Every day, fraudulent email activity costs organisations millions of dollars in lost business and stolen assets. Business email compromise (BEC) in particular now appears regularly in news headlines, and it has proven to be one of the most effective and dangerous email-based attacks in today's threat landscape.
In fact, the FBI has had to issue three public service announcements in the last year-and-a-half, with the most recent one quantifying BEC losses over those same 18 months. These attacks are well documented and often begin with a simple, believable email that appears to come from the chief executive to a member of the finance team, requesting an urgent wire transfer.
Unless staff understand what to look for, they run the risk of rushing to satisfy what looks like a senior manager's request, which is exactly why BEC has become an attack method of choice for malicious actors looking for a fast, effective hit with a large return.
To properly defend against this attack vector, organisations need to properly prepare and inform staff to recognise a BEC attempt when it arrives and report it before it has a chance to cause any real damage.
When examining defensive measures, it's important to debunk the myth that BEC scams are easily spotted and mostly target the technologically illiterate. In fact, these attacks are extremely well crafted in their attempt to replicate the tone, look and feel of a typical correspondence from an organisation's senior officer. Technology vendors building solutions to stop this type of fraud are not immune either; even PhishMe has been targeted with this sort of scam in the past. The point is that every organisation, big and small, is a potential victim, so measures must be taken to defend against these intricate email scams targeting end users.
Malicious actors do plenty of research on their targets, often tapping into social media accounts to glean names, job titles and relevant information such as the travel plans of senior staff. This allows the actor to compose the most convincing fraudulent request possible, for example timing the email for when the chief executive is known to be unreachable. In America, the FBI has issued a formalised warning about BEC scams because of their prevalence. In France, these are known as the "President's Scam", and the fraudster credited with originating the scheme, Gilbert Chikli, has since been tried in absentia for his crimes.
Last year Centrify, a company that provides identity management services, raised further BEC awareness by detailing eight BEC defrauding attempts against its own organisation.
Adopt a people-first solution
Increasingly, we are seeing savvy business and technology executives take a people-first approach to defending against phishing and BEC attacks. Through phishing resiliency programs, executives make clear to employees what signs to look for in these email scams, and they set simple, unambiguous rules, for example that an executive will never request a money transfer or wire via email, so that any such request is by definition suspicious and must be verified out of band.
By empowering people to act as a last line of defence against these email-based attacks, organisations close large susceptibility gaps by strengthening the group targeted the most: their employees. Through successful anti-phishing programs, employees who undergo immersive simulations for phishing, BEC and other email-based scams learn how to properly recognise and report real suspicious emails, reducing the likelihood of a breach. This is particularly relevant in high-transaction, ecommerce-based businesses, which are frequent targets for these scams.
It is important to demonstrate to employees through immersive simulations just how believable these fraudulent emails can be, as well as to give them the proper tools to identify such emails and report them to their organisation's security operations team.
We suggest a five-step approach to begin fortifying against dangerous email-based attacks:
- Step one - Enable two-factor authentication across email accounts company-wide, so that a stolen password alone is not enough to take over the mailbox an attacker would use to send "internal" requests. If your email provider does not offer this, change providers.
- Step two - Publish a DMARC record on your company domain so that messages spoofing your real domain are not delivered. Note that DMARC only has an effect once SPF and DKIM are set up and the policy is set to quarantine or reject; a record with p=none merely reports. Note also that DMARC covers your exact domain and its subdomains only; it does nothing against look-alike domains or forged display names, which employees must still be trained to spot.
- Step three - Make sure you are using different passwords for each online service; use a password manager if needed.
- Step four - If your business does wire transfers (these are some of the riskiest transactions, as they usually cannot be recalled), ensure you have dual approval and authentication for all wires, and verify any new payee or change of bank details by phone on a number already on file, never on one supplied in the email itself.
- Step five - Begin building an immersive anti-phishing program designed to empower employees to recognise and report suspicious emails within your organisation.
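Step two is the one item in this list that can be checked mechanically. The following Python is an added example, not PhishMe's code or any tooling the article describes: it parses a DMARC TXT record, flags the settings that would let spoofed mail through (monitor-only policy, unprotected subdomains, partial enforcement, no reporting address), and shows why a DMARC policy for example.com says nothing about a look-alike domain. The records, domain names and mailbox addresses are constructed for the example.

```python
"""Check a DMARC record for settings that still let spoofed mail through.

Added example for the article's "step two"; the records below are constructed
for illustration and do not belong to any real domain.
"""

# Constructed sample records (assumed, not real DNS data).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=reject; sp=none; pct=10"
ENFORCING_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com"
)


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a lowercase-keyed dict."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record: missing v=DMARC1")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    findings = []

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid policy tag p={policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed messages are still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to spam instead of rejecting them")

    # sp= defaults to p=; an explicit sp=none leaves e.g. finance.example.com open.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")

    # pct= defaults to 100; anything lower applies the policy to a sample only.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append(f"pct={tags.get('pct')!r} is not a number")
    if 0 < pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who is spoofing you")

    return findings


def dmarc_covers(sender_domain: str, protected_domain: str) -> bool:
    """True if a DMARC policy on protected_domain applies to mail from sender_domain.

    DMARC is keyed on the RFC5322.From domain and its subdomains only, so a
    look-alike such as examp1e.com is outside its reach no matter the policy.
    """
    sender = sender_domain.lower().rstrip(".")
    protected = protected_domain.lower().rstrip(".")
    return sender == protected or sender.endswith("." + protected)


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD),
                      ("enforcing", ENFORCING_RECORD)):
        print(f"{name}: {evaluate_dmarc(rec) or ['OK']}")
    for sender in ("example.com", "finance.example.com", "examp1e.com"):
        print(f"ceo@{sender}: covered={dmarc_covers(sender, 'example.com')}")
```

Run against a real domain, replace the constructed records with the TXT value at `_dmarc.<domain>`; the findings list is what a practitioner would want to see empty before treating step two as done, and the `dmarc_covers` check is the reminder that the look-alike case still falls to the people-first controls in step five.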
Don’t Rely on Technology to Solve the Problem
Despite the sophisticated anti-fraud software and technologies available to organisations, the key to overcoming scams like BEC is focusing on the people, not the technology. When employees feel they are part of the solution and are given the proper training and tools to succeed, there is a much slimmer chance those email attacks will succeed than in organisations that rely too heavily on technology to solve the problem for them.
In addition, security teams can use the data from reported phishing emails to identify phishing threats in real time, speed up incident response, and shut down attacks before they have a chance to cause any real damage.
Rohyt Belani, Chief Executive Officer and Co-Founder, PhishMe
Image source: Shutterstock/deepadesigns