Real-World Examples of Cybersecurity Nightmares That Could Have Been Avoided – Part 2

Security and compliance awareness training transforms a company’s greatest security risk — its people — into its greatest defensive asset. When companies empower their employees through security awareness training, they gain a host of unbeatable benefits like reduced security costs, increased compliance, and a big edge against cyberattacks. Over our 3 Part Series, each scenario offers a concrete example of the cyber dangers that organizations are facing today and the consequences of failing to prepare employees to handle them.  

Scenario #2: A BEC Disaster

While ransomware may be the cyberattack that gets all the attention, business email compromise (BEC) is the cyberattack that can do the most damage to businesses. BEC is the costliest cybercrime, with an adjusted loss of approximately $1.8 billion in 2021. BEC typically starts with a phishing message and ends with cybercriminals getting cash or credentials from the victim. 

Here’s how a BEC incident might unfold for a business: 

An employee at Company A receives an email that appears to be from their contact at Company B — a service provider for Company A. The email tells the user that they need to pay a legitimate outstanding invoice and warns that their service may be disrupted if they don’t pay it immediately. Company A usually pays Company B via wire transfer. The message advises Company A that Company B’s banking information has changed, and Company A should send payment to this new account. Company A complies, sending a large sum of money to the new account. However, there is no new account for Company B, and Company A has been scammed. 

What might happen if an employee action at my company causes this security failure? 

Any or all of the following could happen, and all of these consequences are unpleasant. 

If you work at Company A: 

  • Your company sends almost always unrecoverable money to cybercriminals via wire transfer, gift card or electronic payment. 

If you work at Company B: 

  • An employee gives up their password, enabling cybercriminals to log in to your systems. 
  • Bad actors obtain a privileged password that allows them to access sensitive systems or data. 
  • Cybercriminals take over accounts that enable them to pose as your company to commit other cybercrimes. 

Possible Outcomes 

Both companies incur big expenses and bigtime trouble.

Company A  

  • An employee transfers large sums of money to the cybercriminals. The median cost of a BEC loss is $764,000. 

Company B 

  • The cybercriminals are able to snatch credentials that give them access to a privileged user account, like an administrator account, that allows them to deploy ransomware or other malware. 
  • The victim company has to undertake an expensive, time-consuming incident response. BEC has the highest cost per incident of any cyberattack.  
  • The threat actors are able to use the employee password that they obtained to access data like customer lists, client or patient files, and financial information.
  • The bad guys steal customer PII (Personal Identifiable Information), an element included in 44% of breaches at an average cost of $180 per record. 
  • Bad actors are able to take over a legitimate employee email account and use that account to pose as legitimate representatives of the employee’s company to launch new BEC schemes.  

How does security awareness training help? 

If you’re Company A, training helps by making employees more vigilant. A security-savvy employee would smell a rat in this scenario. They’d know the best practice here would be to contact Company B via other means (like a phone call) to verify the legitimacy of the request and notify their supervisor or IT team of the issue. 

If you’re Company B, training helps by teaching employees to be wary of anyone asking for their login credentials. Security awareness training empowers employees with the knowledge that they need to avoid cybercriminal traps like that that can lead to a BEC incident. That’s one reason why security-related risks are reduced by 70% when businesses invest in cybersecurity awareness training. 

By preventing an employee from getting fooled, Company B also avoids an expensive, stressful incident investigation and cleanup. Even a modest investment in security awareness and training has a 72% chance of significantly reducing the business impact of a cyberattack. 

Security and Compliance Awareness Training is Easy and Affordable

With risks like these around every corner, it’s easy to see why every company needs to make a powerful defense against phishing a top priority to avoid joining the ranks of the 60% of businesses that fold in the wake of a cyberattack. The Interactive Security’s security awareness training platform answers that call. 

Our security awareness training solution is packed with features that make the training process efficient, effective, and easy. 

  • Preloaded phishing kits help employees learn to spot and resist the phishing lures or scenarios they face every day. 
  • Video lessons on subjects like ransomware, compliance, password safety, security hygiene and more give every employee a solid grounding in cybersecurity best practices. 
  • We add 4 new videos a month in 7 languages to make sure that your users are trained on the risks and compliance requirements that they’re facing right now! 
  • Automate training delivery, testing, and reporting. 

Emory Vandiver

Emory Vandiver is the Vice President of Business Operations and a Partner at Interactive Security, where he is responsible for executing the company's strategy as a premier IT Security and Compliance provider. For over 20 years Emory has worked for leading enterprises across a diverse cross section of the information technology industry. His professional passion lies in understanding client business goals, challenging the status quo and leveraging technology-based solutions to maximize client performance. He strives to bring unique insight and value to his clients' businesses, along with a superior customer experience.