6 Ways to Beat Back BEC Attacks
Don't assume your employees know how to spot business email compromises – they need some strong training and guidance on how to respond in the event of an attack.
Business email compromise (BEC) campaigns have become a serious business for fraudsters - and companies need to train their employees how to respond.
Just how large a threat are BECs? The FBI Internet Complaint Center (IC3) reported last summer that from October 2013 to May 2018, total losses worldwide for known BEC scams hit $12.5 billion.
Companies are starting to take note by including training on BECs in their security awareness programs. While BECs are typically social engineering crimes in which threat actors trick people via phishing emails, phone calls, or a combination of both into making wire transfers or handing over sensitive documents, there are some situations in which technology can help.
Here are some key insights into BECs and how to prepare for them – and how to respond if one of your users falls for one and you get attacked.
Chris Hadnagy, founder and CEO of Social-Engineer Inc., says security pros often believe that business email compromises (BECs) are common knowledge, but they aren't. He says many users don't know the difference between phishing and more targeted spear phishing, and many don't know that vishing is the voice version of a BEC. There are also combination attacks where the bad guys will follow up an email with a phone call pressuring an employee to make a wire transfer. Organizations must educate users so they are aware of the threat and understand the different types of attacks.
Social-Engineer's Hadnagy says employees shouldn't have to worry that they will lose their job, or get into trouble with law enforcement, if they are the victim of a BEC scam. Create an open environment where it's clear to whom and where to report an incident - and reward positive outcomes. While a financial reward can work for an employee who identifies and stops a social engineering attack that saves the company thousands of dollars, public recognition in a company-wide email or an open company meeting can also be effective and appropriate.
Firing an employee who falls for BECs should always be a last resort, he says.
Bob Adams, cyber resilience strategist at Mimecast, believes that there should be consequences if an employee falls victim to a BEC more than once. He says dismissal should be a last resort, and only if the employee has received intensive supplemental training and at least two or three warnings yet still gets duped.
Andy Norton, director of threat intelligence at Lastline, says when new employees start with the company, their on-board training should include security awareness that defines the nature of social engineering threats and how employees should respond. (Companies also should establish clear guidelines for how and when a funds transfer can actually happen.)
Teach users to avoid getting rushed into responding to BEC messages: threat actors often create a sense of urgency that flusters the victim and can hurry him or her into falling for the scam, he notes.
Predefined and specific communications policies are key as well, according to Adams. Users should be clear on who to call in the event of a BEC attack, whether a specific IT person or the company help desk, for example. If a large sum of money has been lost, the finance department should be contacted and it should be clear who is designated to call law enforcement.
Lastline's Norton says while there's no quick security tool fix for BECs, there are situations where technology can be useful in detecting them. Behavioral analysis tools, for example, can inspect incoming attachments and URLs in emails that carry malicious payloads, which are often used to steal user credentials.
Mimecast's Adams adds that companies often have multiple security tools but don't take advantage of all the features they already have available to them. For example, they may have email security set up, but haven't enabled or optimized the settings for phishing. Before buying yet another tool, see if there are features in existing products that can help the security team block suspicious emails. Adams says companies can also use technology to develop training modules, videos, phishing tests, and follow-up reports.
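The kind of indicator-based triage an email security product applies to suspicious messages can be illustrated in a few dozen lines. The script below is an added example, not code from the article or from any vendor quoted in it; it scores a raw email on the signals discussed above (a payment or wire-transfer request, urgency language, an executive's display name arriving from an outside domain, a lookalike sender domain, and a Reply-To that points somewhere other than the sender). The company domain, the executive names, the keyword lists, the flag threshold and the two sample messages are all constructed assumptions for the demonstration.

```python
"""Heuristic BEC triage over raw email text.

Added example: scores the indicators the article describes. Company domain,
executive names, keyword lists, threshold and sample messages are assumptions.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"        # assumed internal domain
EXECUTIVES = {"jane doe", "john roe"}       # assumed names likely to be impersonated
URGENCY = ("urgent", "immediately", "right away", "asap", "before end of day")
PAYMENT = ("wire transfer", "bank details", "invoice", "payment")
FLAG_THRESHOLD = 3                          # assumed: three or more indicators -> hold for review


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as a 0 swapped for an o."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return the indicators it triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower() if reply else from_domain

    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()

    reasons = []
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append("executive display name sent from an external domain")
    if levenshtein(from_domain, COMPANY_DOMAIN) in (1, 2):
        reasons.append(f"lookalike sender domain {from_domain}")
    if reply_domain != from_domain:
        reasons.append(f"reply-to domain {reply_domain} differs from sender domain")
    if any(k in text for k in URGENCY):
        reasons.append("urgency language")
    if any(k in text for k in PAYMENT):
        reasons.append("payment or transfer request")

    return {"score": len(reasons), "reasons": reasons, "flag": len(reasons) >= FLAG_THRESHOLD}


# Constructed sample messages (not real mail).
SUSPICIOUS = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: Jane Doe <jane.doe@mail-relay.example>
To: accounts@example-corp.com
Subject: Urgent wire transfer needed today

I'm in a meeting and can't take calls. Please process the wire transfer
to the attached bank details immediately and confirm by reply.
"""

BENIGN = """From: Pat Lee <pat.lee@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch menu for Friday

Please send me your sandwich choice by Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        result = score_message(raw)
        print(label, result["score"], "flag" if result["flag"] else "ok")
        for reason in result["reasons"]:
            print("  -", reason)
```

The point of the example is the shape of the check rather than the exact keyword lists: each indicator on its own is weak (plenty of legitimate mail is urgent, and plenty mentions invoices), so a product holds a message for review only when several coincide, and the reasons it records are what the help desk or finance contact named in the communications policy would see when the user reports the message.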