Written by: Dennis Dillman – Chief Operating Officer of PhishLine

According to a recent FBI report, U.S.-based businesses lost $2.3 billion in the past 27 months from one type of phishing attack alone. The attack type in question is called a “Business Email Compromise” or “BEC” attack. In this type of attack the attacker makes an extensive effort to assume the identity of an officer of the business, of internal or external legal counsel, or of a major vendor, and then targets the individuals responsible for managing money or authorizing payments. In Arizona, the home of the FBI office that authored the report, the average loss reported in this type of scam is between $25,000 and $75,000.

Since January 2015, this attack type has increased in frequency and/or impact by 270 percent. Businesses in every U.S. state and 79 countries have reported this type of attack.

Consider adding the following to your procedures for dealing with or preparing for phishing incidents (some of these are from the linked FBI report):

  • Make sure you are using a security awareness tool that has the following features:
    • The ability to simulate BEC attacks
    • The ability to provide training on BEC attacks to your employees
    • The ability to target training to high risk departments like Accounts Payable
  • If you suspect your organization is the victim of a BEC attack:
    • Contact your financial institution immediately
    • Request that your financial institution contact the financial institution that received the fraudulent transfer
    • Without regard to the dollar amount involved, file a complaint with the FBI’s Internet Crime Complaint Center, also called IC3
  • Be wary of email-only wire transfer requests and requests involving urgency. Urgency is one of the most significant indicators of a phishing scam.
  • Pick up the phone and verify that the email sender is a legitimate business partner. Consider looking up the vendor’s phone number from their website instead of calling the number listed in the email.
  • Be cautious of mimicked email addresses. Don’t hesitate to engage your technology or security teams to validate whether an email is legitimate.
    • TIP: Copy and paste an email address into MS Word or another tool and change the font. For example, if we focus on the letter “L” in “phishline.com” we see the following:
      • dennis.dillman@phishline.com looks exactly like dennis.dillman@phishIine.com in the Calibri font, despite the fact that in the latter the “L” is really an upper case “i”.
      • However, in Times New Roman dennis.dillman@phishline.com looks noticeably different than dennis.dillman@phishIine.com.
    • Seek additional sources to verify the authenticity of someone requesting a payment.
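The look-alike address trick in the tip above can also be checked mechanically before anyone has to squint at a font. The following is an added example, not PhishLine's code or tooling: it reduces a sender's domain to a "skeleton" in which visually confusable characters (upper-case "I", the digit "1" and lower-case "l", for instance) collapse to one form, then compares that skeleton against an allowlist of trusted partner domains. The confusable table, the `trusted` list and the sample addresses are constructed for the example.

```python
import unicodedata
from typing import Iterable

# Single characters that render alike in common fonts, mapped to one canonical form.
# Illustrative table (it covers the upper-case "I" vs lower-case "l" case from the
# tip above); a production check would use a fuller confusables list.
CONFUSABLE_CHARS = {
    "I": "l", "1": "l", "|": "l",
    "O": "o", "0": "o",
    "S": "s", "5": "s",
    "Z": "z", "2": "z",
}
# Character pairs that read as a single letter when kerned tightly.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Reduce a domain, as displayed, to a canonical form so look-alike spellings collide."""
    s = unicodedata.normalize("NFKC", domain.strip())
    # Map upper-case confusables before lower-casing, otherwise "I" becomes a real "i".
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s).lower()
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s


def classify_sender(address: str, trusted_domains: Iterable[str]) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a sender address."""
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1].strip().rstrip(".")
    trusted = {d.lower() for d in trusted_domains}
    if domain.lower() in trusted:        # exact match wins, so PHISHLINE.COM is not flagged
        return "trusted"
    sk = skeleton(domain)
    for t in sorted(trusted):            # sorted so the result is deterministic
        if skeleton(t) == sk:
            return f"lookalike:{t}"
    return "unknown"                     # unrelated domain: not trusted, but not a look-alike


if __name__ == "__main__":
    # Constructed sample senders; phishIine.com uses an upper-case "I", exactly as in the tip.
    trusted = ["phishline.com", "examplevendor.com"]
    for addr in ["dennis.dillman@phishline.com",
                 "dennis.dillman@phishIine.com",
                 "ap@exarnplevendor.com",
                 "someone@unrelated.example"]:
        print(f"{addr:40} -> {classify_sender(addr, trusted)}")
```

A "lookalike" result is a reason to route the message to the security team and verify by phone, not proof of fraud on its own.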

To learn more about security awareness, download PhishLine’s free eBook, Advanced Persistent Testing: How to Fight Bad Phishing with Good.


About PhishLine:

Headquartered in Milwaukee, WI with offices in Chicago, IL, San Francisco, CA, and Cincinnati, OH, PhishLine specializes in helping Information Security Professionals meet and overcome the increasing challenges associated with social engineering and phishing threats. PhishLine provides a powerful blend of risk-based objectivity and robust metrics and reporting to human layer security efforts. To learn more about PhishLine, please visit them at PhishLine.com and follow them on Twitter @PhishLine.

The Security Awareness Company

With over 25 years of industry experience, we serve both small & large organizations to create successful security awareness and compliance programs on an international scale. Our team is a strong, creative powerhouse with a passionate vision and we consistently produce on-trend end-user training materials of the highest caliber.
