Three Ways Your BEC Defense Is Failing & How to Do Better

Business email compromises cost the economy billions of dollars. Experts have advice on how to stop them from hitting you for millions at a pop.

According to the FBI, business email compromises (BECs) were the most economically damaging cybercrimes of 2019, responsible for more than $1.7 billion in losses. And companies may feel a very keen sting indeed from just one BEC: In just the past six months, Toyota lost $37 million, Nikkei lost $29 million, and even a Texas school district was smacked with $2.3 million.

While some of the attacks use server or account exploits as a vector, most depend on a human being on the victim's side to open the door for the criminal to enter.

The human factor means there are multiple things to consider when it comes to defense plans. The question for many organizations is how to balance human factors and technology when figuring out how best to allocate dollars to cyber defense. 

You can start by avoiding these common mistakes.

Underestimating the Challenges at the Front Line
The front line in the BEC battle is in front of the keyboard. "Staff needs to be educated against the threat of BEC scams and have practiced using a defined process to respond to suspected BEC scams and other social engineering attempts," says Richard Gold, head of security engineering at Digital Shadows.

"The employee remains the last measure of protection or the last stand against BEC attacks for many organizations when all other security measures fail," says Mark Chaplin, principal at the Information Security Forum.

And that last measure is under attack from more than just criminal organizations.

"Work deadlines, family commitments, and personal biases represent just some of the factors that can prevent an individual from applying the necessary caution before acting on a contaminated email," Chaplin explains.

The stresses he mentions, and many others, are concerning because criminals have developed considerable expertise in exploiting their victims' weaknesses.

"Criminals have become more sophisticated by considering the psychological aspects of an attack," Gold says. "This has resulted in the most skilled, qualified, and security-aware employees falling for a well-crafted, targeted attack."

That attack increasingly will use a vector that too many organizations fail to address in training.

Overlooking a Key Attack Vector 
"While many organizations have implemented cybersecurity training with an emphasis on email — training users to identify phishing attacks — most efforts focus entirely on desktop email clients where users can easily check for phishing indicators," says Chris Hazelton, director of security solutions at Lookout. "It's with mobile email where this training falls short, both in focus and application." He says that most of the indicators of phishing don't really exist on mobile email clients, which tend to obscure full email addresses and limit the ability to preview hyperlinks.

These training gaps and technology weaknesses are allowing attackers to use BECs as the front end of attacks that have economic repercussions now and later.

"We're seeing the attackers gain access to the mail system and then wait. They're inside the system, and the dwell times we're seeing are a minimum of six to seven months before they actually initiate the attack," says Tom Arnold, co-founder, vice president, and head of forensics at Payment Software Company, part of NCC Group. "They're actually mapping out what this organization looks like, and they're looking at the internal organization much the same way you or I would map networks and figure out which machines do what."

Insufficient Authentication Measures 
BEC attacks can take several forms, but for many cybersecurity experts there's a single point at which many can be stopped: authenticating the user or process that tries to access network assets.

"BEC scams, similar to identity theft scams, rest on insufficient authentication of the people or organizations involved in a financial transaction. Any financial transactions that involve large sums must use strong authentication mechanisms in order to prevent losses," says Digital Shadows' Gold. For Gold, as for many others, enhanced authentication is one of the technological foundations of anti-BEC strategy.

Multifactor authentication could help companies defend against the very carefully crafted attacks that many criminals use as springboards to comprehensive campaigns.

"The majority of the attacks we've seen have been attacks to try to obtain credentials, and once they have credentials, they log in and begin masquerading as users," Arnold says. "And to a large extent, they log in and just monitor what's going on to figure out how to craft their continuing attacks."

And while multifactor authentication can add friction to every transaction in which it's employed, not every employee transaction is equally sensitive.

"Add multifactor authentication to critical and sensitive financial applications to prevent unauthorized access by criminal groups," says James McQuiggan, security awareness advocate at KnowBe4. "At a process level, add multilevel or tiered authorization requirements for various dollar amounts before allowing employees to send money."

The additional authorization with multifactor authentication, he says, can prevent a single person from approving or sending large amounts to a vendor (or criminal).
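
The tiered authorization described above, sketched as a payment-release gate. This is an added example, not code from the article or from any vendor quoted in it; the dollar thresholds, approver counts, and user names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed tiers (assumption): (upper bound in USD, approvers required).
TIERS = [(10_000, 1), (100_000, 2), (float("inf"), 3)]


@dataclass(frozen=True)
class Approval:
    approver: str
    mfa_verified: bool  # approver passed a second factor for this approval


@dataclass(frozen=True)
class Payment:
    requester: str
    amount_usd: float
    approvals: tuple = ()


def _norm(user):
    # Normalize so "Bob " and "bob" cannot be counted as two people.
    return user.strip().lower()


def required_approvers(amount_usd):
    """Number of distinct approvers the amount's tier demands."""
    if amount_usd <= 0:
        raise ValueError("amount must be positive")
    for limit, needed in TIERS:
        if amount_usd <= limit:
            return needed


def valid_approvers(payment):
    """Approvers that count: MFA-verified, distinct, and not the requester."""
    requester = _norm(payment.requester)
    return {_norm(a.approver) for a in payment.approvals
            if a.mfa_verified and _norm(a.approver) != requester}


def may_release(payment):
    """Return (allowed, reason); holds when the tier is not satisfied."""
    needed = required_approvers(payment.amount_usd)
    have = len(valid_approvers(payment))
    if have >= needed:
        return True, "release"
    return False, f"hold: {have} of {needed} valid approvals"
```

Self-approval, duplicate approvals, and approvals without a verified second factor are all discarded before counting, so a single compromised mailbox or account cannot satisfy a multi-approver tier on its own.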

"A lot of people would sort of yawn at BECs — they're not sophisticated," says Arnold. "It's not like an APT group coming in from China or something like that. It's really not super-sophisticated, but then again, it's very, very lucrative."

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.