“Business email compromise (BEC) is quickly becoming the worst-kept secret. Billion dollars leaves a trace, and it’s a mile wide.
According to Fortra, 23.6% of emails that made it to corporate inboxes in Q1 of 2023 were untrustworthy or malicious. This represents an increase of about 5% compared to the previous year.” See [1]
“According to the FBI’s Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) schemes have grown at a jaw-dropping rate of 2,370% since 2015. With more than 40,000 domestic and international incidents, these types of scams have cost more than a staggering $5.3 billion in actual and attempted losses.” See [2]
A BEC attack begins with cybercriminals hacking or spoofing email accounts to impersonate a company’s supervisors, management, business partners, suppliers, vendors, etc. Sometimes they also use AI tools to fake a person’s voice and use it in phone calls to trick the company’s employees.
Traditional approaches to preventing such attacks rely on the recipient paying careful attention and noticing that an email or a phone call is fake and does not come from the legitimate person. Unfortunately, such methods are not always effective, because people may be tired, under stress, short on time, etc., and fail to notice that the contact is not legitimate.
A simple way to address the BEC problem is to give each legitimate contact a personal identification code (PIC) and to ask any contact for his/her PIC to confirm his/her identity in any request for information or action. Because the number of required PICs may be large, which leads to a PIC fatigue problem, users need private dynamical password generators (DPGs) to manage multiple PICs efficiently and easily and so avoid PIC fatigue.
Let us consider an example.
John is the CIO of a company. He is responsible for the secure handling of all information in the company. To prevent unauthorized access to information, John generates unique and different PICs using private DPGs and sends them to all his contacts. He has classified 200 contacts into two groups, employees and vendors, with 100 contacts in each group. For each group, John created a list of contacts with names, numbered from 1 to 100.
The first group consists of employees. John uses “employees” as a key to generate 100 different PICs with a private DPG.
For each contact, John chooses the PIC from the DPG’s output whose number corresponds to the row number of that contact’s name in the list of contacts.
The second group consists of vendors. John uses “vendors” as a key to generate 100 different PICs with the private DPG. For each contact, John chooses the PIC from the DPG’s output whose number corresponds to the row number of that contact’s name in the list of contacts.
In this way, John can authenticate any of his contacts by asking the contact for his/her PIC.
In the same way John secures the information and all digital assets of the company. See [4]
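The procedure above can be implemented with any keyed, deterministic generator. The following is an added example, not code from the original post and not a description of any particular private DPG: it assumes the DPG is realised as HMAC-SHA256 over a secret master key, with the group name (“employees” or “vendors”) and the row number as input, so that John never has to store the PIC list itself, only the master secret and the numbered contact lists. The contact names and the demo secret are constructed for illustration; the alphabet omits 0/O and 1/I so a PIC can be read back over the phone without confusion.

```python
import hmac
import hashlib

# 32 symbols, 5 bits each, with easily confused characters removed.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Constructed demo secret; a real deployment generates this with secrets.token_bytes(32)
# and keeps it only on John's private device.
DEMO_SECRET = b"constructed-demo-master-secret-do-not-reuse"

# Constructed numbered contact lists (row number = position + 1), as in John's example.
DIRECTORY = {
    "employees": ["Alice Adams", "Bob Brown", "Carol Clark"],
    "vendors": ["Acme Supplies", "Best Parts Ltd", "Clean Co"],
}


def _encode(digest: bytes, length: int) -> str:
    """Map the first 5*length bits of the digest onto the alphabet (unbiased, 32 symbols)."""
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        chars.append(ALPHABET[n & 31])
        n >>= 5
    return "".join(chars)


def expected_pic(master_secret: bytes, group_key: str, row: int, length: int = 8) -> str:
    """Derive the PIC for one row of one group: HMAC(master, "<group>:<row>")."""
    msg = f"{group_key}:{row}".encode()
    digest = hmac.new(master_secret, msg, hashlib.sha256).digest()
    return _encode(digest, length)


def generate_pics(master_secret: bytes, group_key: str, count: int, length: int = 8) -> list:
    """The DPG output for a group: pics[i - 1] is the PIC for row i of the contact list."""
    return [expected_pic(master_secret, group_key, row, length) for row in range(1, count + 1)]


def verify_pic(master_secret: bytes, directory: dict, group_key: str, name: str, presented: str) -> bool:
    """Check a PIC quoted by a caller claiming to be `name` in `group_key`.

    Returns False for unknown groups or names rather than raising, so a caller
    who is not in the list simply fails authentication. Comparison is constant-time.
    """
    names = directory.get(group_key, [])
    if name not in names:
        return False
    row = names.index(name) + 1
    expected = expected_pic(master_secret, group_key, row)
    candidate = presented.strip().upper().encode()
    return hmac.compare_digest(expected.encode(), candidate)


if __name__ == "__main__":
    # John prepares the two groups once and hands each contact its PIC.
    for group, names in DIRECTORY.items():
        pics = generate_pics(DEMO_SECRET, group, len(names))
        for row, (name, pic) in enumerate(zip(names, pics), start=1):
            print(f"{group:9s} row {row}: {name:15s} PIC {pic}")
    # Later, a caller claiming to be Bob Brown quotes a PIC; John checks it.
    quoted = expected_pic(DEMO_SECRET, "employees", 2)
    print("Bob Brown authenticates:", verify_pic(DEMO_SECRET, DIRECTORY, "employees", "Bob Brown", quoted))
```

Because the PICs are derived rather than stored, losing the list costs nothing and re-keying a compromised group means changing the group key or the master secret and re-issuing; a PIC quoted by a caller is only ever compared against the value recomputed for the name and group the caller claims, so a vendor’s PIC does not authenticate anyone in the employee list.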
This method can be used by any business to prevent BEC attacks, social engineering via fake voices (generated by AI tools or special voice synthesizers) in phone calls, etc.
If you like this method, you can combine the pleasant with the useful by making an educational video on this topic and offering it to businesses, organizations, hospitals/clinics, schools, etc. for a small fee.
References:
[1] https://www.fortra.com/blog/top-5-takeaways-from-fortras-2023-business-email-compromise-bec-report
[2] https://www.weststarbank.com/our-info/bec-attacks--what-they-are-and-how-to-protect-yourself
[3] https://www.cyberdefensemagazine.com/e-mail-compromise/
[4] https://www.publish0x.com/simple-solutions-to-complex-problems/a-simple-way-to-protect-multiple-content-files-xxvzoww