In Session: educating employees still critical in the fight against email compromise

Fraud and Financial Crime


Chris Gerda

Oct 11, 2021

Considering the ubiquity of email and the awareness employees should have around its security vulnerabilities, fraud should by now be all but stamped out. But it’s clearly not. When you can buy a phishing resource kit on the dark web, and you factor in the continuous innovation by fraudsters, it’s still proliferating. In fact, 86 percent of all companies have had at least one user attempt to connect to a phishing site in the past year. The numbers are similar for Business Email Account Compromise Fraud (BEC Fraud), which often begins with phished credentials being used to access a business email account, then socially engineer a bank-account update, and finally route payments to a fraudster’s bank account. This is the most damaging fraud against businesses today, and it all revolves around email, with the FBI estimating it cost businesses $1.8 billion in 2020.

As Cybersecurity Awareness Month gets into its second week, financial institutions, as well as other companies, can use this as a catalyst to battle complacency and push back against email-based fraud. Coming from the standpoint of a technology provider, I see what companies continue to be concerned about as well as the methods they use to fight the problem. Outside of technology (the best defense), I also urge organizations to continue to educate their employees about the latest fraudster tactics. Education – done right – can not only increase awareness of email issues, but it can give workforces the confidence to identify suspicious emails and secure their own.

Here are four things to keep in mind when considering an email fraud education program:

Leadership: Who’s responsible for fraud education? It depends on the size of the organization. For smaller companies, it will fall largely on an executive who may wear dual hats, including leading the security efforts. For larger organizations, it’s important to be collaborative. They will have a larger security team, which is usually responsible for this kind of training, but it's important for that team to partner with the payables and receivables teams to build a program grounded in what those teams see and deal with on a daily basis. Design training that mimics a real threat they face, or use an email that actually targeted the business as an example. The other piece of this puzzle is the C-suite, for two reasons: first, executives are often the targets of impersonation scams that use email to initiate a payment; second, their involvement empowers people to take action and shows investment and commitment to a secure corporate culture.

Don’t Short Sell AI: Email can be random and would seem to be outside of the purview of AI. That’s not the case. AI works from the angle of detecting the fraudulent attempt before it hits the inbox. It analyzes where it’s coming from, who’s sending it and what kind of links it contains. For example, secure email solutions can identify suspicious email before it even gets into your inbox by raising a red flag for a known suspicious external actor, a high-risk domain, or a malware threat. Simply put, a strong threat detection solution using large datasets and AI can stop a BEC attempt, a phishing tactic, or a malware threat before account numbers are ever exchanged or a malicious link is ever clicked.

Create Personas and Scenarios: Let’s think about being nefarious when we come up with training. The fraudster is, and they are trying to tap your inclination to click, download, provide, update, be helpful, or be curious. A phishing scenario might come from someone seeking information about COVID-19, for example: “As part of our office return or hybrid work environment, HR is asking you to click here to verify your current home address and confirm your payroll information. You’ll be asked to enter your email and password to verify.” Those credentials are then harvested by the fraudster to compromise your systems or your email. Ensure you tailor the scenario to your organization to identify the threats fraudsters might try to exploit.
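To make the detection angle concrete, here is an added example (not code from the author or from any vendor product) of the kind of pre-inbox checks described above, sender origin, reply-to routing and link destination, run against a constructed message modelled on the HR/payroll training pretext. The organisation domain, the sample message and the scoring thresholds are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation domain for this example (hypothetical).
INTERNAL_DOMAIN = "acme-corp.example"
# Wording typical of credential-harvesting pretexts like the HR/payroll scenario.
PRESSURE_WORDS = ("urgent", "verify", "password", "payroll", "immediately")

# Constructed sample modelled on the training scenario above; not a real message.
SAMPLE_PHISH = """\
From: "HR Department" <hr@acme-corp-payroll.example>
Reply-To: hr.verify@webmail-free.example
To: employee@acme-corp.example
Subject: URGENT: verify your home address and payroll information
Content-Type: text/plain

As part of our office return, HR is asking you to click here to verify
your current home address and confirm your payroll information:
http://acme-corp-payroll.example/verify?id=123
You'll be asked to enter your email and password to verify.
"""

def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def score_email(raw, internal_domain=INTERNAL_DOMAIN):
    """Return (score, reasons): each red flag found adds one point."""
    msg = message_from_string(raw)
    reasons = []
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    org_label = internal_domain.split(".")[0]          # e.g. "acme-corp"
    if from_dom != internal_domain:
        reasons.append(f"external sender domain: {from_dom}")
        if org_label in from_dom:                       # lookalike of our own name
            reasons.append(f"lookalike domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:             # replies diverted elsewhere
        reasons.append(f"reply-to mismatch: {reply_dom}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:
        reasons.append("pressure/credential wording: " + ", ".join(hits))
    for host in re.findall(r"https?://([^/\s]+)", body):
        if host.lower() != internal_domain:             # link leads off our domain
            reasons.append(f"link to non-internal host: {host}")
    return len(reasons), reasons

def triage(raw):
    """Hold for the security team at 3+ flags; 1-2 flags get a warning banner."""
    score, _ = score_email(raw)
    return "quarantine" if score >= 3 else "warn" if score else "deliver"
```

The reasons list is what a centralized reporting mailbox or a user-facing banner would show, so the same checks that block a message can also feed the training examples described above.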

Continue To Monitor The Hybrid Work Environment: Awareness and confidence are critically important mindsets for any employee to stop fraud. Sometimes a jolt may be needed to pull people out of complacency, especially in an at-home environment where an employee can't look across the cubicle or go to the next office and say “Hey, did you get that weird email?” Implement a program of education that re-energizes people's mindset, discourages complacency and encourages communication. Every organization must have some sort of centralized reporting, where any employee can send a weird email or strange inquiry that your security team can respond to quickly. If they have nowhere to report it, a fraudster's social engineering pressure has the opportunity to be much more successful.

The Bottomline: Security, and the education surrounding it, stems from a good corporate culture. For example, when you're onboarding new employees, understand that it’s tougher to do in a virtual environment, and that making a connection with them on security, its importance, how seriously your business takes it, and how they can report suspicious behavior is key. A good education program sets the tone for them, right out of the gate. The good news is that companies are making progress against BEC fraud by embracing digital verification methods and blocking out phishing attempts by deploying email solutions with URL underwriting and malware detection. The combination of technology and education can make your company one of those making progress.



Posted by

Chris Gerda

Chris Gerda serves as the head of risk and fraud prevention at Bottomline, with a focus on security for Paymode-X. He is responsible for the overall anti-fraud strategy and technology initiatives to maintain the security of $200 billion in payments within the 450,000+ network membership base.