For business process outsourcing (BPO) firms, there’s little solace once they’ve been effectively hit by a phishing attempt. Though law enforcement in the United States and other countries take cybercrime seriously, companies feel that they have no hopes for justice or recovery if authorities get involved. As far as they’re concerned, they’re on their own.
Phishing is by far the most successful vector of cybercrime against organizations, both public and private. Nearly 300,500 victims reported successful attempts in 2021, according to the latest Internet Crime Report compiled by the FBI’s Internet Crime Complaint Center (IC3). In that ranking of successful vectors, phishing was followed at a distance by personal data breaches (58,900) and non-payment schemes (51,600).
Data from the UK’s Department for Digital, Culture, Media and Sport estimates that phishing accounts for 83% of cyber attacks in the country, with impersonation a very distant second at 27% of attacks.
Though apparently less technologically sophisticated than most cybercrime vectors, phishing has proven to be one of the most dangerous methods in the cybercriminal toolkit. Between 2013 and 2015, Google and Facebook fell for a US$100 million phishing scam. In 2016, Belgian bank Crelan was successfully hit by a CEO fraud scheme that cost the company over US$75 million.
In fewer words: phishing is no joke. Companies take the threat seriously for its potential economic impact, while government agencies see it not only as costly, but also as a considerable danger to the integrity of potentially sensitive information.
“The Internet Crime Complaint Center (IC3) is the FBI’s virtual complaint desk for people who believe they have been victimized or defrauded online. Go to https://t.co/E4nYg4azuR to submit complaints. https://t.co/p8DQZUIkIB”
— FBI (@FBI) November 21, 2017
And yet, successful phishing attempts are, like most cybercrimes, rarely reported. The IC3 estimates that only 15% of victims report cyberattacks to law enforcement. This is in spite of a self-reported 74% success rate by the IC3’s Recovery Asset Team (RAT), which freezes funds transferred by companies successfully hit by phishing attempts.
The fact is that private companies have little trust in law enforcement’s capabilities or even willingness to do anything that they consider to be genuinely helpful.
Most companies expect at the very least to recover the assets lost to a phishing attack, whether those assets are money or information. Some even hope that the culprits are eventually caught. Unfortunately, neither outcome happens often.
Companies know that hackers and other sorts of cyber criminals are very hard to track down. Most of them attack from foreign locations, which complicates the prospects of justice being served. When the attack is perpetrated against outsourced operations, the matter becomes even more complicated. Though the international community agrees on the importance of cybersecurity, and several international agreements on the matter have been signed, worldwide cooperation is still weak.
Also, private firms know that most cybercrime reports will be used as a statistic instead of as the starting point of a criminal investigation.
“They [law enforcement] are not gonna take that [report] and take action. They are using them [cybercrime reports] statistically, to track crime, trends, bad actors. They’re not really going to help you with response,” commented Keith Smith, InfoSec & Compliance Director at Transparent BPO, in an interview.
Everything Stays Inside
Once they’ve been hit by a phishing attack, the instinct of most companies will have them handle the situation on their own, avoiding any involvement by external parties, whether that be government institutions, business partners or even cybersecurity providers.
The situation has to get “real bad” before companies decide to involve anyone else besides their own team or cybersecurity partners, Smith told NSAM. Transparent BPO, for example, has systems in place that identify and isolate the threat as fast as possible, before it expands to the rest of their systems. If a machine is infected, the firm would rather dump it before more damage is done.
In the case of ransomware attacks, Smith explained, the company plans ahead by backing up information constantly to avoid paying ransom. Though forking out the money can provide access to the information once more, it’s not always guaranteed.
The FBI’s policy at the moment is that it does not support the paying of ransom after a cyber attack. The Bureau warns that “paying a ransom doesn’t guarantee you or your organization will get any data back [and] also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity”.
Besides, there’s little clarity on whether paying a ransom can be considered an illegal act in itself. The Office of Foreign Assets Control (OFAC) officially warns against ransomware payments, arguing that they could be construed as funding illicit activities, such as cyber-terrorism.
What Is Being Done?
In the face of the growing threat of cyber attacks and their own distrust of law enforcement’s willingness to solve their cybersecurity woes, private companies see shielding as the only viable option.
“Phishing has increased due to work at home, and we’re obviously more exposed to messages coming from different sources,” a Mexican company told the American Chamber of Commerce’s local chapter in its latest cybersecurity survey. “What we try to do is that all of our equipment operates securely. The company has invested a lot in the proper software, notifications and employee training.”
Phishing attempts can be deployed in a variety of forms and levels of sophistication. Some of the most obvious attempts are deployed massively, while others are tailor-made, targeting specific members of an organization. The latter ones are usually planned out attacks aimed at high-ranking officials and executives, making them particularly dangerous.
Automated filters and AI-powered tools can handle obvious phishing attempts, but the more sophisticated ones require a keener eye that can be provided, at the moment, only by a human.
That’s why training is perhaps the most powerful tool against phishing. BPOs and other sorts of companies have training programs for their new and current staff, with some installing security infrastructure and instant-report buttons in their internal mailing platforms. Keith Smith told NSAM that Transparent BPO even sends fake phishing messages to its employees to keep them on their toes. If they fail the “test”, the consequences range from a warning to more required training and, if they fail too many times, termination.
But training, which already requires time and effort, has grown more difficult in an age of remote work. While companies are able to do on-site training for new recruits, ongoing training can be challenging.
“Where the challenge comes for BPOs is that the job can be seasonal for a lot of people,” explained Keith Smith. “As people get into your company culture, they get that messaging repeatedly, they do better responding to that phishing. But for new people, it’s going to be a challenge getting them up to speed. It takes time and reinforcement.”