for years, they are often still successful, and preventative training and awareness programs remain vital, experts say.
There were 467,361 complaints of suspected internet crime in 2019, with reported losses in excess of $3.5 billion, according to the 2019 Internet Crime Report from the FBI released Feb. 11. The total included 23,775 business email compromise complaints.
A February court fight over an insurer’s liability for a fraudulent email scheme illustrates how some of the schemes work.
High-ranking officials at a silicon metal manufacturer were tricked into transferring more than $1 million to fraudulent accounts. The company received an email whose “from” line carried the name of a known employee of a Russian supplier, and the message gave instructions for a new regime for payments. Two payments were made, and the deception was discovered only when the supplier called to say it had not received them.
Email scams are happening “with increasing regularity,” said Edward Chang, second vice president, cyber risk management, bond & specialty insurance at Travelers Cos. Inc. in New York, who is responsible for helping Travelers policyholders manage cyber risks.
“Cyber security training is definitely one of the important steps companies should be taking to prevent this type of thing,” Mr. Chang said.
Training is an important element of cyber resiliency, said Stephen Boyer, co-founder and chief technology officer of Boston-based cyber security firm BitSight.
“You absolutely must be training the humans and make them aware,” he said.
Drilling and testing employees on cyber security can help strengthen companies’ defenses, said Thomas Fuhrman, managing director, cybersecurity consulting and advisory services, for Marsh LLC.
“Even in this day and age, people need to be made aware of this as a risk,” Mr. Fuhrman said. “Training, so they know what to do about it, and drilling,” such as simulated phishing exercises for employees, which can be monitored for key data points such as the “click rate,” the share of employees who fall for the exercise.
Such exercises can also be used to gain feedback into which departments or individual employees need extra training, he said.
“You have to capture their attention if the message is to have depth and weight, and you have to inform them,” said CJ Dietzman, managing director at Aon PLC’s cyber solutions group in Charlotte, North Carolina.
Attention should also be paid to those departments often targeted by such attacks.
“Raising awareness among the finance department, the accounts payable department, with those employees to whom this type of thing is occurring, can help them to recognize when an email is fraudulent,” said Mr. Chang of Travelers.
In addition, cyber security messaging can be embedded in regular corporate routines such as new employee orientation and at regular meetings of executives such as regional sales conferences, sources said.
“There will always be a limit, however, to the humans’ ability to stop some of these very sophisticated attacks,” Mr. Boyer said, necessitating the use of additional controls.
One example of a specific control that can be put in place is “out of band verification,” such as “making that extra phone call when you receive instructions to change” the bank for a payment, Mr. Chang said.
“Making that phone call, double checking with your supervisor that the payment should be made, are controls a company can put in place,” he said.