Phishing is one of the primary tactics used by attackers. They can target a considerable amount of people, at a significant number of companies causing far-reaching damage to businesses such as tricking users to handing over credentials, data, valuable assets and money transfers. Business email compromise (BEC) or a ‘man-in-the-middle’ attack, is a form of phishing that is on the rise with a reported 58 per cent increase in attacks in the UK alone. According to the UK Cyber Security Breaches Survey 2019, fraudulent emails and impersonating organisations in emails are two of the most common attacks for businesses and charities, ahead of viruses and ransomware.
A BEC attack is where a cybercriminal uses email fraud gaining access into a corporate email account or impersonating a real owner - often a high-level executive or trusted vendor - to convince an employee, customer, or supplier, to transfer money to a fraudulent account or disclose sensitive information. Attackers typically combine a range of social engineering techniques to manipulate their victims into action or gain access to email. With this in place, the ‘man-in-the-middle’ is not only able to eavesdrop on private conversations but potentially target information within the network.
Often because BEC attacks don’t involve malware, they are trickier to identify. Attackers dedicate time to create convincing emails to infiltrate a company making them increasingly difficult to spot. The far-reaching consequences that a BEC attack could have on business would be devasting. As a result, businesses must proactively protect themselves, their assets and valuable information.
Protection starts with user training
Frequently the success of BEC campaigns is due to low levels of user-awareness concerning how attackers imitate and operate as companies or high-level executives. Businesses should realise employees play a primary role in any organisation’s security defence.
Prevention is the best protection and equipping employees with the education of how to operate safely and knowledge of how to spot and report suspicious activity and phishing attempts dramatically reduces risk.
Security awareness training during an employee’s onboarding process is a good start but should be reinforced on a regular basis such as annually to keep best practices top of mind. Security teams can also conduct periodic assessments to uncover risks that may otherwise have been unnoticed.
BEC attacks are highly targeted and tailored to imitate a notification from a trustworthy source, therefore organisations need to be vigilant about informing employees about this type of threat, and others as they emerge. Security training can get users into the habit of following best practices and keep security awareness top of mind. Employees will be aware of potential threats and feel encouraged to examine emails and confidently decline or double check what they perceive as a dishonest request. A security-aware culture is essential for a company’s front-line defence.
Identity security and protecting Office 365
With the number of tools readily available to cybercriminals for carrying out man-in-the-middle attacks, verifying login attempts and securing email accounts is another cybersecurity strategy in defending against BEC and other phishing attempts.
Office 365 is a prime target for compromise with nearly 60 per cent of sensitive data in the cloud is stored in Microsoft Office documents, and 80 billion messages sent to inboxes in a month. It may be surprising to know many deployments are protected with only a password which startling as it is well known over 80 per cent of breaches are due to stolen credentials. Modern identity and access management solutions such as multi-factor authentication (MFA) fortifies access protection by looking at multiple factors – such as something a user knows (e.g. a password), something a user has (e.g. device), and something a user is (such as a biometric) - ensuring the user is who they say they are and thwarting attackers from gaining admission to email accounts to launch BEC attacks.
Adaptive authentication is an additional protective solution that analyses each access request, further enhancing MFA. By checking characteristics such as device recognition, IP reputation, geo-location and phone number fraud, it enables IT security teams to easily identify legitimate Office 365 users while denying attackers – even if they have stolen credentials. Adaptive authentication also works in the background and invisible to the user, therefore staying out of their way for a seamless user experience. The more known about identities attempting access, such as the device, location, IP address, and behaviour, the better IT teams can protect their business.
Take action to prevent future attacks
In the age of digital transformation, it’s important to understand the types of threats that compromise online security of sensitive business information. By bringing together network, endpoint, and identity security, weaknesses caused by various phishing attempts can be removed. In addition to technology measures, employees should receive regular awareness training and best practice tips to identify suspicious phishing efforts from an executive and know the right procedures to take to report suspicious activity. Improving Office 365 – the most used cloud application in the world today - protection beyond the password can prevent attackers from walking through the front door and compromising email accounts. This reduces the attack surface previously exploited for attackers to gain a foothold. Modern access management even reduces login fatigue and provides a better user experience.
Informed and educated employees, and secure access management control are key when protecting a company from the most common attack vectors. It’s time to reinforce businesses and prevent business email compromise attacks.
Karl Barton, Senior Director, International Channels and Alliances, SecureAuth Corporation