BEC attack comment

by Mark Rowe

The growing sophistication of Business Email Compromise (BEC) attacks means that cybercriminals are gaining access to more sensitive data, and businesses have to strengthen their defences, an IT consultancy claims.

The UK's National Cyber Security Centre (NCSC) recently issued new guidance for businesses on the threat they face from BEC attacks. The sophistication of BEC attacks has made them highly successful in recent months, and businesses need to be better prepared to counter the threat.

About BEC

BEC is a form of phishing, but whereas most phishing attacks are general and broad, BEC messages are tailored to specific individuals within an organisation and can appear extremely convincing. General phishing relies on a scattergun approach, sending millions of emails in the hope that a few are acted upon. BEC requires more investment from the cybercriminal and so tends to target ‘big fish’: often senior executives, or employees with access to particularly valuable data or the authority to make payments.

The NCSC’s new guidance encourages firms to reduce their digital footprint (limiting the amount of information about senior executives that is publicly available), to train staff to recognise BEC attempts, to set up two-step verification for payment and data requests, and to restrict the number of employees who can make significant payments without further authorisation. It also asks firms to plan for the worst, so that they can respond robustly if a BEC attack does succeed.
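The following Python is an added illustration, not code from the NCSC guidance or from the magazine, of how two of the controls above can be expressed as a screening step for incoming payment requests: the dual-authorisation rule for significant payments, and a check that a message claiming to come from a named executive actually originates from that executive's mailbox. The executive list, corporate domains, approver list, threshold and the two sample messages are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical policy data for illustration only. A real deployment would
# source the executive and approver lists from HR and finance systems.
CORPORATE_DOMAINS = {"example.co.uk"}
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}  # display name -> real mailbox
DUAL_AUTH_THRESHOLD = 10_000  # payments above this need a second, authorised approver
AUTHORISED_APPROVERS = {"finance.controller@example.co.uk", "cfo@example.co.uk"}
# Urgency and secrecy cues that commonly accompany a BEC request.
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|confidential|don't tell|do not tell)\b", re.I)


@dataclass
class PaymentRequest:
    from_name: str          # display name as shown in the mail client
    from_addr: str          # actual From address
    reply_to: str           # Reply-To header, empty if absent
    subject: str
    body: str
    amount: float
    approvers: list = field(default_factory=list)  # people who have countersigned


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def screen(req: PaymentRequest) -> dict:
    """Return a decision ("proceed" or "hold") and the reasons for it.

    Any flag means the request is held until the requester is verified
    out of band (e.g. a phone call to a number already on file), which is
    the two-step verification the guidance asks for.
    """
    flags = []

    # Executive impersonation: the display name is one of ours, but the
    # address behind it is not that person's mailbox (lookalike domain,
    # free webmail, etc.).
    name = req.from_name.strip().lower()
    if name in EXECUTIVES and req.from_addr.lower() != EXECUTIVES[name]:
        flags.append("display name matches an executive but address is not their mailbox")

    if domain(req.from_addr) not in CORPORATE_DOMAINS:
        flags.append("sender domain is external")

    # A Reply-To pointing somewhere other than the From domain routes the
    # victim's answer to the attacker even when From looks plausible.
    if req.reply_to and domain(req.reply_to) != domain(req.from_addr):
        flags.append("Reply-To domain differs from From domain")

    if URGENCY_WORDS.search(req.subject + " " + req.body):
        flags.append("urgency or secrecy language in request")

    # Dual authorisation: significant payments need a countersignature from
    # an authorised approver who is not the requester.
    if req.amount > DUAL_AUTH_THRESHOLD:
        countersigned = [
            a for a in req.approvers
            if a.lower() in AUTHORISED_APPROVERS and a.lower() != req.from_addr.lower()
        ]
        if not countersigned:
            flags.append("amount exceeds threshold without an authorised second approver")

    return {"decision": "hold" if flags else "proceed", "flags": flags}


# Constructed sample messages (not real mail).
LOOKALIKE = PaymentRequest(
    from_name="Jane Smith",
    from_addr="jane.smith@example-co.uk",      # lookalike domain
    reply_to="ceo.jsmith@gmail.com",
    subject="URGENT wire transfer",
    body="Need this paid today, do not tell anyone until the deal closes.",
    amount=25_000,
)

LEGITIMATE = PaymentRequest(
    from_name="Jane Smith",
    from_addr="jane.smith@example.co.uk",
    reply_to="",
    subject="Supplier invoice 4471 for approval",
    body="Please approve the attached supplier invoice.",
    amount=25_000,
    approvers=["finance.controller@example.co.uk"],
)

if __name__ == "__main__":
    for label, req in (("lookalike", LOOKALIKE), ("legitimate", LEGITIMATE)):
        result = screen(req)
        print(label, result["decision"], *result["flags"], sep="\n  ")
```

The point of the check is not that any single heuristic is decisive, but that the hold decision forces the out-of-band verification step regardless of how convincing the message text is; the human still makes the call, but only after confirming the request through a channel the attacker does not control.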

AJ Thompson, CCO at the IT consultancy Northdoor plc, says: “In the face of an increasingly sophisticated threat, this new guidance from the NCSC makes complete sense. Businesses have to be aware of what this threat now looks like and employees need to be educated. Variations of BEC have been grabbing the headlines. We recently saw cybercriminals successfully get their hands on £20m after an employee at Arup was duped by a digitally recreated version of the company’s CFO via a video conference. This level of sophistication is rare but does highlight the level of investment that cybercriminals are willing to invest to get huge pay-offs.

“The more common approach is for an email to come in from a senior executive. Everything about it will look authentic, but somewhere in the conversation, a request for a transfer of money or access to data will be made. If convinced, the employee will do as their ‘senior manager’ has asked of them and be none the wiser until the money is missed or the data leaked.

“Much of the advice from the NCSC is common sense. Reducing the amount of information about senior executives available online makes the job of making a convincing replica all the more difficult. Two-step verification also adds layers of complication for the cybercriminal, as will reducing the number of employees able to make large payments. The most critical piece of guidance though is the education of team members. It is, after all, employees that are targeted by BEC, so ensuring that they have an understanding of what a potential BEC attack looks like and how to effectively deal with anything suspicious immediately nulls the threat.

“However, much of this guidance, whilst important, is simply adding to the already substantial workload of IT and security teams. This is also often in the shadow of reducing budgets. It is clear that BEC now represents a real threat to businesses, but without the adequate resources to counter it, businesses are stuck. Some are turning to consultancies that can offer the expertise that might be lacking internally, as well as the assurance that threats will be dealt with, staff educated and a worst-case-scenario business continuity plan prepared. Taking the onus off already stretched internal teams is a good way of ensuring BEC attacks do not slip through the gaps whilst empowering staff to identify and deal with potential threats.”
