🐑 On the Growing Threat of Business Email Compromise

📧 Growing threat of Business Email Compromise (BEC) attacks.

Email is the backbone of modern business communication, and by the same token the backbone of cybercrime. There are 2.4 billion emails sent per second, and in 2022 the FBI recorded 21,832 reported BEC incidents, resulting in over $2.7 billion in losses. Ransomware makes the headlines, but the unspoken truth is that BEC is very common on Guam. Many companies have recorded financial losses because they were unaware they were being targeted in the first place. Let's dive into some of the details and discuss ways to combat these common issues.

💡 According to Proofpoint, an American enterprise security company, a BEC attack unfolds in four phases:

PHASE 1 – Email List Targeting

The attackers start by building a targeted list of emails. Common tactics include mining LinkedIn profiles, sifting through business email databases, or even searching various websites for contact information.

PHASE 2 – Launch Attack

Attackers roll out their BEC campaign by sending mass emails. Malicious intent is hard to identify at this stage because attackers use tactics such as spoofing, look-alike domains, and fake sender names.

PHASE 3 – Social Engineering

At this stage, attackers impersonate individuals within a company, such as the CEO or staff in the finance department. It's common to see emails that demand an urgent response.

PHASE 4 – Financial Gain

If attackers succeed in building trust with an individual, this is typically the stage where the financial loss or data breach occurs.

These attacks are often difficult to detect and can result in financial loss, reputational damage, and legal consequences. To prevent Business Email Compromise (BEC), businesses should implement strong email security protocols.
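The tactics named in Phases 2 and 3 (spoofed internal domains, look-alike domains, fake sender names, and urgent payment language) all leave traces in message headers that a mail gateway or SOC script can check before a human ever reads the message. The following is an added example written for this post; it is not code from adahi.tech, Proofpoint, Huntress or Curricula. The organization domain `example-corp.com`, the protected executive name "Jane Doe", and the three sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed configuration (hypothetical organization).
TRUSTED_DOMAINS = {"example-corp.com"}
# Display names that attackers commonly impersonate (Phase 3): executives, finance staff.
PROTECTED_NAMES = {"jane doe"}
# Urgency / payment language typical of the social-engineering phase.
URGENCY_WORDS = re.compile(
    r"\b(urgent|wire|immediately|asap|transfer|invoice|payment)\b", re.I
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: set, max_dist: int = 2) -> bool:
    """True when the domain is a near miss of a trusted domain but not identical."""
    return any(0 < levenshtein(domain, t) <= max_dist for t in trusted)


def analyze(raw: str) -> list:
    """Return a list of BEC indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []

    # Fake sender name: a protected display name on an address outside our domain.
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append("display-name impersonation")

    # Look-alike domain: one or two characters away from the real one.
    if from_domain not in TRUSTED_DOMAINS and is_lookalike(from_domain, TRUSTED_DOMAINS):
        findings.append("look-alike domain")

    # Reply-To pointing elsewhere diverts the conversation to the attacker.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to mismatch")

    # Spoofing: claims to be our own domain but the receiving MTA saw no DMARC pass.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in TRUSTED_DOMAINS and "dmarc=pass" not in auth:
        findings.append("internal domain without DMARC pass")

    # Urgent money language in subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if URGENCY_WORDS.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency/payment language")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = """From: Jane Doe <jane.doe@examp1e-corp.com>
To: accounts@example-corp.com
Reply-To: jane.doe@examp1e-corp.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process this transfer immediately.
"""

SAMPLE_SPOOFED = """Authentication-Results: mx.example-corp.com; dmarc=fail header.from=example-corp.com
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Reply-To: jane.doe.ceo@webmail-example.test
Subject: Invoice payment overdue
Content-Type: text/plain; charset="utf-8"

Reply to this address only.
"""

SAMPLE_LEGIT = """Authentication-Results: mx.example-corp.com; dmarc=pass header.from=example-corp.com
From: Bob Smith <bob.smith@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch menu for Friday
Content-Type: text/plain; charset="utf-8"

Tacos or pizza?
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)]:
        print(label, "->", analyze(sample) or "no indicators")
```

The checks are deliberately cheap so they can run on every inbound message; a hit does not prove fraud, it is the trigger for the out-of-band verification described in the Blue Team section below. The DMARC check relies on the `Authentication-Results` header that your own receiving mail server adds, so strip any copy of that header arriving from outside before trusting it.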

πŸ›‘οΈBuilding resiliency for email threats.

🔵 Blue Team: to protect your organization from BEC, ensure your employees are trained to recognize suspicious behavior. For example, if an email requests a transfer of funds, 👍 verify the request 👍 through a secondary channel, such as a phone call or in-person confirmation, to prevent fraudulent transfers and protect your organization's finances.

Other email security protocols include:

  • Two-factor authentication: Adding an extra layer of security to email accounts.

  • End-to-end encryption: Securing the contents of emails from interception by unauthorized individuals.

  • Educating employees: Providing them with email safety best practices so they don't fall victim to email-based attacks. Make this a requirement for all employees and include it when onboarding new team members. It is also required by regulatory and compliance frameworks, so keep proper documentation.

🔴 Red Team: simulate an attack by launching a phishing exercise in your organization. Keep it on the down low, and observe user behavior using a tool that has reporting and analytics on who clicked links. A/B test different social engineering tactics to gauge the level of awareness in your organization.


There are many vendors that provide training and phishing simulations. At adahi.tech, we are official partners with Huntress and Curricula. The platform is simple and has some really helpful automation to ensure effectiveness and compliance.
