How aware are you of BEC attacks? Businesses of all sizes are at increasing risk from this type of cyber-crime. In fact, the FBI estimates that between 2013 and 2018 cybercriminals stole more than $12 billion through this form of fraud. Here we take a look at exactly what a BEC attack is, and what your organisation can do to mitigate the risk of business email compromise attacks.
What is a business email compromise attack?
Business Email Compromise (BEC) attacks are a dangerous and sophisticated form of phishing. Traditional phishing attacks might see cybercriminals sending large volumes of fake emails that appear to be genuine requests for information, usually in an effort to harvest personal account credentials for online services. BEC attacks, on the other hand, are more targeted and seek to compromise select business users in order to extract sensitive corporate information for greater financial gain.
Common BEC-type scams include attackers sending bogus invoices to other companies or issuing fake payment instructions on behalf of high-profile individuals such as a company CEO or Finance Director. BEC attacks are also known as man-in-the-email attacks and, because of the scammers' highly targeted approach, can often be difficult for employees to spot. Criminals will often go to great lengths to make attacks more convincing, such as closely researching individuals, supply chains and corporate news and events.
BEC attacks cost organisations huge amounts of money
A number of large-scale BEC attacks have made headlines across the last year. One of the highest profile attacks came in March 2018, when Italian football giants Lazio were tricked into transferring €2million to the bank account of a scammer. This concerned an outstanding payment owed in relation to the transfer of defender Stefan de Vrij from Dutch club Feyenoord. Lazio received an email, which later turned out to be fake, supplying alternate bank account details for the final payment.
Another well-publicised attack targeted Dublin Zoo, which was defrauded to the tune of €500,000 when it was tricked into paying invoices into a bank account controlled by criminals. The cinema chain Pathé had a truly colossal €19 million stolen in one of the most successful BEC attacks carried out to date; in that case, scammers posed as the French office of the firm and requested funds for a confidential transaction.
How staff can help protect businesses against BEC attacks
Understanding what a business email compromise attack looks like and its associated risks is the first step in safeguarding your business against this type of fraud.
Employee education is vital. BEC attacks commonly target the members of staff in an organisation with the authority to both instruct and action financial payments. Accounts departments, in particular, need to understand the danger of these attacks and how they can be identified.
There are many ways to perform staff training. A simulated phishing attack, conducted by a professional ethical hacking company, for example, can help organisations to learn how to spot the tell-tale signs of scam emails.
What else can be done to prevent business email compromise attacks?
While raising employee awareness is an important step, there are also things that businesses can do to help protect their employees and minimise the risk of an attack. Putting policies and procedures in place to verify payment requests verbally, over a known phone number rather than one supplied in the email, is an effective way to reduce the success of BECs.
Using the SPF and DMARC email authentication protocols to block email spoofing attempts, and implementing multi-factor authentication on user accounts, are also recommended.
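The SPF and DMARC recommendation above only helps if the published DNS records actually enforce a policy; a record with `?all` or `p=none` lets spoofed mail through while looking like the controls are in place. The following script is an added example, not code from the original article: it parses SPF and DMARC TXT records and flags settings that leave a domain open to spoofing, with one constructed weak configuration beside a hardened one. The record strings and the `.invalid` domains are constructed samples; in practice you would fetch the TXT records for the domain and its `_dmarc` subdomain from DNS and pass them to `assess_domain`.

```python
"""Check SPF and DMARC TXT records for settings that leave a domain open to spoofing.

Added example, not from the original article. The records below are constructed
samples; a real check would fetch the TXT records for "example.invalid" and
"_dmarc.example.invalid" from DNS and pass them to assess_domain().
"""
from typing import Optional

# Constructed sample records: a weak configuration and a hardened one.
WEAK_SPF = "v=spf1 include:_spf.example-mail.invalid ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"

STRONG_SPF = "v=spf1 include:_spf.example-mail.invalid -all"
STRONG_DMARC = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@example.invalid"
)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the 'all' mechanism ('+', '-', '~', '?'), or None if absent.

    A bare 'all' with no qualifier means '+' (pass) per RFC 7208.
    """
    for term in record.split():
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def assess_spf(record: str) -> list:
    """Return a list of findings describing why the SPF record would not stop spoofing."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("SPF: record missing or malformed (no v=spf1)")
        return findings
    qualifier = spf_all_qualifier(record)
    if qualifier is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF: '{qualifier}all' does not fail unauthorised senders")
    elif qualifier == "~":
        findings.append("SPF: '~all' only softfails; move to '-all' once DMARC reports confirm all legitimate sources")
    return findings


def assess_dmarc(record: str) -> list:
    """Return a list of findings describing why the DMARC record would not stop spoofing."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record missing or malformed (no v=DMARC1)")
        return findings
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: policy 'p={policy or 'missing'}' does not block spoofed mail")
    # When 'sp' is absent the domain policy 'p' also applies to subdomains.
    if tags.get("sp", policy).lower() != "reject":
        findings.append("DMARC: subdomain policy is weaker than reject")
    if "rua" not in tags:
        findings.append("DMARC: no aggregate reporting address (rua), so spoofing attempts go unseen")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> list:
    """Combine SPF and DMARC findings; an empty list means both records enforce a policy."""
    return assess_spf(spf_record) + assess_dmarc(dmarc_record)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"[{label}]")
        for finding in assess_domain(spf, dmarc) or ["no findings"]:
            print("  ", finding)
```

The weak pair produces three findings (an SPF `?all` that never fails a sender, a DMARC `p=none` that only monitors, and the subdomain policy that inherits it), while the hardened pair produces none. Moving from `p=none` to `p=reject` should be done after reviewing the aggregate reports sent to the `rua` address, so that legitimate third-party senders are listed in SPF before enforcement starts.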
Finally, businesses may also wish to invest in proactive network and endpoint monitoring. SIEM and EDR technologies can help to detect malicious activity before it escalates into a serious breach resulting in operational disruption, reputational damage and financial loss.