One of the most harmful cybercrimes facing security leaders and teams today is Business Email Compromise (BEC). The Secureworks® report, State of the Threat: A Year in Review, found that BEC remains a significant threat and that the “flourishing landscape of loaders and downloaders continues to service the demand of malware-based network access for all types of adversary groups.” As you continue to invest in new layers of security within your organization and educate your fellow leaders, here are our top five facts about BEC that every security leader needs to know.
BEC Fact #1: It’s a huge threat. Mainstream media portrays cyberattacks as the work of hacker masterminds typing away feverishly on their keyboards to get past a company’s firewall. But most breaches are much more pedestrian. The FBI says that BEC is the #1 costliest cyberattack in the U.S.[1] That’s not just because BEC attacks are so frequent. It’s also because, according to its 2020 Internet Crime Report, BEC breaches accounted for nearly $2 billion in losses.[1]
BEC Fact #2: Attackers often use social engineering. BECs sometimes result from the actual hack of an email account. But they’re much more often the result of social engineering—like when someone in the company clicks on a malicious link in an email that looks like it’s from the CEO, or gives away information to a criminal pretending to be an attorney.
BEC Fact #3: BECs are often part of a multi-stage attack. A BEC can be narrowly focused on getting someone to authorize a payment to the attacker’s bank account. However, as noted above, BECs can also follow a preceding breach that enabled the attacker to hijack a legitimate user’s email account. Attackers can also use socially engineered BECs to launch an attack by introducing malware into a victim’s environment—allowing them to then attempt much broader infiltration. So, every BEC must be addressed in the context of the specific attacker’s intent at that particular time and place.
BEC Fact #4: The business must help. While cybersecurity teams have an important role to play in stopping BECs, they also need the rest of the business to do its part. Organizations must ensure that every employee is trained in proper email security “hygiene.” Managers must understand anti-BEC countermeasures—strong passwords, multi-factor authentication (MFA), ongoing education, etc.—and ensure those countermeasures are diligently applied across their departments.
Also, executives at the highest level must champion security as a core element of the organization’s culture. Without this collective effort, organizations will put themselves at serious risk of a breach that can cost them money, damage their brand, and even result in punitive action by regulators.
BEC Fact #5: Cybersecurity teams need the right resources. Because non-technical staff members are so often the “weak link” in the BEC prevention chain, cybersecurity teams may need additional resources to mitigate the business risks associated with BEC effectively. Some of those resources are needed to limit the likelihood of a BEC scam ever reaching a business user’s screen: email policy controls that can flag or even block messages based on indicators of concern, such as disparities between the addresses and identities a message presents.
Other resources are needed to quickly block the malware, stolen credentials, and other consequences of any BEC attack that has gotten past the first two lines of defense, i.e., the cybersecurity team’s email controls and the business user’s good judgment. In addition, technology that can detect a threat early and empower security teams to respond rapidly, before an attacker has time to cause damage, is critical.
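The kind of email policy control described under Fact #5, one that flags messages whose address fields disagree with each other or with a known-sender roster, can be illustrated with a small header check. The code below is an added example written for this page, not Secureworks code or any product’s logic; the internal domain, the executive roster, the indicator names and the sample headers are all constructed assumptions.

```python
"""Flag inbound mail whose address fields disagree with each other or with a
known-sender roster. Hypothetical policy check; all data below is constructed."""
from email.utils import parseaddr

# Assumed internal domain and executive roster (constructed for this example).
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe": "jane.doe@example.com"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(headers: dict) -> list:
    """Return the indicator names found in one message's header dictionary."""
    findings = []
    display, from_addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    _, return_path = parseaddr(headers.get("Return-Path", ""))

    # 1. Display name matches a known executive but the address does not.
    expected = EXECUTIVE_NAMES.get(display.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name-mismatch")

    # 2. Reply-To steers replies to a domain other than the From domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Envelope sender (Return-Path) domain disagrees with the From domain.
    if return_path and _domain(return_path) != from_dom:
        findings.append("return-path-mismatch")

    # 4. From domain is a close lookalike of the internal domain.
    if from_dom and from_dom != INTERNAL_DOMAIN and _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    return findings


def scan_messages(messages: list) -> list:
    """Return (index, findings) pairs for every message that raised an indicator."""
    return [(i, check_headers(m)) for i, m in enumerate(messages) if check_headers(m)]


# Constructed sample headers: a genuine internal mail, an impersonation attempt,
# and an ordinary external vendor mail that should not be flagged.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Return-Path": "<bounce@example.com>"},
    {"From": "Jane Doe <jane.doe@examp1e.com>",
     "Reply-To": "<ceo.urgent@mail-invoice.net>",
     "Return-Path": "<x@mail-invoice.net>"},
    {"From": "Accounts Payable <ap@vendor-partner.example.net>",
     "Reply-To": "<ap@vendor-partner.example.net>"},
]

if __name__ == "__main__":
    for index, findings in scan_messages(SAMPLE_MESSAGES):
        print(f"message {index}: {', '.join(findings)}")
```

Checks like these are heuristics: legitimate forwarding services, mailing lists and vendor platforms routinely produce Return-Path or Reply-To domains that differ from the From domain, so a policy built on them should flag or quarantine for review rather than hard-block on a single indicator, and it complements rather than replaces sender authentication.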
It’s a Team Effort
To reiterate, the entire responsibility for BEC prevention can’t be left to the cybersecurity team alone. A sales team’s success depends on good marketing. And a marketing team’s success depends on being provided a quality product or service to promote. And they all depend on strong leadership at the top.
The same is true with BEC defense. It’s a team effort. The good news is that with the right combination of technology, organizational smarts, and ongoing commitment to cyber safety, organizations can dramatically reduce their risk of a costly BEC.
[1] FBI Internet Crime Complaint Center, 2020 Internet Crime Report