The recent Cloudflare 2023 Phishing Threats Report presents many interesting statistics about the global landscape of business email compromise (BEC) attacks. BEC is now one of the top cybersecurity threats worldwide, and per the report, 71% of organizations experienced such attacks in 2022.
But what exactly is a BEC attack or scam?
How does it damage companies?
And most importantly, what kind of BEC defenses can help companies to avoid these scams and protect their funds and information?
This article will reveal all the answers!
What is Business Email Compromise?
BEC is a type of phishing scam aimed at stealing money or critical information from an organization. The attacker pretends to be a trusted or known sender, such as a vendor, a government agency, or even the company’s senior management (e.g., the CEO).
They then send an email – purportedly from one of these senders – to one or more people at the target organization. The goal is to get the victim to believe that they’re interacting with a legitimate request and then carry out one of these activities that will benefit the scammer:
- Divulge sensitive information, such as login credentials, business secrets, personally identifiable information (PII), or intellectual property
- Send money to the scammer’s account
- Purchase gift cards on behalf of the scammer
- Pay out a fake invoice or bill
- Take control of a victim’s email account (account compromise) and then send fake invoices to vendors or suppliers and fool them into making payments into a fraudulent bank account
Regardless of their purpose, BEC scams can inflict a lot of financial pain on attacked organizations. According to the Cloudflare report, global BEC losses increased by 17% between December 2021 and December 2022. In 2022, there were almost 22,000 BEC complaints with losses of over $2.7 billion. These facts show that BEC is a big and costly security problem for organizations – bigger and costlier than even ransomware.
All organizations must be cognizant of these threats. More importantly, they must implement proactive BEC defenses to minimize BEC risk and safeguard their financial and data assets.
BEC Defense: 5 Strategies to Mitigate the Threat of BEC Scams
Five proven and proactive strategies for effective BEC defense are highlighted below:
1. Enable multi-factor authentication (MFA)
Traditional password-only authentication cannot prevent BEC attacks since usernames and passwords can be easily stolen and compromised. MFA plugs the security holes created by these older authentication systems by requiring users to provide multiple factors to prove that they are who they say they are. These factors may be OTPs sent to a mobile phone, biometrics like iris scans or fingerprints, physical security tokens, etc.
By requiring multiple authentication factors, MFA provides additional security that protects organizations from BEC scams. This is because an attacker would need to have all the factors on hand – not just easy-to-steal login credentials – to compromise a user’s account and then use that account to steal information or initiate unauthorized financial transactions.
2. Mandate the use of strong, unique passwords
In addition to MFA, strong password policies can help to minimize the risk of BEC attacks. The policy should include the following rules, which all employees must follow:
- Use strong, long, unique passwords for every account
- Never reuse a password across accounts, and never reuse an old password on the same account
- Change passwords at regular intervals
- Never share passwords with other users
- Never document passwords or leave passwords where they can be viewed or compromised by others
- All passwords must include a mix of letters, numbers, and special characters
- Passwords must not include information that can be easily guessed by anyone, including BEC scammers
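The rules above map directly onto checks a password-change endpoint can enforce. The following Python is an added example written for this article (it is not Bolster's code or any product's API); the minimum length, history depth and common-password list are constructed values, and history is kept as digests so old passwords are never stored in clear.

```python
import hashlib
import re
from typing import List

# Constructed policy parameters and a tiny common-password list for this example.
MIN_LENGTH = 14
HISTORY_DEPTH = 5
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "qwerty123"}


def fingerprint(password: str) -> str:
    """Digest kept in the history list so previous passwords are never stored in clear.
    Plain SHA-256 is used only to keep this example dependency-free; a real deployment
    stores password history with a slow, salted password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, username: str, company: str, history: List[str]) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = accepted).

    history holds fingerprints of the account's previous passwords, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Mix of letters, numbers and special characters
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("must mix upper-case, lower-case, digits and special characters")
    lowered = password.lower()
    # Easily guessed content: the user's own name, the company name,
    # a well-known password, or one character repeated
    for word in (username, company):
        if word and word.lower() in lowered:
            problems.append(f"contains easily guessed word '{word}'")
    if lowered in COMMON_PASSWORDS or re.fullmatch(r"(.)\1*", password):
        problems.append("common or trivially guessable password")
    # Reuse: compare against the last HISTORY_DEPTH fingerprints for this account
    if fingerprint(password) in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(password: str, username: str, company: str, history: List[str]) -> bool:
    """Apply the policy; on acceptance record the new fingerprint and return True."""
    if check_password(password, username, company, history):
        return False
    history.append(fingerprint(password))
    return True


if __name__ == "__main__":
    hist: List[str] = []
    print(check_password("Summer2024", "alice", "ExampleCorp", hist))
    print(set_password("correct-Horse7battery!stapler", "alice", "ExampleCorp", hist))
    print(set_password("correct-Horse7battery!stapler", "alice", "ExampleCorp", hist))
```

Returning the full list of violated rules, rather than a bare yes/no, lets the change dialog tell the user exactly what to fix and gives the security team a metric for which rules are tripped most often.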
These precautions notwithstanding, scammers can still compromise user accounts by guessing passwords or through brute-force attacks. To minimize this risk, it’s a good practice to use a password manager. A password manager enables employees to create strong, unique passwords, and to manage, back up, and securely store passwords in a cloud-based digital vault.
A password manager also enables IT and security teams to audit employee passwords, identify weak passwords, and efficiently enforce the organization’s password policies to prevent insider attacks and BEC scams.
3. Implement a PAM solution
Most BEC scams target employees who are authorized to access “privileged accounts” containing sensitive information, such as payroll or accounts payable. It’s crucial to manage and secure all privileged accounts and sensitive information to prevent compromise via BEC scams. Here’s where Privileged Access Management (PAM) comes in.
A robust PAM solution provides visibility into who is using privileged systems and accounts. It also prevents unauthorized users from accessing or compromising them. IT teams can also use a PAM solution to limit the number of privileged users, monitor user activity, and identify anomalous behaviors that may indicate a BEC attack (such as an email from the CEO to a finance officer to transfer a large sum of money to a previously unknown account).
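The anomaly in the parenthesis above (a large transfer to an account nobody has paid before, requested in an executive's name) is something an accounts-payable workflow can check mechanically before money moves. The Python below is an added example for this article, not Bolster's or any PAM product's code; the vendor master list, executive names, company domain, IBANs and the pressure-word list are constructed values, and the PaymentRequest fields are assumed to have been extracted from the incoming mail by a gateway or ticketing system.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample data: the organization's own mail domain, the executives whose
# names are commonly impersonated, and a vendor master list with each vendor's
# registered account and largest invoice seen so far.
COMPANY_DOMAIN = "example-corp.example"
EXECUTIVES = {"jane doe", "raj patel"}
KNOWN_VENDORS = {
    "acme-supplies.example": {"iban": "GB11EXMP00000001", "max_invoice": 12000.0},
    "north-logistics.example": {"iban": "GB22EXMP00000002", "max_invoice": 4500.0},
}
PRESSURE_WORDS = ("urgent", "immediately", "today", "confidential", "asap")


@dataclass
class PaymentRequest:
    """Fields a mail gateway or AP workflow would extract from an incoming request."""
    sender_addr: str      # address in the From header
    display_name: str     # display name in the From header
    vendor_domain: str    # vendor the invoice claims to come from
    iban: str             # account the request asks to be paid
    amount: float
    body: str


def review_request(req: PaymentRequest) -> List[str]:
    """Return the anomalies found in one request; an empty list means nothing unusual."""
    findings = []
    vendor = KNOWN_VENDORS.get(req.vendor_domain.lower())
    if vendor is None:
        findings.append("vendor not in master record")
    else:
        # Changed bank details are the core of invoice fraud: compare against the
        # account on file, ignoring formatting spaces
        if req.iban.replace(" ", "").upper() != vendor["iban"]:
            findings.append("bank account differs from vendor master record")
        if req.amount > 3 * vendor["max_invoice"]:
            findings.append("amount far above vendor history")
    # CEO-fraud pattern: an executive's display name on a non-company address
    sender_domain = req.sender_addr.rsplit("@", 1)[-1].lower()
    if req.display_name.strip().lower() in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        findings.append("executive display name on an external address")
    body = req.body.lower()
    if any(word in body for word in PRESSURE_WORDS):
        findings.append("pressure language in request")
    return findings


def triage(requests: List[PaymentRequest]) -> List[PaymentRequest]:
    """Requests that must be confirmed by phone with the vendor's known contact before payment."""
    return [r for r in requests if review_request(r)]


if __name__ == "__main__":
    sample = PaymentRequest("jane.doe@webmail.example", "Jane Doe", "north-logistics.example",
                            "GB99EXMP00000009", 40000.0, "Need this wired today, keep it confidential.")
    print(review_request(sample))
```

The point of the design is that no single finding blocks payment on its own; a changed IBAN or an unusually large amount simply routes the request to a human who confirms it over a channel the attacker does not control, which is the control that actually stops the transfer.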
4. Educate employees to recognize and guard against BEC attacks
Unfortunately, humans are the weak link that allows attackers to initiate and profit from BEC scams. It’s important to strengthen this link to shore up the organization’s BEC defenses. Employee BEC awareness programs are a good way to achieve this aim. Employees must be trained to understand the various tactics attackers commonly use to perpetrate BEC scams, such as brand impersonation, CEO fraud, false invoices, and trick domain names. They should also be educated on the potential costs of such attacks and how they can help to minimize these costs.
In addition, the training program should teach employees:
- How to spot a BEC scam
- How to respond to and report a BEC incident
- How to identify fake email addresses and domains that may indicate a BEC scam
- Why they should be wary of emails that push for urgent action or request sensitive information
- How oversharing work details on social media accounts can allow scammers to launch targeted BEC attacks
- Why they should stay updated on the latest BEC breaches and tactics
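Training people to spot fake addresses and domains works better when the mail system pre-flags the same patterns for them. The Python below is an added example for this article (not Bolster's code or any mail gateway's API) that checks a From address against the organization's own domains for homoglyph substitutions, near-miss spellings, brand-label reuse in a different domain, and a Reply-To that points somewhere else. The protected domain, the substitution table and the distance threshold of 2 are constructed assumptions; addresses are taken as bare "user@domain" strings or the angle-bracket form.

```python
import unicodedata
from typing import Iterable, List

# Constructed: the organization's own domain(s)
PROTECTED_DOMAINS = ("example-corp.example",)

# Substitutions commonly used in lookalike domains, folded to their plain form
# before comparison (constructed list for this example; order matters, digits first)
FOLD_MAP = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold(domain: str) -> str:
    """Lower-case, strip accents/non-ASCII, and undo the common look-alike substitutions."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for k, v in FOLD_MAP.items():
        d = d.replace(k, v)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of 'user@domain' or 'Name <user@domain>'."""
    return addr.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def assess_sender(from_addr: str, reply_to: str = "",
                  protected: Iterable[str] = PROTECTED_DOMAINS) -> List[str]:
    """Return the reasons a sender looks like an impersonation of a protected domain."""
    findings = []
    dom = domain_of(from_addr)
    if dom not in protected:
        if any(ord(c) > 127 for c in dom):
            findings.append("non-ASCII characters in sender domain")
        folded = fold(dom)
        for p in protected:
            brand = p.split(".")[0]
            if folded == fold(p):
                findings.append(f"homoglyph lookalike of {p}")
            elif levenshtein(folded, fold(p)) <= 2:
                findings.append(f"near-miss spelling of {p}")
            elif brand in dom.split(".") or dom.startswith(brand + "-"):
                findings.append(f"reuses the {p} brand label")
    if reply_to and domain_of(reply_to) != dom:
        findings.append("Reply-To domain differs from From domain")
    return findings


if __name__ == "__main__":
    for sender in ("ceo@examp1e-corp.example", "ap@exampel-corp.example",
                   "hr@example-corp-invoices.example"):
        print(sender, "->", assess_sender(sender))
```

A gateway would surface these findings as a banner on the message (the "external sender that resembles our domain" warning many organizations already use), which turns the awareness training into a prompt at exactly the moment the employee needs it.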
5. Strengthen security controls
Strong email security controls can help protect organizations against BEC attacks. For example, email authentication protocols like SPF, DKIM, and DMARC minimize BEC risks by authenticating senders so recipients don’t get fooled by fake email addresses or domains.
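What DMARC adds on top of SPF and DKIM is alignment: the domain that actually passed SPF (the envelope MAIL FROM) or DKIM (the d= tag) must match the domain in the visible From header, so a spoofed From cannot ride on an attacker's own authenticated domain. The Python below is an added example for this article, not Bolster's code or any mail server's implementation, showing that alignment check and the resulting disposition. It assumes the receiving mail server has already produced the SPF and DKIM pass/fail results (as it would record them in an Authentication-Results header), the DNS TXT records are a constructed in-memory table rather than real lookups, and the organizational domain is simplified to the last two labels (a real implementation consults the Public Suffix List).

```python
from typing import Dict

# Constructed _dmarc TXT records for this example (no real DNS lookups are made).
DNS_TXT = {
    "_dmarc.example-corp.example": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example-corp.example",
    "_dmarc.partner.example": "v=DMARC1; p=none",
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict of lower-case tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption for this example)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, spf_result: str, mail_from_domain: str,
                   dkim_result: str, dkim_domain: str, dns=DNS_TXT) -> Dict[str, str]:
    """Combine upstream SPF/DKIM results with the From domain's DMARC policy."""
    # Policy lookup: the From domain's own record first, then the organizational domain's
    record = dns.get(f"_dmarc.{from_domain.lower()}") or dns.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", "reason": "spf" if spf_ok else "dkim"}
    # Neither authenticated identifier aligns with the visible From: apply p=
    return {"dmarc": "fail", "disposition": tags.get("p", "none"), "reason": "no aligned pass"}


if __name__ == "__main__":
    # A message whose visible From claims example-corp.example but was sent through
    # an unrelated domain that passes SPF and DKIM for itself
    print(evaluate_dmarc("example-corp.example", "pass", "webmail.example", "pass", "webmail.example"))
```

The partner.example record in the table illustrates the limit the next paragraph talks about: with p=none the sender is only asking for reports, so a failing message is still delivered, and even p=reject says nothing about mail from a lookalike domain the attacker legitimately owns.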
That said, the Cloudflare report found that authentication protocols cannot stop all phishing threats, so organizations should not rely on these methods alone for BEC defense. They should also follow these security best practices:
- Implement email security solutions that provide advanced protection from BEC and other threats
- Use a VPN to secure sensitive data and communications
- Prohibit automatic email forwarding to external (non-company) addresses
- Use proxies to view websites and keep location data private
- Deploy email encryption and signing software so recipients can verify who sent a message
- Implement strong controls to protect financial processes, systems, and transactions
An AI-powered BEC protection platform like Bolster also provides an effective way to strengthen BEC defenses. This cutting-edge solution monitors domains, takes down phishing sites, and provides comprehensive protection against multiple external attack vectors.
Bolster can also automatically detect and remediate many kinds of threats, including BEC scams. With a mean-time-to-response (MTTR) of just 60 seconds and a record of 95% automated attack takedowns, Bolster is the most effective BEC defense available today.
Conclusion: Bolster for BEC Defense
The best BEC defense infrastructure is multi-layered and includes all the measures discussed above plus a powerful brand protection and domain monitoring platform like Bolster. To know more about Bolster’s powerful BEC defense capabilities, ask us for a free trial.