Despite widespread awareness of the threats it poses, email remains the most common vector for malware delivery, with around 54% of successful attacks launched via spam or phishing emails. From the social engineering used in phishing to the account hijacking and spoofing behind business email compromise, cyber criminals employ a range of techniques that call for an equally varied range of defence mechanisms.
Encryption, traditional spam filters, and anti-virus protection all have a crucial role to play. Unfortunately, these tools fall short against one of the fastest-rising email-based threats: business email compromise.
What is business email compromise (BEC)?
Business email compromise involves attackers assuming one or more email identities within an organisation, either by taking over a mailbox or by spoofing its address. They then use the acquired identity to persuade employees to disclose sensitive information or to make or authorise payments. BEC attacks often target the identities of decision-makers, since instructions from such individuals carry more authority and are less likely to be questioned.
Traditional filtering tools can be ineffective at weeding out such attacks, as once an account is hacked or an email identity successfully spoofed, the attack email is unlikely to be blocked or routed to a spam folder. Similarly, anti-virus software is often ineffective, as BEC attacks typically use advanced social engineering techniques as opposed to malicious attachments.
Because business email compromise usually involves staff compliance in order to be effective, training employees in spotting such attacks is a critical defence component.
How to thwart business email compromise attacks?
Avoid using personal email accounts
Using personal email accounts in a corporate setting is risky from a security perspective. Such accounts sit outside internal security governance, so you can neither apply nor audit controls on them (MFA, logging, retention, device policy), and the chance of the identity being compromised without anyone noticing is much higher.
Enable MFA and password-less authentication for business email accounts
An email account takeover is the ultimate win for an attacker: mail sent from a genuine mailbox passes authentication checks and is indistinguishable from legitimate traffic to most technical defences. Enabling multi-factor authentication, whether biometric, one-time passwords, or hardware security keys, makes accounts far harder to compromise. Note that one-time codes delivered by SMS or an authenticator app can still be captured by a phishing site that relays the login in real time, so where possible prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the legitimate site's origin.
Don’t click “reply”
Habitual use of the “reply” button can be risky, because a reply goes wherever the message's Reply-To header points, which the sender controls and which may differ from the address displayed in the From field. An attacker can therefore show a convincing From address while quietly routing your answer to their own mailbox. Forwarding instead, and typing the address yourself or selecting it from your address book, means your response goes only to the contact you intended, and a sender address that does not match the one on file stands out in the process. Bear in mind that this does not help when a legitimate mailbox has actually been taken over; for that, the out-of-band checks described below are needed.
Be mindful of the information you make publicly available
BEC attacks often take advantage of publicly available information (organisation charts, job titles, travel plans, supplier relationships) in order to convincingly impersonate key business personnel. Making staff aware of the risks posed by their public digital footprint reduces the amount of material available to attackers and makes it harder for them to assume staff identities convincingly. Stress the importance of keeping social media accounts private, and limit what is shared publicly about your business, its people and its activities.
Encourage staff to “domain check”
Spoofed emails often come from subtly altered domain names: “secure-organisatlon.co.uk” (an “l” in place of the “i”) or “secure-organisation.com” in place of the legitimate “secure-organisation.co.uk”, for example. Equally common is a familiar display name, such as the managing director's, sitting in front of an unrelated or webmail address. Stress the importance of checking the actual sender address and not just the name shown, especially when business-critical information or a payment is being requested, or when the sender appears to be a senior individual.
Register similar domain names
By registering domain names that vary slightly from yours (common typos, homoglyph substitutions, alternative top-level domains), you deny attackers the easiest lookalikes, and monitoring newly registered variants that you have not claimed gives early warning of an impersonation campaign. Note that this does not prevent someone spoofing your exact domain in the From header; that requires publishing SPF and DKIM records for your domain and a DMARC policy of quarantine or reject so that receiving servers discard mail that fails authentication.
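The three header checks above (the Reply-To trap, the lookalike-domain check, and the list of variants you might register or monitor) can be mechanised. The following Python script is an added example, not code from the original article: the domain, the staff directory and the sample message are constructed for illustration, and the homoglyph table and TLD list are deliberately small.

```python
"""Header checks for business email compromise triage (constructed example).

Three checks on an inbound message's headers:
  1. the sender domain is a lookalike of our own domain,
  2. a known staff display name is used from an outside domain,
  3. Reply-To points somewhere other than the From domain.
The same lookalike generator yields the variants worth registering or watching.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate domain and staff directory (hypothetical values).
OUR_DOMAIN = "secure-organisation.co.uk"
KNOWN_STAFF = {"jane smith"}

# Substitutions commonly used to build lookalike domains (small, illustrative table).
HOMOGLYPHS = {"i": ["l", "1"], "l": ["i", "1"], "o": ["0"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "rn": ["m"], "-": ["", "_"]}
TLD_SWAPS = [".com", ".co", ".org", ".net", ".uk"]


def lookalike_variants(domain):
    """Lookalikes of *domain*: homoglyph swaps, dropped, doubled or transposed
    characters in the first label, and swapped TLDs. Assumes the first label
    is the registrable name (true for "brand.co.uk", not for "mail.brand.com")."""
    name, _, tld = domain.partition(".")
    out = set()
    for src, repls in HOMOGLYPHS.items():
        idx = name.find(src)
        while idx != -1:
            for r in repls:
                out.add(name[:idx] + r + name[idx + len(src):] + "." + tld)
            idx = name.find(src, idx + 1)
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:] + "." + tld)      # omission
        out.add(name[:i + 1] + name[i:] + "." + tld)      # doubling
        if i + 1 < len(name):                             # transposition
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:] + "." + tld)
    for t in TLD_SWAPS:
        out.add(name + t)
    out.discard(domain)
    return out


def edit_distance(a, b):
    """Levenshtein distance, a catch-all for variants the generator misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.lower().rsplit("@", 1)[1] if "@" in addr else ""


def check_sender(from_header, our_domain=OUR_DOMAIN, staff=KNOWN_STAFF):
    """Classify a From header as internal, lookalike, display-name-spoof,
    external or malformed."""
    display, addr = parseaddr(from_header)
    domain = domain_of(addr)
    if not domain:
        return "malformed"
    if domain == our_domain:
        return "internal"
    if (not domain.isascii()                      # IDN homoglyphs, e.g. Cyrillic "o"
            or domain in lookalike_variants(our_domain)
            or edit_distance(domain, our_domain) <= 2):
        return "lookalike"
    if display.strip().lower() in staff:          # known name, unknown domain
        return "display-name-spoof"
    return "external"


def triage(raw_message):
    """Return the list of header findings for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    verdict = check_sender(msg["From"] or "")
    if verdict in ("lookalike", "display-name-spoof", "malformed"):
        findings.append(verdict)
    reply_to = msg["Reply-To"]
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        _, from_addr = parseaddr(msg["From"] or "")
        if domain_of(rt_addr) != domain_of(from_addr):
            findings.append("reply-to-mismatch")
    return findings


# Constructed sample: a From address that passes a glance, with Reply-To
# diverted to the attacker's mailbox.
SAMPLE = """\
From: "Jane Smith" <jane.smith@secure-organisatlon.co.uk>
Reply-To: jane.smith.ceo@example.net
To: accounts@secure-organisation.co.uk
Subject: Urgent payment

Please process the attached invoice today.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))  # ['lookalike', 'reply-to-mismatch']
    print(sorted(lookalike_variants(OUR_DOMAIN))[:5])
```

The edit-distance threshold of 2 is reasonable for a long domain like the one assumed here; for short brand names it will flag unrelated domains, so tune it or rely on the generated variant set alone. None of these checks detects mail sent from a genuinely compromised mailbox, which is why the procedural verification below still matters.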
Have further authentication procedures in place
Verify requests for sensitive data or financial instructions by contacting the sender through a separate channel, such as a phone call to a number already on file or an in-person conversation. Use contact details from your own address book, NOT those provided in the email or its signature. Written procedures covering business-critical or data-sensitive communications, for example a mandatory call-back before any change to supplier bank details, are an effective way to enforce this in practice.
Make staff aware of business email compromise attacks and engender a security-first culture
Business email compromise attacks almost always rely on some element of end-user compliance. It’s therefore vital to educate staff on the threat posed by BEC and other email security threats. While it isn’t necessary to make your team paranoid, a certain amount of “healthy suspicion” can be a great way to improve email security, and encourages staff to apply additional checks when actioning requests or sharing information of a sensitive nature.
In 2021, approximately 20,000 business email compromise attacks were conducted against UK businesses, and with such attacks becoming more prevalent worldwide it is vital to be aware of the risk and to have the right tools and strategies in place to mitigate it.
We’ve set out some of the ways your team can manage the risk posed by these attacks, but these techniques aren’t infallible, and as we’ve already mentioned, most mainstream email protection tools aren’t effective at thwarting BEC attacks.
So what’s the solution?
In our next article we’ll examine how AI can be used to detect and foil BEC (and other) attacks by comparing email communications against expected user behaviour. After all, humans play an incredibly important role in email generally, so we think it’s high time technical defences took more account of the unique human factors within email correspondence.