Incidents of CEO fraud – also known as Business Email Compromise (BEC) – will ramp up in Asia-Pacific this year, according to business consultancy Frost & Sullivan.
Threat predictions from analysts at the firm’s regional Cyber Security practice indicate that, as BEC attacks can be mounted with little technical knowhow, they are likely to overtake advanced persistent threat (APT) outbreaks and ransomware as a primary cause for concern.
Typically requiring little more than credible email formats to deceive staff members into thinking they have received financial instructions from senior figures, BECs triggered losses of SGD$19m in Singapore alone in the first nine months of 2016.
BEC caseloads in that pivotal financial hub grew by 20% over that time, compared with the same period the previous year. According to police investigations, businesses with overseas dealings were most frequently victimised.
That finding ought to put multinationals on notice to ensure not just that they are educating their staff about the tell-tale signs of bogus emails – but that clear chains of authorisation are in place to prevent staff from being duped into sending money to fraudsters’ accounts.
Charles Lim, industry principal at the regional Cyber Security practice, said: “As BECs are relatively easier to execute and evade cyber defence tools better than other popular attack vectors, such as ransomware and APTs, they can potentially [become] the main cyberthreat in Asia.”
Lim’s unit also tips enforcement agencies in the region to devote greater resources to ‘Internet of Things’ (IoT) gadgets, saying: “The recent [incidents of] Mirai botnets exploiting the vulnerabilities of IP cameras are an example of how manufacturers did not include a security process of changing default passwords when connecting the devices to the internet.”
Just days after Frost & Sullivan issued its predictions, that same theme cropped up in a report from UK internet service provider Beaming. According to the firm’s research, between the first and fourth quarters of last year, cyberattacks on British firms that used IoT devices as a point of entry grew by 310%.
Networked security cameras and building control systems that can be controlled online were the primary targets in this explosion of cybercrime. By the end of 2016, more than 90% of cyberattacks on UK firms sought to take control of connected devices in the workplace.
On average, the report showed, UK firms suffered a bombardment of 230,000 cyberattacks each during 2016. In November, the average volume of attacks on company firewalls passed the 1,000-per-day mark for the first time.
Beaming managing director Sonia Blizzard said: “The majority of internet cyberattacks are computer scripts that search the web for weaknesses and probe firewalls constantly for a way in. With the IoT, businesses are punching holes in their own firewalls to provide suppliers with access to devices on their networks. This can open the door to criminals, too, if not done properly.”
She added: “It is imperative that companies regularly review their firewall policies to ensure they are as restrictive as possible, and prioritise security over convenience. Once inside, it is relatively easy for hackers to take over connected devices and lie dormant before misusing those assets as part of a bigger hack or distributed denial-of-service attack at a later stage.
“The cyberthreat is real and it is growing. Any business that is connected to the internet needs to take responsibility for cybersecurity at board level, and ensure it is doing everything it can [not to] expose its people, assets, customers and business partners to greater risk.”