Censornet | Business Email Compromise

Business Email Compromise (BEC) – [Blog]

For a relatively simple attack, Business Email Compromise (BEC) costs organisations globally a staggering amount of money.

The Anti-Phishing Working Group (APWG) estimates that the average sum that a BEC group will try to steal from a targeted company is now around $80,000 (£61,000) per attack, according to a report they published during August 2020.

The FBI estimate that successful BEC attacks have funnelled $26bn into the pockets of cyber criminals in the three years to July 2019. This is more than the GDP of Iceland.

What is Business Email Compromise?

In essence, Business Email Compromise is when an attacker impersonates someone over email, typically a company executive or senior manager, to convince an employee to divert funds into a bank account controlled by the attacker, or to trick them into sharing sensitive databases or intellectual property.

There are two main types of BEC attack: those sent from a genuinely compromised email account, and those sent from a spoofed or lookalike address designed to appear to come from a specific individual at a legitimate domain.

To carry out the first kind, the attacker needs to compromise the email account of an important person inside the target company. Mass migration onto platforms such as Office 365 has made this easier: without multi-factor authentication, a fresh set of credentials for the CEO or CFO is just a phish and a fake login page away.

Once the attacker has the requisite username and password, they sit quietly in the background watching and learning who does what and how the owner of the hijacked account communicates before striking.

Less advanced Business Email Compromise attacks work in a similar way but instead of the request originating from a senior team member on your mail server, they use a ‘nearby’ or ‘cousin’ domain. For example, janedoe@acmeecorp.net instead of janedoe@acmecorp.com.

How do I protect against Business Email Compromise fraud?

As always with a shifting threat landscape, it is important to understand how to evolve your security posture to reflect the new problem.

Training is crucial in addressing the social engineering problem. Spear phishing exploits human vulnerabilities, and with people, education is the only patch. With many attacks targeting the finance team, finance staff should be at the top of the list for regular, iterative phishing awareness training, backed by a standing rule that any change of payment details or urgent transfer request is verified out of band, for example by phone on a number already on file.

Training should be combined with a layered email security solution that addresses the particular nuances of a BEC scam. A comprehensive solution quarantines or drops emails identified as malicious, and adds more advanced executive monitoring, such as matching the real names of senior staff across multiple address fields (From, Reply-To and the display name), so that an executive's name arriving from an outside address is flagged.

To ensure communications are coming from legitimate domains, it should also integrate domain and IP analysis. This will inhibit an attacker who tries to set up domains close to, but not exactly matching, the authentic one. It should also penalise domains which have recently been registered, since lookalike domains are typically bought shortly before the attack.
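As an added illustration of the checks described above, and not Censornet's code or product logic, here is a small header screen that applies the three controls: matching executives' real names across From and Reply-To, cousin-domain detection against the organisation's own domain (after folding common visual confusables), and a penalty for recently registered domains. The executive list, internal domains, the domain registration table (a stand-in for a WHOIS/RDAP lookup) and the sample headers are all constructed for the example.

```python
"""Toy BEC header screen. Added example; data below is constructed."""
from datetime import date
from email.utils import parseaddr

INTERNAL_DOMAINS = {"acmecorp.com"}                         # constructed
EXECUTIVES = {"jane doe": "janedoe@acmecorp.com",           # constructed
              "john smith": "jsmith@acmecorp.com"}
DOMAIN_REGISTERED = {                                        # constructed stand-in for WHOIS/RDAP
    "acmecorp.com": date(2005, 3, 1),
    "acmeecorp.net": date(2024, 11, 20),
    "partner.co.uk": date(2012, 6, 4),
    "gmail.com": date(1995, 8, 13),
}
MAX_EDIT_DISTANCE = 2   # how close a domain must be to count as a 'cousin'
NEW_DOMAIN_DAYS = 90    # registrations younger than this are penalised


def normalise(domain: str) -> str:
    """Fold visual confusables so 'acrnecorp' and 'acmec0rp' compare equal to 'acmecorp'."""
    d = domain.lower()
    for pair, single in (("rn", "m"), ("vv", "w"), ("cl", "d")):
        d = d.replace(pair, single)
    return d.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude: drop the last label. Production code should use the public-suffix list."""
    return domain.rsplit(".", 1)[0]


def cousin_of(domain: str):
    """Return the internal domain this external domain imitates, or None."""
    if domain in INTERNAL_DOMAINS:
        return None
    for internal in INTERNAL_DOMAINS:
        if levenshtein(normalise(registrable(domain)),
                       normalise(registrable(internal))) <= MAX_EDIT_DISTANCE:
            return internal
    return None


def analyse(headers: dict, today: date) -> list:
    """Return (field, code, detail) findings for the address fields of one message."""
    findings = []
    from_domain = None
    for field in ("From", "Reply-To", "Sender"):
        if field not in headers:
            continue
        name, addr = parseaddr(headers[field])
        domain = addr.rpartition("@")[2].lower()
        if not domain:
            continue
        if field == "From":
            from_domain = domain
        # 1. An executive's real name in any address field, but not from our own domain
        exec_addr = EXECUTIVES.get(name.strip().lower())
        if exec_addr and domain not in INTERNAL_DOMAINS:
            findings.append((field, "exec-name", f"'{name}' is {exec_addr} but address is {addr}"))
        # 2. Cousin / lookalike domain
        imitated = cousin_of(domain)
        if imitated:
            findings.append((field, "cousin-domain", f"{domain} resembles {imitated}"))
        # 3. Domain age (external domains only)
        if domain not in INTERNAL_DOMAINS:
            registered = DOMAIN_REGISTERED.get(domain)
            if registered is None:
                findings.append((field, "unknown-domain", f"no registration data for {domain}"))
            elif (today - registered).days < NEW_DOMAIN_DAYS:
                findings.append((field, "new-domain",
                                 f"{domain} registered {(today - registered).days} days ago"))
        # Replies silently redirected to a third domain is a classic BEC tell
        if field == "Reply-To" and from_domain and domain != from_domain:
            findings.append((field, "reply-to-mismatch", f"replies go to {domain}, not {from_domain}"))
    return findings


# Constructed sample messages
SUSPECT = {"From": '"Jane Doe" <janedoe@acmeecorp.net>',
           "Reply-To": "jane.doe.ceo@gmail.com",
           "Subject": "Urgent wire transfer"}
GENUINE = {"From": '"Jane Doe" <janedoe@acmecorp.com>', "Subject": "Board pack"}

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("genuine", GENUINE)):
        print(label, analyse(msg, date(2024, 12, 20)))
```

The suspect message trips all three checks plus the Reply-To mismatch; the genuine one produces no findings because its domain is internal, so the executive-name and age checks do not apply. A real deployment would replace the registration table with a live RDAP query and the crude `registrable` helper with a public-suffix-aware parser.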

Business Email Compromise is a problem born of people and executed by people, but it is one which requires a hybrid of technology and humans to address.

For more insight on how you can secure your organisation against BEC and more advanced threats, arrange a conversation (mailto: sales@qual.co.uk) with one of our experts.