Understanding and Preventing Business Email Compromise

Originally published by CXO REvolutionaries.

Written by Gary Parker, CTO in Residence, Zscaler.

Businesses of all sizes face a growing cybersecurity and financial threat known as business email compromise (BEC) simply because they use email. BEC attacks have become increasingly sophisticated, posing significant risks to all organizations. This article explores the potential effects of BEC and provides insights into how organizations can fortify their defenses to prevent falling victim to this threat.

Understanding BEC

BEC is a cyberattack that includes unauthorized access to and manipulation of business email accounts. Often, attackers skilled in social engineering tactics impersonate executives, employees, or business partners to deceive recipients into taking actions that benefit the criminals. These actions include wire transfers, releasing sensitive information, or making unauthorized financial transactions.

For example, an attacker can contact someone in the finance department via email or phone to impersonate a senior executive. The attacker would tell the finance employee they do not have access to their computer but need an emergency wire sent to a specific bank account. Without the correct controls, the finance person could send the wire to the attacker's bank account. As soon as the wire reaches their bank account, the attacker immediately wires it to another bank account, typically out of the country.

Financial losses to an organization can be in the millions of dollars with BEC attacks, and companies rarely recover the money. Unfortunately for the company, their bank is not responsible for the capital loss, so the entire loss falls onto the company. For some organizations, these attacks can cripple them financially.

1. Financial loss

The most immediate and direct consequence of BEC is financial loss. Attackers exploit the trust existing within an organization, tricking employees into transferring funds or making payments to fraudulent accounts. Recovery is often challenging once money is transferred, and businesses may suffer substantial financial setbacks.

2. Reputational damage

Beyond monetary losses, BEC can inflict severe reputational damage on businesses. Customers, clients, and partners may lose trust in an organization that falls victim to such attacks, impacting its credibility and long-term relationships. Rebuilding trust can be a time-consuming process and may result in the loss of valuable business opportunities.

3. Data breach and intellectual property theft

BEC attacks can also serve as a gateway for cybercriminals to access sensitive company information. Compromised email accounts may contain confidential data, trade secrets, or intellectual property, which, if exposed, can have far-reaching consequences for the business's competitive advantage and market position.

How to prevent BEC

Fortunately, there are a number of practices that can reduce exposure to BEC attacks. While none is a panacea, when combined they make up an often effective roster of overlapping defenses.

1. Employee training and awareness

One of the primary defenses against BEC is a well-informed and vigilant workforce. Organizations should educate employees about the tactics used in BEC attacks, such as email spoofing, phishing, and social engineering. Regular training sessions can empower employees to recognize suspicious emails, verify requests for sensitive information, and adopt a cautious approach to unexpected financial requests.

2. Multi-Factor Authentication (MFA)

Implementing multi-factor authentication adds a critical layer of security to email accounts. Even if login credentials are compromised, MFA requires a second verification method, such as a code sent to a mobile device or a fingerprint scan, before granting access to sensitive information.

3. Secure email gateways

Investing in secure email gateways is crucial for businesses to filter out potentially malicious emails before they reach employees. These gateways use advanced threat detection mechanisms to identify and block suspicious emails, minimizing the risk of employees falling victim to phishing attempts.

4. Strict authorization protocols

Establishing clear and strict authorization protocols for financial transactions is essential. Employees should be required to verify financial requests through additional channels, especially when dealing with large sums of money or changes to payment details. Typically, organizations would implement a policy that requires more than one person to authorize a sizeable financial transaction.

5. Regular security audits

Companies can conduct frequent security audits to identify vulnerabilities in an organization's email system. By proactively addressing potential weak points, businesses can enhance their cybersecurity posture and reduce the attack vectors available to malicious actors.

6. Encrypted communication

Utilizing encryption for sensitive information and financial transactions adds an extra layer of protection. Encrypted communication ensures that even if unauthorized persons intercept emails, the content remains unreadable to unauthorized parties.

7. Vendor risk management

Our modern business economy requires collaboration with vendors and partners, but these external accounts often expand the attack surface and increase the risk of BEC through compromised accounts. Implementing vendor risk management practices, including security assessments and regular communication about cybersecurity expectations, can mitigate this risk.

8. Incident response plans

As with any risk, cyber or other, organizations must have a well-defined, tested, and validated incident response plan to recover from a BEC attack. Organizations should have a comprehensive plan to identify and contain the breach swiftly, communicate with stakeholders, and take necessary steps for recovery. A proactive response can significantly minimize the impact of a BEC incident.

Conclusion

Business Email Compromise poses a substantial threat to the financial and operational integrity of businesses. Understanding the potential effects of BEC and implementing robust preventive measures are imperative for organizations seeking to safeguard their assets, reputation, and sensitive information. Organizations that foster cybersecurity awareness, invest in technological defenses, and adopt best practices will reduce the risk of falling victim to the insidious tactics employed by cybercriminals.