Cyberattacks on companies: CEO fraud and unwanted emails
Fiona Egli May 30, 2022 Cyber, Digitalisation

Stowaways in the electronic post: over 90 per cent of cyberattacks in companies start with an email. Employees divulging confidential information or clicking on malicious attachments and links can result in significant financial losses and reputational damage for companies. How can companies and their employees ensure that this doesn’t happen with the huge amounts of emails they receive every day?

Emails – a means of communication and the basis for cyberattacks

Emails are the most widely used method of communication within a company. They also happen to be the favoured method of starting a cyberattack. A total of 91 per cent of cyberattacks in companies start with an email. Almost all of these attacks via email require the recipient to actively open an attachment, click a link or transfer money.

These malicious emails can be divided into two categories: those with malware and those without malware.

Emails with malware

A total of 10 per cent of email attacks contain malware. These attacks usually come in the form of an email with an infected attachment, which can be any file type. If the recipient opens the attachment, the computer is infected. Ransomware can take down a company’s entire IT network by encrypting all of the infected computers. The hackers then demand a large ransom payment to decrypt the computers.

Emails without malware

Emails without malware are much more common, making up around 90 per cent of all attacks. For these attacks, the cybercriminals use a fake identity in order to obtain company information or data. Phishing attacks, where the victim is tricked into entering sensitive information (such as their password) on a fake website, are quite common. Once the hacker has obtained the password, they try using it on various different online services. This is why it is critical that you never use the same password for several different websites. A better option is a password vault that generates individual passwords.

CEO fraud causes unwanted transactions worth millions

One example of an email attack without malware that has caused significant losses in recent years is CEO fraud. According to an FBI report, cybercriminals generated over USD 26 billion (CHF 25 million) through CEO fraud from 2016 to 2019. CEO fraud attacks involve hackers impersonating a company CEO and asking employees to make financial transactions or send confidential documents. The hackers hope that the employees won’t sufficiently verify the authenticity of the request due to stress and pressure from managers. In most cases, the money transferred is permanently lost, as it is immediately siphoned off to a number of different accounts after the initial transfer. This means the money cannot be traced quickly enough, so the transaction cannot be reversed.

Raise awareness to avoid email attacks

How can companies and their employees ensure that this doesn’t happen with the huge amounts of emails they receive every day? New attack methods emerge on a regular basis. IT security departments need time to adapt their company security systems to each new type of attack and ensure that the emails don’t make their way into the inboxes of the employees. This is why employees should check the spelling of the sender’s address and refrain from clicking on any links or attachments. If the sender of the suspicious email appears to be a line manager or colleague, it is essential to call that person to verify that they did actually send the email. “In these situations, corporate culture makes a huge difference. Employees shouldn’t hesitate to double-check or report suspected cases to the IT helpdesk,” says Marc Etienne Cortesi, Chief Information Security Officer at Baloise. The IT team can only make the necessary changes to the security systems if they are informed about the emails.
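
The sender checks described above (spelling of the sender's address, a manager's name on an unexpected address) can also be run automatically on incoming mail. The following is an added example, not part of the original article or of Baloise's systems; the company domain example.com, the executive name and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: constructed company domain and executive name.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"alice muster"}  # display names an impersonator is likely to use


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str) -> list:
    """Return the reasons why a message's sender should be verified by phone."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Domain is not ours but differs by only one or two characters.
    if 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append("lookalike-domain")
    # Display name of an executive, but the address is outside the company.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append("executive-name-external-address")
    # Replies would go to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        reasons.append("reply-to-differs")
    return reasons


# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Alice Muster <alice.muster@examp1e.com>\n"
    "Reply-To: alice.muster@mail.example.net\n"
    "Subject: Urgent transfer\n\nPlease pay today.\n"
)
GENUINE = "From: Alice Muster <alice.muster@example.com>\nSubject: Minutes\n\nAttached.\n"

if __name__ == "__main__":
    print(check_sender(SPOOFED))
    print(check_sender(GENUINE))
```

A non-empty result is a prompt to call the apparent sender and report the message to the IT helpdesk, not a verdict on its own.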
