The Looming Threat of Business Email Compromise: Insights from John Wilson at Fortra


The relentless wave of digital innovation has come with its share of threats. One such rising threat is Business Email Compromise (BEC). In a recent interview, cybersecurity expert John Wilson, senior fellow threat research at Fortra, explored the complexities of BEC and discussed key findings from Fortra’s recent report “2023 BEC Trends, Targets, and Changes in Techniques” on this pressing issue.

Business Email Compromise involves scam tactics aimed at tricking individuals and businesses into revealing sensitive information or performing financial transactions under false pretenses. It primarily operates through the manipulation of business email correspondence.

The Growing Menace of BEC

Wilson underscored the alarming rise in BEC incidents, as noted in Fortra’s report. It is not the complexity of the attacks that makes them formidable, but their simple and deceptive nature. Often, a BEC attack will involve a scammer impersonating a senior executive or business partner, exploiting the victim’s trust and sense of urgency to facilitate fraudulent transactions.

During the interview, Wilson illuminated the various tactics employed in a BEC scam. These include phishing emails, spoofing tactics, and social engineering. The fraudsters often invest time in studying the organizational hierarchy, behaviors, and communication styles to make their deceitful requests appear legitimate.

BEC scams can also involve the installation of malware on a target’s system to gain unauthorized access to sensitive data. Fortra’s report further illustrates the scope and diversity of BEC strategies, indicating a need for businesses to enhance their defensive measures.

Attack Pattern One: The Impersonation Game

One common scenario highlighted by Wilson involves impersonating a high-ranking executive within a company – usually the CEO or CFO. The scammer, masquerading as the executive, sends an urgent email to an employee with financial authority, typically in the finance department. The email requests an immediate wire transfer, often with a plausible reason like a confidential business investment.

This tactic relies heavily on social engineering, exploiting the power dynamic within a company. The recipient, believing the email to be from their superior, feels compelled to execute the request quickly, bypassing the usual protocols.

One effective measure against this is the implementation of strict protocols for financial transactions, including dual approval mechanisms. Regardless of the apparent urgency or source of the request, each financial transaction should require approval from two separate individuals. This reduces the likelihood of fraudulent requests slipping through the cracks.

In addition, training employees to be skeptical of unusual email requests, even those seemingly from superiors, can prevent this type of BEC attack. Employees should be encouraged to confirm such requests through a secondary, out-of-band communication channel like a phone call.

Attack Pattern Two: Vendor Swindle

Another BEC tactic is the vendor swindle. Here, scammers impersonate a trusted vendor or partner. They send an email to the company informing them of a change in payment details – usually a new bank account. Any payments to the vendor are then unwittingly redirected to the fraudster’s account.

This BEC variant is especially dangerous as it takes advantage of established business relationships and routines. Due to the perceived legitimacy of the vendor, the request may not raise immediate suspicion.

To guard against this, businesses should establish a verification process for any changes to payment or personal information. Any change request should be confirmed through a secondary method, such as a phone call using the previously established contact details, not the new ones provided in the suspicious email.

Automated systems that can flag changes in email patterns, such as language use or email metadata, can also be used to detect potential BEC attacks. Regular audits of financial transactions, particularly those related to vendors, can also uncover any irregularities.
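As an added illustration of the metadata and content cues such an automated flagger can look for, here is a small Python checker written for this article (not Fortra's tooling) that applies the two patterns above to constructed sample messages; the corporate domain, executive and vendor names, and keyword lists are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for a hypothetical organisation (not from the article).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}                     # CEO / CFO display names
KNOWN_VENDORS = {"acme supplies": "acme-supplies.example"}  # vendor name -> domain on file
PAYMENT_CHANGE = re.compile(r"new bank account|updated? (?:bank|payment) details|remittance", re.I)
URGENCY = re.compile(r"\b(?:urgent|immediately|asap)\b", re.I)

def _name_and_domain(header_value):
    """Split a From/Reply-To header into (display name, domain), both lower-cased."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def _plain_text(msg):
    """Join the text/plain parts of a message (works for single-part and multipart)."""
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def bec_indicators(raw_message):
    """Return the BEC indicators found in one RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    from_name, from_domain = _name_and_domain(msg.get("From"))
    _, reply_domain = _name_and_domain(msg.get("Reply-To"))
    body = _plain_text(msg)
    found = []
    # Pattern one: an executive's display name on a mailbox outside the corporate domain.
    if from_name in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        found.append("executive name from external domain")
    # Pattern two: a known vendor's name on a domain other than the one on file.
    if from_name in KNOWN_VENDORS and from_domain != KNOWN_VENDORS[from_name]:
        found.append("vendor name from unexpected domain")
    if reply_domain and reply_domain != from_domain:  # replies quietly routed elsewhere
        found.append("reply-to domain differs from sender domain")
    # Content cues: payment-detail changes and urgent wire requests must be verified out of band.
    if PAYMENT_CHANGE.search(body):
        found.append("payment detail change request")
    if "wire" in body.lower() and URGENCY.search(body):
        found.append("urgent wire transfer request")
    return found

# Constructed sample messages (not real e-mails).
EXEC_SCAM = ('From: "Jane Doe" <jane.doe@examp1e-mail.net>\nTo: payments@example.com\n'
             "Subject: Quick favour\n\nI need a wire sent immediately for a confidential deal.\n")
VENDOR_SCAM = ('From: "Acme Supplies" <billing@acme-supplies.example>\nReply-To: <billing@acme-suppiles.co>\n'
               "To: ap@example.com\nSubject: Invoice 1042\n\nPlease use our new bank account for all remittance.\n")
BENIGN = 'From: "Bob Builder" <bob@example.com>\nTo: jane.doe@example.com\nSubject: Lunch\n\nNoon today?\n'
```

A flagged message is a prompt for the out-of-band confirmation described above, not a verdict; legitimate mail can trip the content cues, so the indicators are best routed to a reviewer rather than used to block delivery.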

In both cases, education is key. Regular training for employees to recognize the signs of BEC scams, and to understand the importance of strict adherence to protocols, is crucial. The goal is to foster a culture of security awareness where employees feel empowered to question suspicious activities without fear of overstepping boundaries.

Mitigating BEC Threats: The Way Forward

According to Wilson, effective defense against BEC involves a combination of technology, processes, and education. On the technological front, implementing advanced email security systems, multi-factor authentication, and continuous network monitoring can help detect and prevent BEC attempts.

Wilson stressed the critical role of processes, particularly those related to financial transactions. Implementing protocols such as dual approval for transactions, regular audits, and confirmation through out-of-band communication can go a long way in thwarting BEC attacks.

The Power of Education

Arguably, Wilson was most passionate about the role of education in cybersecurity. As he explained, technology and processes can only do so much if the users themselves are unaware of the risks. Regular training on recognizing and responding to phishing attempts, understanding the risks of information sharing, and staying updated on the latest cybersecurity threats is crucial.

In a rapidly evolving digital landscape, BEC presents a significant risk to businesses. However, as John Wilson’s insights suggest, this threat can be mitigated with the right combination of technology, processes, and education. It’s a reminder that in the world of cybersecurity, vigilance and preparedness are often the best defenses.
