U.S. security authorities are warning videoconferencing users of an increased risk of fraud. In the past two years, for example, there has been a sharp increase in the number of cases in which attackers have used hijacked credentials to obtain data or money.
BEC: Data theft worth billions
Business email compromise (BEC) has become a lucrative branch of the phishing business in recent years. For 2020, the FBI cited cases with total losses of 1.8 billion US dollars. Unreported cases are likely to account for a much larger dark figure. At the core of these schemes is the use of forged, stolen, or hijacked email addresses to gain access in order to steal trade secrets or initiate monetary payments. In most cases, they come with very believable background stories, which can often take even trained personnel by surprise.
Videoconferencing: new playing field for fraudsters
With the pandemic-induced worldwide surge in working from home and remote videoconferencing, criminals' appetites also grew. For example, the FBI saw a significant increase in BEC incidents that targeted videoconferencing. At first glance, this may seem a bit strange, since this form of crime is actually tied to fraud via email. But, as is well known, one does not have to exclude the other.
Emails as Trojans
BEC operators still use emails as the first point of access to other people's business accounts. But now those accounts are also used to sneak into conferences, for example to record internal company information that can be used to penetrate deeper into company structures. Of course, this access to potentially sensitive information can also be used for industrial espionage or data trading.
Fake emails from superiors for money orders
However, warnings from the authorities show that hijacked emails can also lead to even more drastic forms of crime. For example, incidents are described in which fraudsters pose as superiors using still images or deepfakes and ask employees shortly before closing time to quickly make money orders to third parties because they themselves are too busy to do so. Or the company's accountant supposedly needs urgent access to sensitive data in order to do his job properly.
FBI tips against BEC
The FBI has compiled a list of tips to protect against attacks during video conferences. For example, all participants should agree on the platforms to be used during the transmission and also confirm them to each other. The agency also recommends using two-factor authentication to verify short-notice changes to accounts.
Also, one should always check emails and domains for mismatches. Discrepancies in this area, even if they are minimal, could indicate a compromise. According to the FBI, the best way to avoid unpleasant surprises is to completely refrain from passing on personal information via email.
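The domain comparison recommended above can be automated at the mail gateway or in a triage script. The following Python sketch is an added example, not part of the FBI guidance or the original article; the trusted domain `example.com`, the character-swap table, the edit-distance threshold and the sample message are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"example.com"}  # assumption: the organisation's own mail domains
# Character swaps often used in lookalike domains (constructed, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def fold(domain):
    """Collapse visually confusable characters so near-twins compare equal."""
    return domain.translate(SWAPS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Extract the lower-cased domain from an address header ('' if absent)."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower().rstrip(".")

def classify(domain, trusted=TRUSTED):
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Threshold of 2 edits is an assumption; tune it for short domains.
        if fold(domain) == fold(good) or edit_distance(domain, good) <= 2:
            return "lookalike"
    return "external"

def check_message(raw):
    """Return findings for one raw message (headers plus body)."""
    msg = message_from_string(raw)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if classify(sender) == "lookalike":
        findings.append(f"From domain {sender} resembles a trusted domain")
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    return findings

# Constructed sample message, not taken from any real incident.
SAMPLE = ('From: "Managing Director" <md@examp1e.com>\n'
          "Reply-To: md@mail-example.net\n"
          "Subject: Payment before close of business\n\nDetails to follow.\n")

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A "lookalike" verdict is a prompt to verify the request over a second channel, not proof of compromise; legitimate partner domains can fall within the distance threshold.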