Business Email Compromise attacks are here to stay due to their surface-level simplicity and “anyone can do it” nature. To stay ahead of the BEC challenge, businesses and employees must evolve their mindsets, processes, and security technologies.
BEC and phishing attacks account for a large portion of the security issues plaguing today’s businesses, and they continue to be a problem as attackers devise new ways to fit into victims’ inboxes and trick them into sending money.
As per the 2020 Internet Crime Report, the FBI Internet Crime Complaint Center (IC3) found that Internet crime resulted in estimated losses of more than US$4.2 billion. BEC and email account compromise (EAC) were involved in 19,369 of the 791,790 reports received in 2020, resulting in US$1.8 billion in damages.
Here are some guidelines and best practices that businesses may use to reduce the frequency and severity of Business Email Compromise attacks.
MFA should be enabled for all accounts and workflows
Enabling multi-factor authentication (MFA) reduces the chances of accounts being compromised and used to cause further damage. At the very least, organizations should enable MFA for CXOs, for employees with the authority to administer accounts, and for anyone who can initiate payments.
In the age of remote work, it’s also critical for users to establish their own verification channels when no formal ones exist. If they receive a suspicious email from a recognized vendor requesting that an invoice be paid urgently, they can text or call the vendor at a known number to confirm that the vendor actually sent the email.
Do not rely on native email security alone
Organizations have increased their adoption of cloud email as the human perimeter has become remote, which allows them to simplify email delivery and reduce their dependency on Secure Email Gateways (SEGs). Native security from cloud email providers, however, should be the foundation of the email security stack, not the entire stack.
To determine what they have already invested in, businesses should perform a comprehensive audit of their native email security capabilities. Once organizations understand what their native email security can and cannot do, they should make a strategy for enhancing these built-in capabilities with security measures that are purpose-built to prevent Business Email Compromise attacks.
Read every email rationally
BEC attacks do all they can to get victims to act before they think, banking on the fact that recipients are too distracted to engage with the email rationally. Employees may not be able to read every email in a rational manner, but there must be a starting point.
In emails involving the transfer of money or confidential information, teams need to be wary of deadlines provided at short notice. Even if they come from trustworthy people and agencies, it’s important to be careful of unusual purchase requests. Payroll departments should keep a close eye on emails from workers who share new direct deposit information. When vendors exchange new banking information for invoice fulfillment, accounts payable teams should have additional channels of authentication in place.
Organizations should also have reporting policies that require all staff to report any suspicious email to the security department in order to prevent Business Email Compromise attacks. The security team will look the email over and, if it is found to be legitimate, will give the relevant employee permission to act on it.
Even well-trained employees can be unsure about such emails, so such reporting policies are critical. Regular employees (even those who have been trained in information security) cannot be expected to have the same level of expertise as information security professionals.
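The indicators listed in the last two sections (short-notice deadlines, unusual purchase requests, new direct deposit or banking details, a display name that does not match the sending domain) can be turned into a first-pass triage rule that decides whether an email can be handled normally, must be verified through a known channel, or should be held and reported to security. The script below is an added example written for this article, not a tool from the original text or from any vendor; the phrase lists, scoring weights, domain names and sample emails are all constructed assumptions and would need tuning for a real organization.

```python
"""BEC triage: score an email against simple risk indicators and decide an action.
Added example; all domains, names and sample messages below are constructed."""
from dataclasses import dataclass

# Indicator phrases (constructed; tune per organization)
URGENCY_TERMS = ("urgent", "immediately", "as soon as possible", "asap", "by end of day", "today")
BANKING_CHANGE_TERMS = ("new bank", "updated bank", "new account number", "direct deposit", "changed our bank")
PAYMENT_TERMS = ("invoice", "wire transfer", "payment", "gift card")


@dataclass
class Email:
    display_name: str
    from_addr: str
    subject: str
    body: str
    reply_to: str = ""


@dataclass
class Triage:
    score: int
    reasons: list
    action: str


def _domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()


def _levenshtein(a, b):
    """Edit distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted):
    """Return the trusted domain this one imitates (edit distance 1-2), else None."""
    for t in trusted:
        if domain != t and _levenshtein(domain, t) <= 2:
            return t
    return None


def triage(email, trusted_domains, internal_domain, executive_names):
    reasons, score = [], 0
    text = f"{email.subject}\n{email.body}".lower()
    sender_domain = _domain(email.from_addr)

    target = lookalike_of(sender_domain, trusted_domains)
    if target:  # e.g. one letter dropped from a known vendor's domain
        score += 3
        reasons.append(f"sender domain {sender_domain} resembles trusted domain {target}")
    if email.reply_to and _domain(email.reply_to) != sender_domain:
        score += 2
        reasons.append("Reply-To domain differs from sender domain")
    if email.display_name.lower() in executive_names and sender_domain != internal_domain:
        score += 3
        reasons.append("executive's display name on an external address")
    if any(t in text for t in BANKING_CHANGE_TERMS):  # the page's 'new direct deposit / banking details' case
        score += 3
        reasons.append("banking or direct deposit details are being changed")
    if any(t in text for t in URGENCY_TERMS):  # short-notice deadline
        score += 1
        reasons.append("urgent deadline")
    if any(t in text for t in PAYMENT_TERMS):
        score += 1
        reasons.append("payment-related request")

    if score >= 4:
        action = "hold; report to security for review"
    elif score >= 2:
        action = "verify with the sender through a known channel before acting"
    else:
        action = "normal handling"
    return Triage(score, reasons, action)


# Constructed organization data
TRUSTED_DOMAINS = ("ourcorp.example", "acme-supplies.example")
INTERNAL_DOMAIN = "ourcorp.example"
EXECUTIVES = {"dana reyes"}

# Constructed sample messages
SAMPLES = {
    "legit_invoice": Email("Acme Supplies AP", "ap@acme-supplies.example", "Invoice 4471 for March",
                           "Please find attached invoice 4471, due net 30. Regards, Acme AP"),
    "bank_change_lookalike": Email("Acme Supplies AP", "ap@acme-suplies.example",
                                   "Updated bank details for invoice 4471",
                                   "We have changed our bank. Please send payment to the new account number below immediately."),
    "exec_gift_cards": Email("Dana Reyes", "dana.reyes@webmail-free.example", "Quick task",
                             "Are you at your desk? I need gift cards purchased today, keep it confidential."),
    "reply_to_mismatch": Email("Acme Supplies AP", "ap@acme-supplies.example", "Invoice 4480",
                               "Attached invoice 4480 is due at end of month.", reply_to="ap-acme@freemail.example"),
}


def triage_samples():
    return {name: triage(e, TRUSTED_DOMAINS, INTERNAL_DOMAIN, EXECUTIVES) for name, e in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in triage_samples().items():
        print(f"{name}: score={r.score}, action={r.action}")
        for reason in r.reasons:
            print("   -", reason)
```

The weights are deliberately asymmetric: a banking-details change or an executive name on an outside address pushes an email straight to the security queue, while a lone "invoice" keyword only nudges the score, so the rule reinforces the out-of-band verification habit the article recommends without burying the security team in routine vendor mail.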