Tackling the Number One Cyber-Threat, Business Email Compromise

AmCham’s compliance conference, our annual event highlighting the most pressing challenges in corporate compliance and integrity, focused this year on business email compromise (B.E.C.), one of the most dangerous and harmful forms of cyber-crime. It is a rapidly growing problem for businesses of all sizes and sectors all over the globe, causing billions of dollars’ worth of damage.

Since the onset of the COVID-19 pandemic, the number and severity of cyber-attacks, including B.E.C., have increased drastically. As businesses moved their operations online and an unprecedented number of people were forced to work remotely, cybercriminals were given new opportunities to launch attacks – exploiting the uncertainty created by the outbreak.

A Multi-Billion Dollar Business

„B.E.C. is the number one emerging threat for cyber-crime in the world” – said Lance Rollins, FBI assistant legal attaché, in his keynote. B.E.C. losses totaled 1.77 billion dollars in the U.S. in 2019, nearly half of all cyber-crime damages.

„B.E.C. is highly profitable, and cyber criminals are innovative. In the U.S., the average bank robbery gets you 2-3 thousand dollars, a strong-arm robbery gets you 1 thousand dollars on average, while in the case of B.E.C. crimes, around 70 thousand dollars is the average. Most of the time when the FBI is getting involved, it is a much higher volume of money” – Rollins adds.

Quick reporting of an attack is essential as recovery rates drop sharply if victims wait to report.

„If you report in the first 24 hours of the attack, there is about a 70% chance you might get back some of the funds. Then it drops drastically. 3-4 days out, the likelihood of you seeing money is slim” – he continues.

While Hong Kong and China are the main beneficiaries, unfortunately Hungary is also a money mule location, with approximately 1% of the stolen money ending up here, which is a lot considering the size of the country.


Prevention is key

Following the keynotes, our expert panel discussed how businesses can prepare their employees and defend themselves from attacks.

„Prevention has three pillars: data & IT security, the protection of the office building; policies, procedures and controls, and the third and most important, the employees” – says Dr. Annamária Nádai, Medtronic Hungary’s compliance specialist.

„Financial departments and back office departments who work with third parties, customers and business partners are the most vulnerable” – she continues.

Employees need information about the latest trends in cyber-crime, and interactive, practical trainings that equip them with the knowledge to spot these attempts.

Alexandra Gerst, an attorney at Microsoft’s Digital Crimes Unit, believes companies should test the awareness of their employees with simulated phishing emails sent by the internal IT department.

„It is a powerful tool to test if the employees fall for B.E.C. attempts. There is an element of shock to this method and this personal experience makes employees a lot more careful the next time they are about to open emails and links” – she explains.

Besides training, up-to-date information and a solid infrastructure, one of the simplest defenses against this type of attack is a phone call.

„Take the extra time to follow up with pre-established contacts” – says Rollins. „Give people the ability to make the decision to confirm invoice or transfer requests.”

Always One Step Behind

Businesses these days are equipped with sophisticated multi-layered security systems, and employees receive special training. „How is it possible to have weaknesses in these systems?” – asks Dr. Judit Budai, Partner at Szecskay Attorneys at Law.

Rollins reminds us that cyber criminals are creative people who usually have a background in IT and are often familiar with the defense systems and mechanisms companies use.

„The bad guys keep adapting their lures to take advantage of current events, like COVID-19, to deceive victims” – answers Gerst.

„The methods are changing all the time, they are extremely sophisticated, and these people are difficult to trace” – says Dr. Dávid Kőhegyi, Local Partner and Head of Compliance and Investigations at DLA Piper Budapest.

„The landscape has changed dramatically in the last few years, B.E.C. has become a multi-billion dollar industry. Extortion groups combine ransomware attacks, where they hold your compromised information hostage, with the public release of stolen information” – he continues.

Dr. Kőhegyi’s firm, DLA Piper, was a victim of a large-scale ransomware attack in 2017. Andrew Darwin, DLA Piper Global Co-Chairman and Senior Partner, was one of the leaders who oversaw the response, and he provided an insight into the attack.

„For a while we had no email, no telephones, no HR systems and no finance systems. We were relying on cellphones without access to mobile email” – he recalls the impact of the NotPetya attack.

„Our firm is now stronger and more resilient. We learned some huge lessons in a painful way.”

His main advice to firms who are looking to upgrade their defense systems and strategies is that these cyber-attacks and their impact should never be underestimated; everybody must prepare as if they are next.

Since cyber-crime is always one step ahead of security measures, it is crucial to stay vigilant.

„Besides awareness, mindset and attitude are of great importance. It is important to establish a culture of trust where employees feel encouraged to ask questions when in doubt – not just in IT and data compliance” – closes Dr. Nádai.



AmCham would like to thank the sponsors of today’s event: DLA Piper and Microsoft.