In what can be termed as a major success for cyber criminals, as many as 33,568 finance department email addresses of over 5,000 UK companies were compromised in third-party breaches in the last five years, research from Digital Shadows has revealed.
The ease with which cyber criminals are gaining access to sensitive email accounts belonging to finance departments at major organisations not only allows them to earn money by selling such email addresses on the dark web for as low as $150 per account, it also fuels a rise in business email compromise attacks.
Finance department email expose fueling cyber attacks
Such attacks involve hackers masquerading as CEOs or high-ranking company officials or business partners to target unsuspecting employees at finance departments and trick them using social engineering and phishing tactics. This way, fraudsters are able to convince targeted employees into making wire transfers to bank accounts thought to belong to trusted partners.
According to a report from Digital Shadows, the reason why cyber criminals are able to gain access to thousands of finance department email addresses is that such account details are not properly protected by organisations or third party vendors and are often stored in unsecured or misconfigured servers.
"One issue that this research particularly highlights is the risk posed by third parties and contractors, who are often forgotten about by businesses and security teams when it comes to defending your network and data. Often, short-term workers will back up their files and emails on personal NAS drives and leave this misconfigured," said Rafael Amado, strategy and research analyst at Digital Shadows to IT Pro UK.
"This issue goes beyond email account compromises. Businesses need to have a better understanding of where all their sensitive data resides and who has access to it. Third parties and suppliers are an important component of this," he added.
The firm observed that organisations and vendors stored millions of email addresses in a range of misconfigured servers such as AWS S3 buckets, NAS drives, rsync sites, file transfer protocol (FTP) servers, and server message block (SMB). Such servers not only include email addresses, but also detailed correspondence, thousands of invoices, and tax returns.
A survey of more than 2,250 IT decision makers carried out by Proofpoint across the US, the UK, Australia, France, and Germany revealed that in Q4 2017, while 55% of business email compromise attacks targeted finance departments, 43% of such attacks targeted accounts payable departments, and 37% of such attacks targeted the C-Suite.
The survey also revealed that as many as 88.8% of companies were targeted by at least one email fraud attack and in the last two years, about 75% of organisations were targeted by one such attack and 41% were attacked multiple times.
According to the FBI, between October 2013 and May 2018, as many as 78,617 BEC and EAC attacks took place across the world, inflicting losses of $12.5 billion (£9.52 billion) to businesses. While businesses across the globe faced 40,203 BEC attacks between October 2013 and December 2016, as many as 38,414 BEC attacks took place between January 2017 and May this year, costing enterprises a total of $7.23 billion (£5.50 billion) in losses.
"The BEC/EAC scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries," the FBI said.
"Based on the financial data, Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds; however, financial institutions in the United Kingdom, Mexico, and Turkey have also been identified recently as prominent destinations," it added.
Organisations must reduce data exposure
"Phishing continues to be a very serious problem associated with business email compromise but unfortunately, we discovered that is far from the only risk, especially as barriers to entry for this type of fraud are coming down," said Rick Holland, CISO and Vice-President Strategy at Digital Shadows.
"Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online. Organisations can never mitigate these issues entirely; however, it is within their power to at least tighten up on their own processes to ensure that their data exposure is kept to a minimum," he added.