In this comprehensive article, Gopan Sivasankaran, General Manager-META at Secureworks, shares invaluable insights on how companies can bolster their defenses against the ever-evolving threat of Business Email Compromise (BEC). Discover expert strategies to safeguard your organization’s critical assets in the digital age.
“In 2022, across our emergency Incident Response engagements, we observed a significant rise in BEC attacks, making it a preferred tactic for financially motivated cybercriminals. Hackers are opportunistic and often financially motivated, looking to make the most profit from the least effort. And tools like BEC allow cyber criminals to target multiple organizations and individuals simultaneously.” Gopan Sivasankaran, General Manager META, Secureworks
Understanding BEC
Secureworks® incident response engagements have identified two common methods used to steal money with BEC tactics: email chain injection and C-level fraud. In email chain injection, the threat actor intercepts a payment-related email chain, impersonates the compromised account owner, and requests changes to payment information. C-level fraud involves the compromise of an executive’s email account, with the threat actor posing as the executive to instruct finance or accounting staff to transfer funds to a specified bank account, often creating a sense of urgency.
BEC attacks often start with phishing emails that trick recipients into visiting fake login pages, enabling threat actors to steal their credentials. It is therefore crucial that organizations look at what controls they need in place to help protect employees from inadvertently responding to these lures.
Security controls against BEC
From the technical standpoint there are controls that organizations can implement which make it harder for employees to reach these malicious websites. One effective measure is a web filter that blocks known malicious sites, newly created sites, and sites without a reputation score. Running alongside this, mail security solutions can defang or rewrite the hyperlinks embedded in phishing emails, so that a click is blocked or redirected through an inspection service rather than landing on the credential-harvesting page.
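As an added illustration of the link-handling control described above (this is example code written for this article, not a Secureworks product or tool), the following Python script parses a constructed phishing email, classifies every hyperlink's host against hypothetical "blocked" and "reputable" lists standing in for a gateway's threat-intelligence feeds, and defangs any link that is either known-bad or has no established reputation. The message, host lists and verdict names are all constructed for the example.

```python
"""Mail-gateway style link inspection: classify and defang hyperlinks in an email body."""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Constructed sample message (not a real phishing email). The sender and links are invented.
RAW_MESSAGE = """\
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Mailbox quota exceeded
Content-Type: text/plain; charset="utf-8"

Your mailbox is full. Re-validate your account within 24 hours:
https://login-secure-verify.example/owa/auth.php?u=alice
A copy of the notice is here: https://docs-share-4821.example/file
Policy reference: https://www.example.com/it/mail-policy
"""

# Hypothetical feeds: a known-phishing host list and a list of hosts with an established
# reputation. A real gateway would query its threat-intel and domain-age services instead.
BLOCKLIST = {"login-secure-verify.example"}
REPUTABLE = {"www.example.com", "secureworks.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def classify_host(host):
    """Return 'blocked' for known-bad hosts, 'unknown' for hosts with no reputation
    (newly registered or never seen), and 'allowed' for established hosts."""
    if host in BLOCKLIST:
        return "blocked"
    if host not in REPUTABLE:
        return "unknown"
    return "allowed"


def defang(url):
    """Render a URL non-clickable in the common hxxp / [.] convention."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def rewrite_links(raw_message):
    """Parse the message, decide on every link in the plain-text body, and return the
    rewritten body together with a {url: verdict} map for logging or quarantine rules."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    decisions = {}

    def replace(match):
        url = match.group(0)
        host = (urlsplit(url).hostname or "").lower()
        verdict = classify_host(host)
        decisions[url] = verdict
        # Only links to established hosts are left clickable; blocked and unknown links
        # are defanged so the recipient cannot reach the page with a stray click.
        return url if verdict == "allowed" else defang(url)

    return URL_RE.sub(replace, body), decisions


if __name__ == "__main__":
    rewritten, verdicts = rewrite_links(RAW_MESSAGE)
    for url, verdict in verdicts.items():
        print(f"{verdict:8} {url}")
    print(rewritten)
```

A production gateway would typically wrap rather than defang (rewriting each link to a click-time inspection URL), but the decision logic is the same: anything not positively known to be good is treated as suspect, which is exactly what the "newly created sites and those without reputation scores" rule in the web filter does.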
Multi-factor authentication (MFA) is highly effective in limiting threat actors’ ability to misuse credentials that do get compromised. MFA safeguards against credential-based attacks on network perimeters, such as Remote Desktop Protocol (RDP) and virtual private networks (VPNs), as well as on the webmail and cloud identity portals that BEC actors target directly. Another approach is geo-blocking, which restricts logins from countries where users are typically not located. Disabling legacy authentication methods, such as IMAP and POP, further reduces the risk of unauthorized access: these protocols cannot complete an MFA challenge, so while they remain enabled a stolen password alone is enough to read a mailbox.
Of course, cybercriminals also try to get around MFA controls. Secureworks incident responders have observed an emerging tactic known as “MFA bombing” (also called MFA fatigue or push bombing), where threat actors who already hold a valid password trigger a series of push prompts to wear the targeted user down until they approve one. To counter this, organizations can require manual entry of MFA codes instead of one-tap approvals, require completion of numeric challenge-response prompts (number matching), and provide additional context in the prompt, such as a map indicating the origin of the request. Educating users to verify the request’s origin and location further enhances the organization’s security posture. By implementing these measures, businesses can strengthen their defense against BEC attacks and safeguard their sensitive information.
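The controls in the two paragraphs above (geo-blocking, disabling legacy authentication, and resisting MFA bombing) are policy settings in the identity provider, but each also leaves a trace in sign-in logs that a detection team can hunt for. As an added example, not code from Secureworks or from this article's author, the Python below runs three such checks over a small constructed set of sign-in events: logins over legacy protocols that bypass MFA, logins from outside an expected country list, and a burst of unapproved MFA prompts followed by an approval, which is the signature of a successful bombing. The event schema, user names, countries and thresholds are all assumptions for the example.

```python
"""Hunt for legacy-auth, geo-anomaly and MFA-bombing patterns in constructed sign-in events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider sign-in events (not real log data). Fields:
#   ts      UTC timestamp, ISO 8601
#   user    account name
#   client  protocol or application that authenticated
#   country ISO country code derived from the source IP
#   mfa     None if no MFA prompt was issued, else "approved" / "denied" / "timeout"
EVENTS = [
    {"ts": "2023-03-01T08:00:00", "user": "alice", "client": "Browser", "country": "AE", "mfa": "approved"},
    {"ts": "2023-03-01T08:05:00", "user": "bob",   "client": "IMAP4",   "country": "AE", "mfa": None},
    {"ts": "2023-03-01T09:00:00", "user": "dave",  "client": "Browser", "country": "AE", "mfa": "denied"},
    {"ts": "2023-03-01T09:01:00", "user": "dave",  "client": "Browser", "country": "AE", "mfa": "approved"},
    {"ts": "2023-03-01T02:10:00", "user": "carol", "client": "Browser", "country": "NG", "mfa": "denied"},
    {"ts": "2023-03-01T02:11:00", "user": "carol", "client": "Browser", "country": "NG", "mfa": "timeout"},
    {"ts": "2023-03-01T02:12:00", "user": "carol", "client": "Browser", "country": "NG", "mfa": "denied"},
    {"ts": "2023-03-01T02:13:00", "user": "carol", "client": "Browser", "country": "NG", "mfa": "timeout"},
    {"ts": "2023-03-01T02:14:00", "user": "carol", "client": "Browser", "country": "NG", "mfa": "denied"},
    {"ts": "2023-03-01T02:15:00", "user": "carol", "client": "Browser", "country": "NG", "mfa": "approved"},
]

# Clients that authenticate with a bare username/password and cannot complete an MFA challenge.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync"}


def find_legacy_auth(events, legacy_clients=LEGACY_CLIENTS):
    """(user, client) for every sign-in over a legacy protocol; any hit means the
    'disable legacy authentication' control is not fully in force."""
    return [(e["user"], e["client"]) for e in events if e["client"] in legacy_clients]


def find_geo_anomalies(events, allowed_countries):
    """(user, country) for every sign-in attempt from outside the expected country set."""
    return [(e["user"], e["country"]) for e in events if e["country"] not in allowed_countries]


def find_mfa_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received `threshold` or more prompts that were denied or timed out
    inside any `window`, and report whether an approval followed within that window."""
    prompts_by_user = defaultdict(list)
    for e in events:
        if e["mfa"] is not None:
            prompts_by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["mfa"]))

    findings = []
    for user, prompts in prompts_by_user.items():
        prompts.sort()
        unapproved = [t for t, result in prompts if result != "approved"]
        for i, start in enumerate(unapproved):
            burst = [t for t in unapproved[i:] if t - start <= window]
            if len(burst) >= threshold:
                approved_after = any(
                    result == "approved" and start <= t <= start + window for t, result in prompts
                )
                findings.append({"user": user, "prompts": len(burst), "approved_after": approved_after})
                break  # one finding per user is enough to open a ticket
    return findings


def run_checks(events, allowed_countries):
    """Bundle the three hunts so they can be scheduled as a single job."""
    return {
        "legacy_auth": find_legacy_auth(events),
        "geo_anomalies": find_geo_anomalies(events, allowed_countries),
        "mfa_bombing": find_mfa_bombing(events),
    }


if __name__ == "__main__":
    for name, hits in run_checks(EVENTS, allowed_countries={"AE", "SA"}).items():
        print(name, hits)
```

The thresholds are deliberately conservative: a single denied prompt (dave) is normal user friction and is not reported, while five unapproved prompts in ten minutes from an unexpected country, capped by an approval (carol), is the case that warrants an immediate password reset and session revocation.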
Working for a secure business culture
From a human perspective there are techniques and business processes which can be rolled out to mitigate user-related security risks. Security training is crucial in educating employees about the risks of BEC and how it impacts the organization. Employees should be able to identify warning signs of BEC attacks, verify payment or account changes through trusted communication channels, and report suspicious behaviour to the appropriate business units.
Organizational culture plays a fundamental role in security. Employees should be encouraged to challenge non-standard requests (e.g., payment and account changes). Adopting a “trust but verify” mindset towards emails, chat messages and phone calls means that even slight deviations from normal operations raise a red flag, and that is what protects the organization from falling victim to BEC. Employees should feel safe to question and report concerns, as well as mistakes. It is better for an employee to report rapidly and fully that they may have fallen victim to one of these scams, so that action can be taken to prevent the fraud, than to hide it and hope for the best.
With controls such as the “two-person” rule, where a second employee reviews and verifies payment modifications, and a requirement for telephone or in-person verification of requested changes (using contact details already on file, not those supplied in the request), organizations can detect and prevent BEC attempts. These controls have proven effective in preventing substantial financial losses in real-world incidents.
Building security into the business
Ultimately, to mitigate the risks of BEC attacks, organizations need to raise awareness and build security into their business processes.
The motivation for threat actors to continue launching BEC attacks has never been greater than it is now. Organizations must recognize that email security controls alone are not completely effective at mitigating threats. Threat actors will target every process that requires trust.
In the fight against BEC attacks, having solid technical controls in place will support employees who serve as the last line of defense. Equipping them with the necessary training, resources, and support is paramount in their ability to detect and thwart these attacks effectively.