We know you've seen the headlines: Cyberattacks are hitting enterprises at unprecedented rates. And business email compromise (BEC) attacks, in particular, are striking more often, leading to a loss of $1.8 billion in 2020, according to an FBI report.
BEC attacks are cyber-attacks in which a malicious actor uses a fake email account to pose as a member of a legitimate organization, often a colleague or other known business contact. This tactic makes them much more difficult to spot and requires employees to stay informed about the latest tactics.
Criminals often rely on specific tactics to perpetrate BEC scams, including:
A fundamental step in safeguarding organizations against BEC is to provide employees with adequate cybersecurity training. Employees should know the risk and implications of these attacks and how to respond to an incident. A firm grasp of cybersecurity leading practices can foster a sense of responsibility throughout the organization.
An effective training program emphasizes the central role that grooming plays in these attacks. BEC succeeds not so much because of its technological sophistication but for exploiting human vulnerabilities. Clear communication of roles and expectations and guidance in the appropriate use of IT and accounting controls can empower employees as the front line of risk mitigation.
For all its psychological manipulation, BEC is not necessarily sophisticated from a technical standpoint. Most BEC attacks originate from spear-phishing or spoofing an internal email account. IT controls such as application-based multi-factor authentication (MFA), and virtual private networks (VPNs) can be prevented or detected.
Another practical anti-BEC approach is to use encryption to authenticate emails and allow users to exchange data safely. Encryption software translates the data into the code for transmitting over a network. The transmission is unintelligible without a 'public key' to decrypt the data.