How Cybercriminals Use Employees’ Own Brains Against Them


The FBI’s Internet Crime Complaint Center (IC3) released its Internet Crime Report 2020 recently, and it’s packed with essential insights for CISOs. It’s a comprehensive resource that highlights new cybercriminal techniques, malware, and also includes some jaw-dropping stats on the losses businesses have suffered, including:

  • IC3 received a record number of complaints from the American public in 2020: 791,790, with reported losses exceeding $4.1 billion; this represents a 69% increase in total complaints from 2019.
  • Business Email Compromise (BEC) schemes continued to be the costliest: 19,369 complaints with an adjusted loss of approximately $1.8 billion.

BEC attacks are a variation on the phishing scam. Rather than sending emails from outside the organization, a cybercriminal compromises a legitimate business email account through social engineering or another intrusion technique, with the express purpose of getting funds transferred to accounts they control. Because most organizations won’t allow an individual user to send corporate funds on their own, cybercriminals must communicate with employees inside the organization and fool them into sending the money.

There are many psychological tools hackers use to trick employees into engaging in risky behaviors, often playing off people’s inherent good nature and deference to corporate hierarchy. BEC, specifically, takes advantage of employees’ cognitive biases using two techniques:

  • Halo Effect: Pretending to be a trusted entity known to the user. For instance, an external partner, such as a law office, reminding an enterprise’s Accounts Payable department about an outstanding invoice.
  • Authority Bias: Pretending to be a high-ranking person of authority within the user’s organization. Imagine an accountant receiving an urgent email from the CFO saying they need to pay an invoice “ASAP!!”

The best way for CISOs to protect their organizations from falling victim to a BEC attack is by implementing hard and fast rules around wire transfers. Businesses should consistently use 2-factor authentication (2FA) for important documents, require offline verification (e.g., phone call verification for wire requests over $10,000), and educate their employees to know the process inside and out. This way, even if the CEO were to demand a large sum of money quickly, the team would soon sniff out the cybercriminal, because the request isn’t following corporate protocol.
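The controls above can be written down as an approval gate that Accounts Payable staff (or the payment system itself) run against every wire request. The following is an added illustration, not SecurityAdvisor’s code: the $10,000 callback threshold comes from the post, while the vendor master file, the rule that changed bank details always require a callback, the segregation-of-duties rule and the sample request are assumptions constructed for this example. The one detail worth noticing is that the callback only counts if it is placed to the number on file, never to a number supplied in the email that asked for the payment.

```python
from dataclasses import dataclass, field
from typing import Optional

CALLBACK_THRESHOLD_USD = 10_000  # figure quoted in the post

# Hypothetical vendor master record (constructed for this example): the bank
# account and the phone number confirmed when the vendor was onboarded.
VENDOR_MASTER = {
    "acme-law": {"account": "GB00ACME0001", "phone": "+1-555-0100"},
}


@dataclass
class WireRequest:
    vendor_id: str
    amount_usd: float
    beneficiary_account: str
    requester: str                          # who asked for the payment (e.g. the CFO's mailbox)
    approver: str                           # AP staff member releasing the payment
    callback_number: Optional[str] = None   # number the approver actually dialled, if any


@dataclass
class Decision:
    approved: bool
    required_controls: list = field(default_factory=list)
    failures: list = field(default_factory=list)


def evaluate_wire_request(req: WireRequest) -> Decision:
    """Apply each control in turn; the wire is released only if none of them fails."""
    required, failures = [], []

    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        failures.append("vendor not in master file: no payments to unverified payees")
        return Decision(False, required, failures)

    # Segregation of duties (assumption): the person demanding the payment is
    # never the person who releases it, however senior the requester appears.
    if req.requester == req.approver:
        failures.append("requester and approver must be different people")

    # Offline verification above the threshold quoted in the post.
    needs_callback = req.amount_usd > CALLBACK_THRESHOLD_USD
    if needs_callback:
        required.append(f"phone callback: amount exceeds ${CALLBACK_THRESHOLD_USD:,}")

    # New bank details are the usual payload of a BEC invoice (assumption: any
    # change from the master record requires a callback regardless of amount).
    if req.beneficiary_account != vendor["account"]:
        needs_callback = True
        required.append("phone callback: beneficiary account differs from master record")

    # The callback must go to the number on file, not one taken from the email.
    if needs_callback:
        if req.callback_number is None:
            failures.append("required callback not performed")
        elif req.callback_number != vendor["phone"]:
            failures.append("callback placed to a number not in the master record")

    return Decision(approved=not failures, required_controls=required, failures=failures)


if __name__ == "__main__":
    # Constructed sample: an "urgent" request with new bank details, where the
    # clerk called the number given in the email rather than the one on file.
    urgent_request = WireRequest(
        vendor_id="acme-law", amount_usd=48_000, beneficiary_account="LT00NEWBANK9",
        requester="cfo@example.com", approver="ap-clerk@example.com",
        callback_number="+1-555-0199",
    )
    print(evaluate_wire_request(urgent_request))
```

Running the sample rejects the payment with two required controls (amount and changed beneficiary) and one failure (callback to the wrong number); the same request becomes approvable only once the clerk has called +1-555-0100, the number recorded at onboarding.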

Education and training are critical in preventing BEC attacks from victimizing your business. SecurityAdvisor’s security awareness platform fortifies employees’ knowledge of these attacks through regular microlessons that encourage positive user behavior. Interested in learning more?

