
Shielding Your Inbox: Building a Robust Response to Business Email Compromise (BEC)


Business Email Compromise (BEC) continues to impact businesses of all sizes, exploiting human trust to siphon funds or steal sensitive data. These scams often appear to originate from legitimate sources such as CEOs, colleagues, or vendors, which makes them particularly deceptive.


Business Email Compromise comes in many forms, from impersonation of a member of staff or supplier (spoofing an email address, or changing the display name) to compromising legitimate accounts and sending emails from within that organisation.


To combat BEC attacks, a multi-layered approach is required: one that addresses technical vulnerabilities and promotes an effective security culture.


Technical Controls: Fortifying Your Defences

  • DMARC Implementation: Deploy Domain-based Message Authentication, Reporting & Conformance (DMARC). DMARC lets receiving mail servers check that mail claiming to come from your domain is authenticated (via SPF or DKIM), and tells them what to do with mail that fails, preventing spoofing of your domain.

  • SPF and DKIM Protocols: Utilise Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols to further authenticate legitimate emails and flag suspicious ones.

  • Email Filtering and Anti-Spoofing Measures: Implement robust email filtering solutions with advanced anti-spoofing technology to identify and quarantine suspicious emails before they reach employee inboxes.

  • Multi-Factor Authentication (MFA): Enforce MFA for all user accounts, especially those with access to financial resources or sensitive data. This adds an extra layer of security beyond passwords.

  • Data Loss Prevention (DLP): Implement DLP solutions to monitor and restrict the unauthorised transmission of sensitive data via email.

Cultural Challenges: Building Awareness and Resilience

  • Employee Training: Regularly train employees on BEC scams, teaching them how to identify red flags in emails, such as urgency, unusual requests, grammatical errors, and sender discrepancies.

  • Phishing Simulations: Conduct simulated phishing exercises to test employee awareness and preparedness. This helps identify areas for improvement and reinforces best practices.

  • Culture of Verification: Cultivate a culture of verification within the organisation. Encourage employees to double-check instructions, particularly those involving financial transactions, by contacting the sender through a channel other than email (for example, a known phone number).

  • Reporting Mechanisms: Create and promote clear and accessible reporting mechanisms for employees to report suspicious emails or potential BEC attempts. This will facilitate prompt investigations and minimise any potential damage.

The Top 3 Steps to defend against Business Email Compromise

  1. Authenticate Email, Filter the Noise: DMARC is a useful control that works best when implemented by all organisations. It provides confidence in the authenticity of the emails you send and those you receive. Configure email filters so that only authenticated emails are permitted through.

  2. Enforce MFA for all accounts: MFA significantly increases the difficulty of unauthorised access, even if an attacker compromises a user's password. Ensure complete coverage of MFA, else attackers will simply find the path of least resistance.

  3. Train, Test, Improve: Train your employees on typical BEC tactics and how to report them. Regularly conduct phishing simulations to raise awareness, and to measure reporting rates. Use the results to refine your training programs and security controls.
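The authentication and filtering controls above (DMARC in the technical controls list and in step 1, and the address-spoofing and display-name impersonation described earlier) can be illustrated with a small mail-filter check. This is an added example written for this article, not code from the original post; the domain, staff name, DMARC records and headers are constructed sample values.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
import re

# Constructed sample data for this example (not from the article).
ORG_DOMAIN = "example.com"
# Staff whose names are commonly borrowed by BEC senders, mapped to their real addresses.
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}

def parse_dmarc(txt):
    """Parse a _dmarc TXT record into {tag: value}; None if it is not a DMARC record."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_policy(txt):
    """Return (policy, pct): the handling the domain owner asks receivers to apply."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ("missing", 0)
    # 'p' defaults to none if absent; 'pct' < 100 means only partial enforcement.
    return (tags.get("p", "none").lower(), int(tags.get("pct", "100")))

def sender_findings(from_header, auth_results_header):
    """Flag the spoofing patterns a filter should catch before delivery."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    m = re.search(r"\bdmarc=(\w+)", auth_results_header)
    dmarc = m.group(1).lower() if m else "none"
    findings = []
    real = PROTECTED_NAMES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append("display-name impersonation")  # familiar name, foreign address
    if domain == ORG_DOMAIN and dmarc != "pass":
        findings.append("org domain without DMARC pass")  # direct spoof of our domain
    elif domain != ORG_DOMAIN and SequenceMatcher(None, domain, ORG_DOMAIN).ratio() > 0.9:
        findings.append("lookalike domain")  # e.g. examp1e.com standing in for example.com
    return findings
```

A real filter would fetch the `_dmarc.<domain>` TXT record over DNS and read the `Authentication-Results` header stamped by your own receiving server; the functions above are the decision logic those inputs feed.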

Building a robust defence against BEC requires continuous vigilance and adaptation. By staying informed about the latest tactics, implementing technical controls and educating your employees, you can safeguard your organisation's financial resources and sensitive data.
