Business Email Compromise attacks and five steps to avoid them

Short for business email compromise, BEC is one of the fastest growing scams that targets organisations. Here’s how it works: a cybercriminal gains access to the email address of a senior executive. They spoof the address so that they can send ‘official’ looking emails requesting money or sensitive information. There is usually a sense of urgency to the request (we need to pay this supplier immediately, please see their account details!) and because a senior executive is making the request, employees jump to obey without questioning the request.

A new report from Barracuda found that most BEC attacks first target employees who aren’t in executive or financial roles. Executives are the most valuable targets, but attackers will look for the easiest way into an organisation and then use that access to find more valuable accounts. Once they have the information they need, the scam is on.

According to the report, 77% of BEC attacks targeted employees in other departments, suggesting that when a requested action is followed, it’s unlikely the email recipient knows the sender (or perceived sender) personally, making the scam more likely to work.

Barracuda also found that one in five BEC attacks target employees in sales roles. This is because sales reps are used to getting external messages from senders they haven’t communicated with before and they are connected to most departments in the business, including finance. They are the perfect entry point into an organisation for hackers.

IT is also a prime target for many of the same reasons, although there is the added danger (or opportunity, when viewed from the hacker’s point of view) of IT staff having access to business-critical applications. Compromising these accounts can be extremely valuable to hackers as it will give them access to an organisation’s security and IT infrastructure.

1. Identify your high-risk users: Begin with the starting point that everyone is high risk and then narrow it down to C-level executives who can make requests that are unlikely to be questioned, and departments that interact with the entire business, including HR, finance and IT staff. This list should have more controls and safeguards in place, but everyone should be aware of how BEC works and why they could be a target.

2. Train extensively and regularly (and test what you train): No matter how good your prevention steps, security measures and processes are, breaches are inevitable. User education plays a big part in minimising the dangers of BEC fraud. The biggest lesson is this – when in doubt, double-check an order (not in reply to the mail. Pick up the phone). A red flag will always be an unusual sense of urgency. Reiterate to all employees that no one will ever get into trouble for being careful with IT security.

3. Put a policy in place: Every organisation should establish a security policy that is regularly reviewed to identify gaps. A policy is useless unless it is followed, however, so monitor how well employees (and senior executives) adhere to it. It should include things such as:

• • Not opening attachments or clicking on links from an unknown source
  • Not using USB drives on office computers
  • Password management policy (no reusing passwords, no post-it notes on screens as password reminders, etc.)
  • Require security training for all employees
  • Review the policy on Wi-Fi access. Include contractors and partners as part of this if they need wireless access when on site.

4. Follow procedures: review all social profiles for job duties and descriptions and identify any publicly available email addresses and lists of connections. Have firm protocols relating to payments and the sharing of information that cannot be sidestepped – even by C-Suite executives. Ensure staff study the security policy and enforce it:

• • Establish a schedule to test the cyber incident response plan
  • Determine how executive leadership is to be informed about cyber threats and their resolution
  • Register as many company domains as possible that are slightly different to your actual company domain to protect against spoofing

5. Put technical controls in place: These include email filters, two-factor authentication and managing access levels for all employees. If an employee doesn’t need access to certain data on a network, they shouldn’t be able to access it.