What do you think of when you think of a cybercriminal? Traditionally, it may have been a single hacker from parts unknown, operating in a poorly lit space, working endlessly at a computer to defraud businesses across the world.
If that mental picture was ever accurate, it isn’t today. In 2019, 82% of businesses reported being targeted by Business Email Compromise (BEC) per Strategic Treasurer’s Treasury Fraud & Controls Report. Of those, 14% experienced a loss, with many others hit with ransomware attacks by cybercriminals who are operating like modern, full-fledged businesses. As fraudsters grow in sophistication, and as cybercrime-as-a-service becomes a big, shadowy counterpart to software-as-a-service for criminals, your organization can expect to be targeted by attacks that are increasingly difficult to defend against.
A major part of the problem is how quickly malware and ransomware now evolve. Often, the cybercriminals hitting your organization did not develop the software they’re using, but tweaked it to increase the potential for damage. The level of automation and customization afforded by those solutions lets cybercriminals focus on digital fraud at scale and across borders, with an increasing number of international criminal entrepreneurs targeting U.S. businesses of all sizes.
Pair this savvy with their preference for cryptocurrency, which is not tied to a U.S. financial institution and the controls and security that implies, and it’s relatively easy for a fraudster to get in and get out with a substantial sum of money. That’s especially true in cases of ransomware, where the tools necessary to defraud businesses can be purchased inexpensively and the average paid ransom has skyrocketed to over $84,000, according to Strategic Treasurer’s Report. Given that fraudsters can delete or even expose sensitive files once they have access to your system if your business does not pay the ransom, the average cost doesn’t begin to tell the story.
Increased automation of attacks and fast-changing strategies are now the norm, whether fraudsters are building phishing attempts around situations going on in the world or using new zero-day cyberattacks. How can businesses like yours effectively counter cybercrime-as-a-service as it grows and mutates? There are some common-sense measures that can make a major difference:
- Ensure all outside emails are flagged. Fraudsters have gotten very good at masking emails by copying an address exactly, save for a capital I instead of a lowercase L or a g instead of a q, making it difficult for busy employees to spot the difference. Flagging every outside email as such in your organization’s email system can be an easy-to-roll-out bulwark against fraudsters impersonating internal employees.
- Don’t neglect the human element. You can take concrete steps to reduce your fraud exposure and still have an unsuspecting employee make an honest mistake that costs your business millions of dollars. Training, whether delivered at scale with online classes or through webinars and conferences, is a great way to ensure that employees make the right decisions when they receive a suspicious message or call. It also keeps the workday interesting and promotes a strong security culture across teams. Employees should always feel empowered to make a follow-up call to the person asking them for account details or wired payments to verify legitimacy, and they should never be afraid to report suspicious behavior to the larger organization.
- Find the right fraud-prevention partner. There is no single “silver bullet” provider out there to secure your email, block viruses and malware, protect your payments, and maintain your reputation. There are providers that specialize in each of these areas, and together they can create the blend you need to fit your business model. The one thing you can control is security patching and ensuring everything in your organization is consistently updated to protect against rapidly changing malware attacks.
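As an added illustration of the first measure (not code from the original article), the sketch below tags mail from outside the organization and separately marks sender domains that match an internal domain once the confusable characters named above are folded together. The domain `example.com`, the tag wording and the function names are assumptions, and the check reads only the From header, which a real mail gateway would combine with its own sender authentication results.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own mail domain (placeholder value).
INTERNAL_DOMAINS = {"example.com"}
# Confusable pairs the article names: capital I for lowercase l, q for g.
# DNS is case-insensitive, so a capital I may also arrive as lowercase i.
FOLD = str.maketrans({"I": "l", "i": "l", "q": "g"})


def skeleton(domain):
    """Fold confusable characters so lookalike domains compare equal."""
    return domain.translate(FOLD).lower()


INTERNAL_SKELETONS = {skeleton(d) for d in INTERNAL_DOMAINS}


def classify_sender(from_header):
    """Return 'internal', 'lookalike' or 'external' for a From header."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    if domain.lower() in INTERNAL_DOMAINS:
        return "internal"
    if skeleton(domain) in INTERNAL_SKELETONS:
        return "lookalike"
    return "external"


def flag_message(raw):
    """Prefix the Subject of any non-internal message with a warning tag."""
    msg = message_from_string(raw)
    verdict = classify_sender(msg.get("From", ""))
    if verdict != "internal":
        tag = "[EXTERNAL]" if verdict == "external" else "[EXTERNAL - LOOKALIKE DOMAIN]"
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}"
    return verdict, msg["Subject"]


# Constructed sample message: the sender domain uses a capital I for the l.
SAMPLE = "From: CFO <cfo@exampIe.com>\nSubject: Wire request\n\nPlease pay today.\n"

if __name__ == "__main__":
    print(flag_message(SAMPLE))
```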
Ultimately, you need a partner that is constantly learning more about the bad guys, devising new ways to keep them out of your critical infrastructure, and using the threat intelligence and attack vectors it sees in one member of its client base to proactively protect everyone else it services. None of this is a part-time job, and it has to be top of mind to ensure long-term business success. With cybercriminals leveraging the software-as-a-service model for their own nefarious ends, this is the time to ensure your defenses are ready.