Business Email Compromise (BEC) is still a very prevalent threat to businesses, with new data proving that it accounts for more cybersecurity insurance claims than any other incident. Research from CRN shows that IT professionals regard phishing as a bigger threat to their organisations than malware, proving that businesses need to be switched on to this form of attack.  

BEC is most commonly conducted with a financial motive and sees a cybercriminal pose as a high-level executive, C-suite member or third-party partner to try and persuade an employee, usually from the finance department, to transfer large sums of money into a fraudulent bank account.

You would think that it would be simple to identify if you are the target of a compromised email – after all, we are all wary of cyberattacks now more than ever, as reports of high-profile breaches are no longer rare occurrences. However, the anonymity the internet provides, combined with the pace of business operations and advanced social engineering techniques, creates a sense of urgency about the task at hand. This allows malicious actors to pressure high-level executives into authorising large payments without following strict precautions. The nature of BEC attacks means that the C-suite is often targeted. According to the Verizon 2019 Data Breach Investigations Report, C-level members are 12 times more likely to be targeted this year, compared to last.

2nd Generation BEC

BEC can, and does, affect companies ranging from global corporations to local SMEs, regardless of industry. Even businesses such as Google and Facebook recently fell victim to large-scale BEC attacks, resulting in respective losses of £77 million and £18 million. The fact that some of the world’s leading technology companies can be breached by BEC shows just how advanced the tactics used to deploy these attacks are. While the basic pattern of BEC remains the same, variations include scammers posing as third-party suppliers demanding immediate payment, and more advanced schemes can even combine the attack with credential stuffing or breached employee data.

In addition to increasingly sophisticated email compromises, malicious actors are now turning to mobile phones. A compromised text message is much harder to spot due to the instantaneous nature of mobile communication, so recipients often do what has been asked of them without thinking. This is commonly known as smishing (phishing via SMS). Mobile attacks most commonly result in scammers acquiring the redemption codes of loaded gift cards, on the pretext that the CEO urgently needs them.

Multiple Protections Are Key

To avoid falling victim to BEC, businesses need a multi-layered approach to cybersecurity that implements a winning combination of security controls and user awareness.

Effective spam filters are an obvious place to start, but as compromised emails often don’t contain suspicious links, it’s easy for them to slip through the net. Therefore, other email protections such as scanning for suspicious keywords, and security tools such as privileged access management and multi-factor authentication, are useful ways to defend the business.
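To show what keyword scanning and a few header checks can catch that a link-based spam filter misses, here is an added example (not code from the original article or any vendor product) that scores a raw email for the BEC red flags described above: an executive's name in the display name of an external sender, a Reply-To steering replies to a different domain, and urgency, secrecy, payment-redirection and gift-card phrases in the subject or body. The internal domain, the executive names, the phrase list and both sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions (constructed for this example): the organisation's own mail domain
# and the names of executives that attackers are likely to impersonate.
INTERNAL_DOMAIN = "corp.example"
EXECUTIVE_NAMES = {"jane doe", "sam patel"}

# Phrases associated with BEC: urgency, secrecy, payment redirection, gift cards.
# Each pattern is tagged with a category so the reviewer sees why it fired.
SUSPICIOUS_PATTERNS = [
    (r"\burgent(?:ly)?\b", "urgency"),
    (r"\bimmediately\b", "urgency"),
    (r"\bbefore (?:close of business|end of (?:the )?day)\b", "urgency"),
    (r"\bwire transfer\b", "payment"),
    (r"\bnew (?:supplier|bank|beneficiary) account\b", "payment"),
    (r"\bgift cards?\b", "gift-card"),
    (r"\bconfidential\b", "secrecy"),
    (r"\bcan'?t talk\b", "secrecy"),
]


def _domain(address_header: str) -> str:
    """Return the lower-cased domain of an address header ('' if malformed)."""
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message: str) -> dict:
    """Score one raw RFC 5322 message for BEC red flags.

    Returns {'score': int, 'signals': [str, ...]}: one signal per red flag
    found, so a higher score means more indicators for a human to review.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    signals = []

    from_header = str(msg.get("From", ""))
    display_name, from_addr = parseaddr(from_header)
    from_domain = _domain(from_header)

    # 1. Display name matches an executive but the address is not ours:
    #    the classic "CEO" lookalike sent from a webmail or lookalike domain.
    name = re.sub(r"[^a-z ]", " ", display_name.lower())
    if any(exec_name in name for exec_name in EXECUTIVE_NAMES) and from_domain != INTERNAL_DOMAIN:
        signals.append(f"executive display name on external address {from_addr}")

    # 2. Replies are quietly steered to a domain other than the sender's.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(str(reply_to)) != from_domain:
        signals.append(f"Reply-To domain differs from From domain ({_domain(str(reply_to))})")

    # 3. Keyword scan over the subject and the plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    for pattern, category in SUSPICIOUS_PATTERNS:
        if re.search(pattern, text):
            signals.append(f"{category} phrase matched: /{pattern}/")

    return {"score": len(signals), "signals": signals}


# Constructed sample 1: executive impersonation from an external mailbox,
# a redirected Reply-To, and urgent, secret payment instructions.
SUSPECT_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe.ceo@webmail.example>
Reply-To: ceo-office@another.example
To: accounts@corp.example
Subject: Urgent wire transfer needed today
Content-Type: text/plain; charset=utf-8

I'm travelling and can't talk. Please process an urgent wire transfer to
a new supplier account before close of business and keep this confidential.
"""

# Constructed sample 2: a routine internal message that should score zero.
BENIGN_EMAIL = """\
From: "Jane Doe" <jane.doe@corp.example>
To: accounts@corp.example
Subject: Q3 budget review
Content-Type: text/plain; charset=utf-8

Could you send over the Q3 expense summary when you have a moment? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyse(raw)
        print(label, f"score={result['score']}", *result["signals"], sep="\n  ")
```

The score is meant to route a message to a human or to an out-of-band payment verification step, not to block on its own; a genuine executive writing from the company domain with no Reply-To trick scores only on phrasing, which is exactly why the article pairs keyword scanning with extra approval layers rather than relying on either alone.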

Educating employees on the red flags of BEC is another essential way to safeguard against the attack as it is their direct actions that could land the company in hot water. A shift in the business’ culture, to require extra layers of approval before payments are made, is also an important way to ensure a compromised email doesn’t go unnoticed.

BEC can cost companies a great deal, so it’s important to make sure that all employees, regardless of seniority, are clued up on what to look for and how to deal with a compromise. This, in combination with effective security controls, can save businesses from falling prey to this advanced social engineering attack.