Business Email Compromise (BEC) is a sophisticated form of phishing attack in which a criminal, posing as an executive, tricks someone into providing valuable information or moving money directly into the attacker's bank account. Many are surprised to learn that Business Email Compromise, not ransomware, still headlines the list of most dangerous cybercrime methods, and by a large margin.

Hitting organizations of all shapes and sizes, BEC is consistently ranked by the FBI as the top form of cybercrime. It's a serious problem that is only getting worse. To counter the threat of a Business Email Compromise attack, people and companies need to be aware of the threat and how to defend against it.
Awareness is the keystone of a BEC-resistant perimeter. Around 90% of cybersecurity breaches happen because someone interacted with a phishing email. BEC attacks are designed to be the most convincing of fraudulent emails, and the hardest to spot. But people can be trained to outsmart the criminals, who are constantly updating their tactics.

Effective security awareness training must be designed to adapt to the cutting edge of the threat. It needs to engage workforces with phishing simulations and educational content that is relevant and tailored to individuals. Cookie-cutter approaches don’t work.

Good phishing exercises mimic the actual phishing threats an organization will encounter. To use a sports metaphor, it’s a combination of skill drills and scrimmages that train employees how to spot the telltales of an attack, and how to react to the real thing (spoiler: hit the report button!).

Engagement is key. You need as many employees as possible to buy in and to participate in training for the long haul. That will keep their eye for security sharp. Customized learning paths and gamified content have been shown to sustain employee engagement.

CISOs around the world agree that participation is pivotal for results. If employees aren’t engaging with training content because it’s uninteresting or irrelevant to them, then they won't learn. Well-designed phishing simulations train your employees to spot the telltale signs of a BEC attack and, critically, how to respond appropriately.
BEC attackers will often buy up domain names similar to their target’s domain. For example, if your company’s domain is myapple.com, a fraudster might register miapple.com or myapp1e.com. Make sure that your company purchases any domain names similar to its own.
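Buying up lookalike domains only covers the ones you thought of, so a mail gateway or SOC also wants to flag sender domains that merely resemble the company domain. The following is an added example, not code from the original article: it folds common homoglyph swaps (the 1-for-l in myapp1e.com) and uses edit distance to classify a sender against a protected domain; the protected domain and sample addresses are constructed for illustration.

```python
"""Flag sender domains that look like a protected domain (lookalike check).

Added example, not from the original article. The protected domain and the
sample sender addresses are constructed for illustration.
"""

# Characters attackers swap for visually similar ones; folding them first makes
# "myapp1e.com" collapse onto "myapple.com".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize_label(label: str) -> str:
    """Fold common homoglyph substitutions in a domain label."""
    s = label.lower().translate(HOMOGLYPHS)
    for seq, repl in MULTI_CHAR:
        s = s.replace(seq, repl)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def lookalike_verdict(sender: str, protected: str, max_distance: int = 2) -> str:
    """Classify a sender as 'exact', 'lookalike' or 'unrelated' to the protected domain."""
    domain, protected = sender_domain(sender), protected.lower()
    if domain == protected:
        return "exact"
    s_label, _, s_tld = domain.rpartition(".")
    p_label, _, p_tld = protected.rpartition(".")
    # Same label on another TLD, or a label within a few edits on the same TLD
    # after homoglyph folding, both count as lookalikes. Tune max_distance down
    # for short company names to limit false positives.
    if normalize_label(s_label) == normalize_label(p_label):
        return "lookalike"
    if s_tld == p_tld and levenshtein(normalize_label(s_label), normalize_label(p_label)) <= max_distance:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders built around the article's example domains.
    for addr in ["ceo@myapple.com", "ceo@miapple.com", "cfo@myapp1e.com", "news@example.org"]:
        print(f"{addr:20} -> {lookalike_verdict(addr, 'myapple.com')}")
```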
Carry out a risk assessment on any procedure that may be compromised in a BEC attack. For example, does your firm double-check financial movement requests over a certain amount? BEC attacks are notorious for re-directing large invoice payments to a bad actor's bank account. If risks are identified in any areas that could be exploited in a BEC attack, find procedural ways to close the gap. This could be as simple as requiring a phone call check – to a recipient’s verified number – before submitting payment for an invoice.
BEC attacks hinge on compromising a C-level executive’s email. Most email systems allow you to set up a second factor to authenticate access to the account. The second factor is applied after a person enters their username and password, and is typically a mobile authenticator app, such as F-Secure or Microsoft Authenticator, or an SMS text code. The attacker would thus need both the email account credentials and the target victim’s mobile phone to execute a BEC attack.
Phish come in many colors. One possible payload of a malware infection is a keylogger, which records a victim's keystrokes. This enables theft of login credentials and other sensitive data by capturing whatever the infected person types.

Malware infection usually depends on software flaws. Ensuring that all software is fully up to date and that security patches are applied promptly reduces the chances of infection. Using anti-malware applications as part of a wider security strategy, including security awareness training, also helps mitigate the risk of infection.
Business Email Compromise is the kingpin of cybercrime. No person or organization is immune. All businesses must take the threat seriously. A single fraud can bilk organizations of hundreds of thousands, even millions, of dollars. For victims of BEC scams, the impact on their lives and livelihoods can be catastrophic.

BEC fraud is much more than a simple ‘hit and run’ crime like phishing for credentials. It is insidious, subtle, and deliberate. The cybercriminals take their time to survey their target, understand their business, and spoof or steal email accounts. The cybercriminal burrows under the victim organization's skin before impersonating an executive and bleeding the business of funds.

The best first preventative measure against BEC fraud is awareness. Certainly, a strong technical layer, e.g. domain protection and robust authentication, is a vital component of a BEC prevention strategy. But no technological perimeter is air-tight. Bad actors have cultivated their multi-billion-dollar illicit industry by learning how to bypass the firewalls via manipulation of people, from the top to the bottom of the org chart. Getting BEC-aware across your organization is the keystone of a sustainable defense.

BEC is not a game. It is a serious attack on the very heart of your organization, targeting your top people in order to drain your finances. Fortunately, we have the means to tackle this growing threat at our fingertips by making our staff BEC-aware. An awareness training program that promotes security culture and continuous learning is the only way to really lower risk and prevent BEC crime.