Business Email Compromise: Battling Advanced AttackersUltra-Lucrative Campaigns Continue, Warns David Stubley of 7 Elements
Many businesses don't seem to be able to stop business email compromise schemes. "Incidents are just increasing; there's a huge volume of business email compromises," says David Stubley, CEO at 7 Elements, a security testing firm and consultancy in Edinburgh, Scotland.
"We're seeing three broad groupings," Stubley says, and while the specifics are unique to each victim, in general, most of these attacks have the same goal. "They're all trying to effect a financial payment away from the organization," he says.
Such payments can be substantial. In a case recently investigated by 7 Elements, for example, a victim paid $900,000 by responding to a fake invoice submitted by an attacker.
In a video interview at Information Security Media Group's recent Cybersecurity Summit in London, Stubley discusses:
- Low-skilled attackers' tactics;
- How more professional attackers operate;
- Groups that break in via elaborate phishing schemes but only steal data - and why this is especially troubling;
- Essential defenses.
Stubley is the founder and CEO of 7 Elements. He was previously manager of penetration testing services for Royal Bank of Scotland, and he served as a penetration testing project manager for Britain's Ministry of Defense as well as an IP technical security engineer for MCI WorldCom.