How to Stay Safe with Business Email Compromise on the Rise

According to a report by the Financial Crimes Enforcement Network (FinCEN) released in July, financial institutions have incurred more than $9 billion in losses due to Business Email Compromise (BEC) schemes since 2016. With such staggering losses, businesses and even individuals can’t afford to ignore BEC attacks.

What is BEC?

BEC fraud involves cyber thieves posing as company executives or a business contact with the intention to commit wire transfer fraud or obtain sensitive information. The main targets are businesses working with foreign suppliers or a business that carries out regular wire-transfer payments.

To carry out this attack, criminals might pretend to be the company CEO and request that a junior staff member perform a task for them, such as transferring funds. Attackers take advantage of the fact that most organizations don’t have a set procedure to verify instructions received from the top management.

How Attackers Collect Data from their Targets

Cyber criminals use various techniques to carry out BEC fraud, with the main aim of stealing funds from the victims. The techniques used include:

  • Imposter techniques – this can be carried out in various ways. Attackers use a look-alike domain, display-name deception and spoofed emails that appear to come from legitimate addresses.
  • Social engineering – when a target has not set appropriate privacy settings on social media accounts, an attacker can easily collect information that will make their requests sound legitimate.
  • Malware – this enables attackers to have access to sensitive information that makes the fake request sound legitimate.
  • Mining from the Dark Web – here attackers can obtain stolen credentials.

How to Avoid BEC Attacks

It is difficult for conventional security systems to detect BEC schemes. Consider a case in which a transaction is initiated willingly by a legitimate user in response to a request from a legitimate source. Such an email has no payloads such as malicious attachments that can be blocked.

Here are some methods to help reduce the possibility of these attacks:

  • Raising awareness of common attack scenarios or tactics used by the cyber criminals, such as a false domain name that looks almost like the original one, impersonation of a vendor, false sense of urgency or a request for secrecy.
  • Training employees on cyber security risks and implications.
  • Implementing email authentication protocols like Domain-Based Message  Authentication, Reporting and Conformance (DMARC) and email authentication, such as DomainKeys Identified Mail (DKIM).
  • Using layered defense, such as encryption, and virtual private networks.
  • Implementing a multifactor authentication that will introduce a secondary authorization control. This will help stop attackers even when they have access to the target’s credentials.
  • Establishing communication protocols that will allow for a follow-up. For instance, if the person is requesting financial transactions, an employee should call to ascertain the request.
  • Scrutinizing all emails that request for fund transfer.
  • Monitoring incoming email, especially those that use VIP names.
  • Optimizing accounting systems and controls.

Final Thoughts

Apart from taking precautionary measures, businesses also should make sure that their insurance specifically covers BEC attacks, as courts might have different interpretations of policies. Consider the case of Apache Corporation, which lost $7million due to a BEC attack. The judge ruled that since the money was sent to pay a legitimate invoice to the wrong bank, it was not covered by their insurance policy.

Note that a majority of these criminals are from countries that might not have strict laws on cybercrime, making it difficult to have them prosecuted.

So, whether you run a small, medium or large business, or even a personal account, it’s vital that you take precautionary measures against the increasing BEC schemes.

What is VPN and Why Do You Need It?

The rise in the number of data breaches reported every other day has become a major concern – even to the ordinary internet user. As a result, we have all become aware of the need to maintain privacy while online. One of the measures promising to keep you safe on the internet is the use of a virtual private network (VPN). But before rushing to install one of the many VPNs available, it’s important to understand what a VPN is, why you need it, if it is foolproof and other ways to stay safe on the internet.

What is a VPN?

The VPN service lets you browse the internet privately by masking your IP address – the unique address identifying your device on the web. It also encrypts your internet traffic as it passes through a secure tunnel created from your device to a remote server. Your data appears to be coming from the remote server. This means that a VPN can hide your geographical location, personal data, web browsing history, spending habits and mobile phone activities.

Initially, VPNs were built for business environments to help a business operate a secure network connection. But with today’s cyber security concerns, they have become popular and more widespread.

Why Would You Need to Use a VPN?

There are numerous reasons why a person would need to enlist the services of a VPN company. Here are some situations that require the use of a VPN:

  • Since Congress cleared the way for ISPs to sell users’ browsing history without their consent, privacy is a thing of the past. This means that an internet service provider can sell your browsing data to third parties. A VPN can mask your IP address from your service provider.
  • The encryption offered by VPNs guards against digital threats, hacking, malware attacks and identify theft.
  • VPNs help keep hackers and marketers from tracking your movement online.
  • If you travel to a country where you can’t access some sites, for instance in China where Facebook is not allowed, a VPN will help you stay in touch on any of these blocked sites.
  • When using public Wi-Fi in airports or any other place that offers free Wi-Fi, a VPN comes in handy.
  • Employers who have workers going out for field work or working remotely can set up a VPN to help access company networks securely.
  • Used by whistleblowers, law enforcement agencies, investigative journalists and others who want to shield their identities or location.
  • For user with Voice over IP (VOIP) for making calls, a VPN will help prevent your phone conversations from being tracked or intercepted.
  • When you need to visit questionable websites but want to be safe. For instance, when your identity is stolen and you want to find the website selling your data.

The Bad Side of Using a VPN

Although a VPN service may sound perfect for internet security, it also has some disadvantages. Keep in mind that your internet service provider may no longer have your data, but the VPN provider now has access to it.

A VPN is not 100 percent guaranteed. The VPN provider could be disconnected or there could be a Domain Name Server (DNS) leak. Even with advanced features such as kill switch, VPN data can still leak through software, hardware or other means.

If you fail to use the right VPN, you’ll be in more problems than you are running from. Some VPNs (especially the free services) keep log files. There is no telling where your private data will end up. They could end up selling your data to third parties or supplying your information to the government.

These services also slow down your internet access speed due to the process of data encryption and tunneling network traffic to a remote server that is used to connect you to the internet.

It is not possible to know if the VPN provider commits to what they promise. The only way to find out is when things go wrong. They may promise not to keep logs, but if you fail to read the privacy policy of a VPN company, you will not know if they retain customer data.

A VPN doesn’t protect you from viruses and malware.

Other Security Measures

Since a VPN is not foolproof, it is important that you also observe other security measures to protect your privacy.

It is crucial that you practice digital privacy hygiene. In other words, when online you should limit the amount of personal information that you share. This will help minimize your digital footprint.

Investing in quality antivirus software will protect your device from malware and viruses.

Regularly check if your data has been compromised. Check for strange activity in your emails, social media accounts and even in your bank account.

Use strong passwords or other security features such as biometrics to secure your accounts.

Final Word

You may come across many different types of products and services that promise to keep you safe on the internet. The bottom line is, it’s up to you to protect yourself. A combination of several security measures is a good starting point – the use of a VPN, strong passwords and antivirus programs.

The Rise of Biometrics Security and Why You Should Take Precaution

Biometric technology has been on the rise as it promises to make the authentication process more secure and convenient. Unlike passwords and key cards, biometrics are something you will always have, can’t share and can’t forget. This makes the biometric approach convenient and at the same time it has lower password management costs.

Biometrics also are said to be difficult to steal or hack; difficult, but not impossible.

Any technology can have loopholes that can be exploited, and that’s why you need to understand it well and take precautions if you decide to use this approach.

The use of biometrics is not new, but its increased presence in the public domain such as banks makes it a topic of interest.

To help us understand the need to tread carefully, let’s first have a peek at the latest biometric security technologies.

New Trends in Biometric Security

Biometric authentication is becoming popular for digital payments, logging in to banking systems and even on smartphones. New trends in biometrics security include:

  • Voice recognition: the human voice is used to create voice prints to be used for user authentication in a voice ID system. 
  • Face recognition: 3D face recognition is another new development that uses sensors to identify the shape of a person’s face. This is done by using facial characteristics such as the nose, cheeks, chin and contours of the eye sockets. 
  • Mobile biometric technology: mobile devices also have joined the bandwagon, and manufacturers are now fitting them with biometric sensors. It is also possible to attach portable biometric-sensing equipment using a USB cable.
  • Biometrics on the cloud: cloud-based solutions have been developed to speed up the identification process. Since users don’t have to spend so much on necessary applications, hardware and infrastructure, this becomes cost effective.

How Secure is the Biometric Approach?

Biometric security is increasingly being used as a preference to passwords, but how safe is this approach? Fingerprints may not be as secure as they are said to be. Consider this, some researchers were actually able to generate fake fingerprints that they called DeepMasterPrints. These fingerprints were generated using a neural network technique to create artificial fingerprints that can work as a “master key.” This goes to show how a system using fingerprints for security can be vulnerable to dictionary attacks using the created MasterPrints.  

There are many people posting their pictures online on social media. Unfortunately, once you do that your images are no longer private. This means that a face can easily be captured from the internet.

Retina scans are considered extremely reliable and accurate more than the iris scan. However, it is the least common as it’s considered to be intrusive.  

Reservations

The use of biometrics is a great development toward security concerns, but it raises privacy issues. Keep in mind that biometric information can easily be harvested – from a distance and without your knowledge. The cloud also is another reason to be concerned. Although biometrics are effective in enforcing security, the data collected has to be stored somewhere. How secure are the databases that store this information? Of course, this increases the possibilities of a breach.

Some reports made public include a potential hack for the palm vein scanner and a claim by a research team at vpnMentor about a leak of millions of fingerprints from BioStar 2, an app built by Suprema. Whether this and other similar claims are true or not, it just goes to show how vulnerable biometrics data can be. It also won’t be long before marketplaces emerge on the Dark Web for actual biometrics.

Remember that unlike passwords, you can’t change your biometrics. If someone had access to a biometrics database, then they would have access to sensitive data.

Another reservation involves the right to privacy for your biometrics. It’s possible for your biometrics to be collected without your informed consent. For instance, in stores where face recognition is used to identify potential shoplifters or to survey shoppers’ behavior. Recently, the FaceApp Challenge created by a Russian company had its share of controversy. Although said to be purely for entertainment, it also means that no one has control over what the company collecting the data will do with it. 

Businesses face the potential risk of getting sued by their own employees. This is because there are some locations that already have a biometric privacy act law. In the United States, the Illinois Biometric Information Privacy Act (BIPA) allows users to sue under this law to protect their privacy.

Stay Safe

Since cyber criminals are always working on hacking new security systems, it’s crucial that users of these systems remain cautious. One of the ways to stay safe when using biometrics is the use of multi-modal authentication, which requires input from more than one biometric device. This will help overcome some loopholes, such as the use of copied fingerprints or stolen voice and facial prints.

Luckily, with advances in artificial intelligence and machine learning, biometrics can be enhanced. Users can be scrutinized using their online behavior. Since people tend to be creatures of habit, a behavior-based system can develop a more complex user profile. The tracked behavior will help to tell a genuine user from a potential threat.

Since it’s difficult to know if your biometrics have been stolen, it’s best to take precautionary measures that could include:

  • Avoiding unnecessarily sharing personal information, such as the bank account numbers, date of birth or Social Security number
  • Paying close attention to your bills and financial statements
  • Watching out for unauthorized transactions by reviewing your credit card and bank statements.
  • Using other security features on your mobile device.
  • Avoiding using public WiFi. It is also important that you keep your sharing and firewall settings updated.

In Conclusion

The biometric authentication is not a silver bullet. Technically, biometrics are not secret and have similar cyber risks as passwords, only they are exploited differently. Whenever a new technology becomes pervasive, there are individuals who will definitely try to figure it out –especially because these technologies are used to access financial services and private data.

In the digital world, we cannot assume complete security. The best you can do is work with known credible vendors and stick with providers who comply with both federal and state data privacy regulations. Lastly, use technologies that are tried and tested.