Business Email Compromise (BEC) attacks are a form of cybercrime that uses email fraud to attack organisations, and they are considered one of the most profitable and prevalent forms of attack conducted by cybercriminals.
Someone who knows about these attacks is Jason Johnson, Co-Founder at Predatech, a cybersecurity company that delivers a range of security testing services, including penetration testing and certifications. Prior to starting Predatech, Jason worked for financial services firms including Tide, Rabobank and Royal Bank of Scotland.
Here Jason shares his thoughts on whether the “scourge” of business email compromise attacks can be stopped.
It’s the start of a New Year and for many, a chance to wipe the slate clean as we emerge from an unprecedented year of disruption. COVID-19 has reshaped the way we live, the way we work, and the way we conduct business. It’s also exposed both businesses and consumers to many new cyber risks and exacerbated existing threats.
Business Email Compromise (BEC) continues to be one of the most widespread and profitable attacks conducted by cybercriminals. According to the US Federal Bureau of Investigation, BEC resulted in reported losses (actual and attempted) of over $26 billion globally between June 2016 and July 2019. These figures are set to keep rising for as long as cybercriminals continue to enjoy compelling success rates.
Demystifying Business Email Compromise
BEC attacks, also known as man-in-the-email attacks, involve the attacker posing as, or directly compromising, a business email account in order to trick or pressure an individual into performing an action that benefits the attacker, typically a payment or the release of sensitive information.
A common example of BEC involves the attacker impersonating a senior executive such as the CEO of the target business. The attacker may register an email address that looks visually similar to the CEO’s and contact a member of the finance department, urging them to make an urgent wire transfer to an account the attacker controls. The staff member carries this out unwittingly, and it is only when it is too late that the victim realises they have been defrauded and the attacker has the money.
Why Businesses Should Be Worried
In 2019 Evaldas Rimasauskas was sentenced to five years in prison for the theft of over $120 million in a BEC scheme in which he posed as a legitimate hardware supplier and sent the victims fake invoices. Victims of his attack included technology behemoths like Facebook and Google.
Tech giants like these falling victim to BEC fraud reminds us that all businesses must remain on guard. Even with cutting-edge security gateways in place, cybercriminals are still finding increasingly inventive ways to bypass these controls.
The fact is that the number of attempted attacks is skyrocketing. According to Abnormal Security, the number of BEC attacks rose 15% from Q2 to Q3 2020, a significant increase in such a short space of time. It reflects the growing popularity of BEC among cybercriminals who want to cash in on the relatively low technical skill required and the high rate of success. In a world where many cybercriminals continue to elude the authorities, the attraction of BEC looks set to continue.
The mass adoption of remote working has only increased the number of successful attacks, because email and other digital channels have replaced communication that would usually happen in person. With remote working likely to remain the new norm, especially for businesses based in the City, and many staff members unaware of how sophisticated BEC attacks have become, too many businesses remain vulnerable.
Finding the Silver Bullet
The weakest link in a business’s security chain is, and will likely always be, its staff. Even as technology automates the majority of manual tasks, human error persists. BEC attacks rely on socially engineering their targets into carrying out the action the attacker wants, and these attacks are becoming increasingly sophisticated and difficult for staff to detect.
Staff training and awareness is often the greatest weapon against attempted BEC attacks. However, a 2019 survey by GetApp reveals that 43% of workers admit their company does not provide regular data security training. In addition, 8% report never receiving training at all.
Providing security training can be more challenging than it first appears. How do you keep staff engaged? How much information is too much? Creating compelling training and awareness programmes that don’t send staff to sleep takes a great deal more time and effort than most businesses are willing to invest.
On the technical front, there are emerging human-layer security technologies that use artificial intelligence to detect and quarantine unusual emails, for example emails sent from a domain name that closely resembles the target company’s own. These technologies have become increasingly effective, but on their own they are not yet reliable enough to serve as a catch-all security control, and they may also be out of reach for many small businesses.
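To make the lookalike-sender checks concrete, here is an added example that is not code from the original article or from Predatech. It implements, in a simple rule-based form, the two detections the text touches on: a sender domain that visually resembles the company’s own (the “visually similar” CEO address in the wire-transfer example above, and the similar-domain quarantine rule just described), and an executive’s name appearing as the display name on an external address. The protected domain `acme-finance.example`, the executive name `Jane Doe`, the confusable-character table and all sample messages are constructed for illustration and are not from the page.

```python
"""Lookalike-sender triage for BEC.

Added example, not code from the original article or from Predatech.
The protected domain, executive name and sample messages are constructed.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the executives most
# likely to be impersonated (matched case-insensitively on display name).
PROTECTED_DOMAINS = {"acme-finance.example"}
EXECUTIVE_NAMES = {"jane doe"}

# Character sequences that look alike in common fonts.  Multi-character
# pairs are collapsed first, so "rn" becomes "m" before "1" becomes "l".
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    # Cyrillic letters whose glyphs match Latin ones (IDN homograph attacks)
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0445": "x",
})
MAX_DISTANCE = 2  # edits away from a protected domain that still count as lookalike


def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical form so visual lookalikes collide."""
    if "xn--" in domain:
        try:  # Punycode label: decode to Unicode before normalising
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    domain = unicodedata.normalize("NFKD", domain).lower()
    domain = "".join(ch for ch in domain if not unicodedata.combining(ch))
    for seq, replacement in MULTI_CONFUSABLES.items():
        domain = domain.replace(seq, replacement)
    domain = domain.translate(SINGLE_CONFUSABLES)
    return domain.replace("-", "")  # hyphens are cheap to add or drop


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> dict:
    """Return a verdict on the From header of one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    reasons = []
    internal = any(domain == p or domain.endswith("." + p) for p in PROTECTED_DOMAINS)
    if not internal:
        sender_skeleton = skeleton(domain)
        for protected in PROTECTED_DOMAINS:
            distance = levenshtein(sender_skeleton, skeleton(protected))
            if distance <= MAX_DISTANCE:
                reasons.append(f"domain {domain!r} resembles {protected!r} "
                               f"(skeleton distance {distance})")
        if display_name.strip().lower() in EXECUTIVE_NAMES:
            reasons.append(f"display name {display_name!r} is an executive "
                           f"but the address is external")
    return {"address": address, "domain": domain,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages: one genuine internal mail, three
# impersonation attempts, and an unrelated external sender.
SAMPLE_MESSAGES = {
    "genuine": "From: Jane Doe <jane.doe@acme-finance.example>\n"
               "Subject: Q1 board pack\n\nAttached as discussed.\n",
    "typosquat": "From: Jane Doe <jane.doe@acrne-finance.example>\n"
                 "Subject: Urgent wire transfer\n\nPlease pay today.\n",
    "homoglyph": "From: Jane Doe <jane.doe@acme-fin\u0430nce.example>\n"
                 "Subject: Confidential\n\nCall me before you pay.\n",
    "freemail": "From: Jane Doe <jane.doe.ceo@mail.example>\n"
                "Subject: Quick favour\n\nAre you at your desk?\n",
    "supplier": "From: Bob <bob@supplier.example>\n"
                "Subject: Invoice 4471\n\nInvoice attached.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        verdict = assess_sender(raw)
        print(f"{name:10} suspicious={verdict['suspicious']}")
        for reason in verdict["reasons"]:
            print("           -", reason)
```

The skeleton step is what catches the cases a plain string comparison misses: `acrne-finance` collapses to the same form as `acme-finance`, and a Cyrillic `а` in `finаnce` is mapped back to Latin before the distance is computed. The display-name rule is deliberately independent of the domain check, because the cheapest version of CEO fraud uses a free webmail address with the executive’s name on it, which no domain-similarity rule would flag.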
Combating the growing number of BEC attacks won’t be easy, but if businesses commit more resources to educating staff and supplement this with increasingly effective human-layer security controls where possible, cybercriminals will find it a lot harder to extract cash or valuable information. As long as BEC awareness remains poor, we’ll continue to see attackers successfully dupe businesses and their staff.