Businesses and individuals exchange more than 300 billion emails each day. Because email is such a ubiquitous part of life, it can be easy to overlook its inherent vulnerability.
In reality, even with protections put in place by internal IT departments or outside partners, email remains an unsecured and unreliable technology capable of being hacked, altered and manipulated. According to recent research by Chubb:
- Cybercriminals stole more than $28 billion through email fraud from 2016 to 2020, with an average loss per incident of more than $150,000.
- Since the coronavirus pandemic began in early 2020, cybersecurity risks have increased for organizations, because many employees have shifted to working from home over less-secure Wi-Fi networks.
- At the same time, to maintain their revenue, many businesses have adopted or increased their use of e-commerce and electronic transactions with their partners and customers.
When combined, these factors have created an even busier environment for cybercriminals to exploit email for fraudulent activities. In a late 2020 survey by the Association of Certified Fraud Examiners, more than 80% of respondents across different organization types had observed an increase in cyber fraud since the pandemic began, including business email compromise and payment fraud.
Schemes are constantly evolving, requiring businesses to adopt procedures that guard against intrusions. While email attacks in the past focused on delivering links and attachments with malicious code, today’s cybercriminals are employing more sophisticated social engineering attacks that are designed to manipulate a sender’s identity, intercept important messages and send messages that appear authentic to recipients. Without attachments or files that would be detected by malware-scanning systems, these emails can readily pass through basic security defenses.
“With the heightened level of deception and manipulation involved in these attacks, email security requires a zero-trust approach,” researchers said. “For example, an email requesting payment or bank routing information should be considered suspicious until the information can be independently verified through another channel, such as a direct phone call.”
Chubb urges businesses that believe they are a victim of email compromise to act quickly:
- Immediately contact the originating bank and request a recall of the wire transfer and confirm that recall in writing.
- Immediately file a complaint with the FBI at www.ic3.gov. Reporting to the FBI triggers the bureau’s recovery asset team and the FBI’s assistance in seeking return of the wire transfer.
- Preserve records of the incident, including emails sent and received in their original electronic state. Correspondence and forensic information contained in these electronic files helps investigators shed light on the perpetrators and parties responsible for the incident.
- After these steps are completed, contact your insurance carrier per the reporting instructions in your policy. While neither recalling the wire transfer nor reporting to the FBI guarantees the return of your funds, these steps maximize the opportunity to mitigate your loss, assist the FBI in tracing the funds and help establish any insurance claim.
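The third step above (keep the emails in their original electronic state) and the zero-trust rule quoted earlier (treat any payment or routing-information request as unverified until confirmed through another channel) are easier to act on when the preserved message is examined as a file rather than as a screenshot or a forwarded copy, which drops the Received chain, Return-Path, Reply-To and Authentication-Results headers. The script below is an added example, not code from Chubb or from this article: it parses a constructed .eml message with Python's standard `email` package, pulls out the header facts an investigator would record, checks the sending domain against a constructed partner allowlist, and flags the message for out-of-band verification whenever it asks for payment or banking details. Every domain, address and mail-server name in the sample is fictional and under the `.test` reserved TLD.

```python
"""Header triage for a preserved .eml message (added example, not from the report)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed allowlist: the domains this organization actually does business
# with. In practice this would come from the vendor master file.
KNOWN_PARTNER_DOMAINS = {"example-corp.test"}

# Terms that mark a message as a payment or banking request (the report's
# zero-trust rule applies to every such message, indicators or not).
PAYMENT_TERMS = ("wire transfer", "bank", "routing", "invoice", "payment")

# Constructed sample: a bank-change request sent from a lookalike domain
# ("examp1e" with a digit one) with a Reply-To pointing somewhere else.
SAMPLE_EML = """\
Return-Path: <bounce@examp1e-corp.test>
Received: from mail.examp1e-corp.test (mail.examp1e-corp.test [203.0.113.7])
    by mx.victim.test with ESMTP id abc123
    for <controller@victim.test>; Mon, 1 Mar 2021 09:12:44 +0000
Authentication-Results: mx.victim.test;
    spf=pass smtp.mailfrom=examp1e-corp.test;
    dkim=none;
    dmarc=none header.from=examp1e-corp.test
From: "Jane Doe (Example Corp)" <jane.doe@examp1e-corp.test>
Reply-To: ap-team@freemail.test
To: controller@victim.test
Subject: Updated bank routing information for invoice 4471
Date: Mon, 1 Mar 2021 09:12:40 +0000
Message-ID: <20210301091240.1@examp1e-corp.test>
Content-Type: text/plain; charset="utf-8"

Hi,

We have changed banks. Please update the wire transfer details for
invoice 4471 before Friday's payment run.

Thanks,
Jane
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rpartition("@")[2].lower()


def parse_eml(raw):
    """Parse a raw RFC 5322 message; policy.default unfolds folded headers."""
    return Parser(policy=policy.default).parsestr(raw)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value)):
            verdicts[mech] = result.lower()
    return verdicts


def triage(raw):
    """Return the header facts and risk indicators for one preserved message."""
    msg = parse_eml(raw)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return_domain = domain_of(msg["Return-Path"])

    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + "\n" + (body.get_content() if body else "")).lower()
    terms = sorted(t for t in PAYMENT_TERMS if t in text)

    auth = auth_results(msg)
    # Each Received header names the host that handed the message over.
    hops = [re.search(r"from\s+(\S+)", str(r)) for r in msg.get_all("Received", [])]

    indicators = []
    if from_domain not in KNOWN_PARTNER_DOMAINS:
        indicators.append(f"from-domain-not-a-known-partner:{from_domain}")
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"reply-to-domain-differs:{reply_domain}")
    if return_domain and return_domain != from_domain:
        indicators.append(f"return-path-domain-differs:{return_domain}")
    if auth.get("dmarc") != "pass":
        indicators.append(f"dmarc:{auth.get('dmarc', 'absent')}")

    return {
        "from_domain": from_domain,
        "payment_terms": terms,
        "authentication": auth,
        "received_from": [m.group(1) for m in hops if m],
        "indicators": indicators,
        # Zero-trust rule from the report: a payment or banking request is
        # unverified until confirmed by another channel, such as a phone call.
        "verify_out_of_band": bool(terms),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The indicators are recorded alongside the raw headers rather than used to auto-block anything: a lookalike domain with passing SPF is exactly the case the report describes as slipping past basic defenses, so the output is meant to feed the independent verification step and the evidence file kept for the bank, the FBI and the insurer.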
“Given the motivation and ingenuity of cybercriminals, organizations should keep in mind that these frauds continue to rise as criminals adapt to countermeasures deployed to thwart them,” the report concluded. “Curbing social engineering online payment fraud not only requires organizations to protect themselves with updated technology defense but also to re-evaluate their policies and procedures for verifying information received electronically, authenticating the identity of those that provide it and authorizing payments to their business partners.
“Cybercriminals will continue to find opportunities for payment fraud until businesses — both suppliers and customers — adapt their processes and fundamentally change their procedures to fill the gaps made possible by email.”