Why Are Business Email Compromise Schemes So Prolific?

Douglas Johnson
Cybersecurity Investments
3 min read · Jan 26, 2022


Interpol and the Nigeria Police Force recently arrested 11 cyberthieves, disrupting one of the largest business email compromise networks in the world. The group, known as SilverTerrier, is believed to have attacked thousands of companies globally, reeling in many millions of dollars through email fraud. A public announcement of the operation was made in mid-January.

Business email compromise (BEC) schemes are the costliest category of reported cybercrime, well ahead of the more widely publicized ransomware. In a typical BEC case, the fraudster takes over a corporate email account, or spoofs one, to impersonate an employee or executive and press for a rapid transfer of funds for an urgent or unexpected purpose; there are many variations on this theme. The FBI's Internet Crime Complaint Center attributes about $1.8 billion in losses in 2020 to BEC, across more than 19,000 complaints.
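The "many variations" above reduce to a handful of observable signals a mail-security team can check for: a trusted display name on an address that is not the real one, a lookalike sender domain, a Reply-To that routes answers somewhere else, and urgent payment language. The script below is an added illustration, not code from the article or from any vendor; the corporate domain, the protected-executive directory and the three sample messages are constructed for the example. The third message matters most for this article's argument: when the account is genuinely compromised, the sender-side checks pass, and only the routing and content signals remain.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values (constructed for this example): the organisation's own domain
# and a directory of people whose names fraudsters like to borrow.
CORP_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}
URGENCY_TERMS = ("urgent", "wire", "right away", "before end of day",
                 "new bank", "updated account", "confidential")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list[str]:
    """Return the BEC indicators present in one RFC 822 message, in fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    hits = []

    # 1. A protected person's display name on an address that is not theirs.
    key = name.strip().lower()
    if key in PROTECTED_NAMES and addr.lower() != PROTECTED_NAMES[key]:
        hits.append("display-name impersonation")

    # 2. Sender domain within two edits of the corporate domain but not equal to it.
    if from_dom and from_dom != CORP_DOMAIN and _edit_distance(from_dom, CORP_DOMAIN) <= 2:
        hits.append("lookalike domain")

    # 3. Replies silently diverted to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        hits.append("reply-to mismatch")

    # 4. Two or more urgency / payment-change phrases in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if sum(term in text for term in URGENCY_TERMS) >= 2:
        hits.append("urgency/payment language")

    return hits


# Constructed sample messages (not real mail).
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent wire
Content-Type: text/plain; charset="utf-8"

I need an urgent wire sent before end of day to our new bank account. Keep this confidential.
"""

COMPROMISED = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@personal-mail.invalid
To: accounts@example.com
Subject: Vendor payment
Content-Type: text/plain; charset="utf-8"

Can you process this wire today? It's urgent and the vendor sent updated account details.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(f"{label}: {bec_indicators(sample)}")
```

The compromised-account sample trips only the last two checks, which is exactly why a finance team's own disbursement controls (call-back verification on any change of bank details, dual approval above a threshold) have to carry the weight that mail filtering cannot.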

In Nigeria, the effort by law enforcement was a major win in the war against electronic crime. Hacking techniques and other information obtained through this operation may help to counter fraudster groups worldwide. To frame the scope of the Nigerian operation, Interpol estimates that the digital devices confiscated in the raid contained as many as 800,000 email/password combinations.

We wonder why BEC scams continue to grow in sophistication and frequency, despite broad awareness of the problem. Corporations, after all, spend vast sums of money on technology and training to diminish the probability of being victimized by electronic crime, such as ever-prominent BEC schemes.

As it turns out, a major component of the problem is employee stress, which has been exacerbated by the pandemic. Those anxiety levels — at times generated by capricious work-from-home policies — may amplify an employee’s need or desire to circumvent internal cybersecurity policies for speed in completing a task.

In a recent Harvard Business Review article entitled “Why Employees Violate Cybersecurity Policies,” the researchers argue that “vast majority of intentional policy breaches stem not from some malicious desire to cause harm, but rather, from the perception that following the rules would impede employees’ ability to get their work done effectively.”

Following rules and guidelines, such as the rigid use of two-factor authentication or strict adherence to cash disbursement policies, may be interpreted as a burden by professionals executing their at-hand responsibilities. The study found that in some 85% of the reported policy violations, the employee's stated reasons were non-malicious, such as “to help others get their work done.” Altruism is a common human trait.

Among the take-aways from this research is to include a broad swath of employees in the cybersecurity-development process, avoiding the temptation to develop protocols in a vacuum. IT professionals, however talented, may not fully understand workflow processes.

Our Vantage Point: Cybersecurity departments can over-emphasize fending off external actors, in step with headline-grabbing news. In practice, resources should also be deployed internally to ensure that rules and guidelines are organic to getting business done.

Learn more at the Harvard Business Review

Image Credit: 1STunningART at Adobe Stock.

Douglas Johnson
Cybersecurity Investments

Banker and strategist. I forge opportunities with high-risk assets worldwide. My workshop is at the crossroads of venture capital and emerging markets.