Business Email Compromise (BEC) and Email Account Compromise (EAC) are the most expensive cyber threats facing businesses around the globe. The FBI’s Internet Crime Complaint Center (IC3) reports that both scams have resulted in worldwide losses of $26 billion since 2016 – with $1.7 billion in the last year alone.
No organisation is immune – nearly 90% experienced these types of attacks in 2019. In the past year alone, victims have ranged from the tiny Florida city of Ocala to Japan’s largest media conglomerate, via a national museum in the Netherlands, racking up losses of over $33 million between them.
While the basic methodology is similar, each attack has its own unique personality – a web of ploys and psychological tricks, combining elements of phishing, social engineering, spoofing and wire fraud. In both cases, the attacker, posing as a trusted contact, tricks the victim over email into wiring money or sending sensitive data.
In the event of a BEC attack, these fraudulent emails are sent from spoofed or lookalike domains and display-names. Where EAC is concerned, the attacker takes over the actual email account of someone the victim trusts – in essence, becoming that trusted person.
Both are incredibly difficult to spot. By their very nature, successful attacks appear convincing. They are carefully designed not to stand out, trigger defences or arouse suspicions. What’s more, BEC and EAC tactics are complex, multifaceted and ever-changing.
This makes defending against them a considerable challenge. Just as organisations thwart one threat, another appears elsewhere in an incredibly high-stakes game of whack-a-mole.
That said, while fighting BEC and EAC is difficult, it’s not impossible. But doing so requires company-wide awareness and understanding of both common attack methods and the best ways to limit their chances of success.
A threat-aware cyber defence
While this type of attack has grown more refined, targeted, and inconspicuous in recent years, there remain a few tell-tale signs of BEC and EAC.
Ensuring every member of your organisation, across all levels, is aware of these red flags will significantly increase your chances of defending against them. Common warning signs include:
Time-sensitive requests: The longer an account is spoofed or compromised, the greater the chance of arousing suspicion. Cybercriminals know this. They also know that victims are most likely to make mistakes under pressure. That’s why fraudulent requests are often time-sensitive.
An attacker may ask for an urgent ‘last-minute change’ to an invoice or make a request at the end of the workday, stressing that it must be completed before the close of business.
Personal requests: Spoofing the personal email address of an executive or employee allows cybercriminals to bypass corporate defences and adds a more personal touch to the scam.
Posing as a legitimate contact, attackers may email to say they are out of the office and have received a request from a critical supplier to change payment information. Victims will be asked to help, ‘just this once’, to ensure payments are not delayed.
Direct requests from the supply chain: An increasingly popular attack method involves the use of supplier identities, whether spoofed or compromised.
Posing as a third-party allows attackers to circumvent internal controls and make direct requests for changes to payment information. This approach also adds an extra degree of separation, as employees may not be as familiar with suppliers as they are with their colleagues.
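As an added illustration (not code from the article or from Proofpoint), the following Python checks a raw email against the red flags described above: a lookalike sender domain, an executive’s display name on a personal or foreign address, a mismatched Reply-To, urgency language and a request to change banking details. The domains, executive directory and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions): our domain, a known supplier domain,
# executives' real addresses, and common freemail providers.
KNOWN_DOMAINS = {"example.com", "acme-supplies.com"}
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY = re.compile(r"\b(urgent|asap|today|last-minute|before (the )?close of business)\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed?) (bank|account|payment) (details|information)\b", re.I)

def _norm(domain):
    # Undo the cheapest homoglyph tricks (rn->m, vv->w, 0->o, 1->l) so lookalikes collapse onto the real name.
    return domain.lower().replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")

def is_lookalike(domain):
    """True when the domain is not one we know but collapses onto a known one after normalisation."""
    return any(_norm(domain) == _norm(k) and domain.lower() != k for k in KNOWN_DOMAINS)

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def bec_red_flags(raw_message):
    """Return the article's red flags that this raw RFC 822 message exhibits, in a fixed order."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = []
    if is_lookalike(_domain(addr)):
        flags.append("lookalike-domain")      # spoofed/lookalike sender domain
    real = EXECUTIVES.get(name)
    if real and addr.lower() != real:
        flags.append("display-name-spoof")    # executive's name on an address that is not theirs
    if _domain(addr) in FREEMAIL:
        flags.append("personal-address")      # 'personal' mailbox bypassing corporate controls
    if reply_to and _domain(reply_to) != _domain(addr):
        flags.append("reply-to-mismatch")     # replies silently routed elsewhere
    if URGENCY.search(body):
        flags.append("urgency")               # time-sensitive request
    if PAYMENT_CHANGE.search(body):
        flags.append("payment-change")        # request to alter banking information
    return flags

# Constructed sample messages for demonstration.
SAMPLES = {
    "exec_freemail": "From: Jane Doe <jane.doe.ceo@gmail.com>\nTo: ap@example.com\nSubject: Quick favour\n\n"
                     "I'm out of the office. A critical supplier sent new bank details; please update them "
                     "before the close of business, just this once.\n",
    "supplier_lookalike": "From: Acme Billing <billing@acme-supp1ies.com>\nReply-To: acme.billing@outlook.com\n"
                          "Subject: Invoice\n\nPlease use our updated account details for all invoices. Confirm ASAP.\n",
    "benign": "From: Bob Smith <bob@example.com>\nSubject: Minutes\n\nMinutes from the meeting are attached; no action needed.\n",
}
```

A single flag is not proof of fraud; the value is in routing messages that combine several flags (for example, urgency plus a payment change from a lookalike domain) to the out-of-band verification process described below.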
Fighting an insidious threat
Whatever the threat, a successful cyber defence must always combine technology, process, and people.
Your organisation should be equipped with controls, particularly on email and cloud accounts, to monitor network access, authenticate domains, and flag malicious content.
Beyond this, you need processes in place to verify all requests for expedited payment or changes to banking information. Better still, ensure that any request concerning finance or other sensitive data is authenticated at multiple points, and never solely by email.
Next comes the most important tool in your arsenal – your people. Once an account is successfully compromised, any requests sent to or from it are unlikely to trigger network controls.
With the attacker inside your network, it is your people who quickly become the last and only line of defence. The consequences for this line of defence failing can be severe. That’s why you must equip your end-users with the knowledge and education to detect and deter malicious communications.
This is only possible through comprehensive, ongoing, adaptive cybersecurity training that evolves to reflect the latest threat landscape. Training must be much more than a once-a-year box-ticking exercise.
Employees not only need to be aware of common attack methods, but they must also have a deep-seated understanding of the vital role they play in protecting your organisation from those attacks. The result is a culture within which cyber defence is everyone’s responsibility.
None of these strategies alone can protect your organisation from BEC and EAC attacks. But combined, they create a multi-layered, complex, and people-centric defence – one that could save your business from becoming yet another sorry statistic.
Sponsored by Proofpoint