Many of the most skilled cyber attackers don’t need to use exploits to access an enterprise network. In fact, in many examples of Business Email Compromise (BEC) attacks, all it takes is a simple phishing scam to trick the user into handing over their login credentials.
In these attacks, a hacker will send an employee a phishing email posing as a trusted individual to trick the victim into handing over sensitive information about the company, sending money, or sharing intellectual property.
BEC attacks are prevalent among cyber criminals because they rely on manipulation rather than brute force.
Research shows that 71% of organizations experienced BEC attacks over the past year. At the same time, 35% of organizations state that BEC/phishing attacks account for more than 50% of security incidents.
This article will examine five examples of business email compromise attacks that you need to know to ensure your employees are protected.
How Most BEC Attacks Work
Generally, a BEC attack begins when a cyber criminal gathers intelligence on a target company. During this intelligence-gathering phase, the criminal will collect publicly available information about company personnel (such as names and titles) from press releases, social media accounts, and website content.
Using this information, the cyber criminal will then attempt to gain access to the company email system with a phishing email or spoof the email account of a key employee.
After gaining email access, the attacker will send targeted, high-pressure emails to employees to trick them into handing over protected information. This often works because the employee sees the email is from a trusted individual like a colleague or lawyer and doesn’t think twice about handing over information or funds.
Part of the challenge with mitigating these threats is that most employees don’t know how to spot phishing scams. According to the 2021 Gone Phishing Tournament Report, 19.8% of employees click email phishing links.
5 Examples of Business Email Compromise
Most BEC attacks are a variation of one of the following five types:
1. Bogus Invoice Schemes
In these scams, a cyber criminal will take over the employee email account used to process invoice payments and fund transfers. The attacker will then use the account to ask another employee to transfer the funds or pay an invoice to the fraudster’s account.
2. CEO Fraud
A cyber criminal steals the email account of a CEO or c-suite executive and uses this to trick other users into giving up sensitive information or money. The hacker will send the victim an email with a subject line requesting a money transfer.
3. Account Compromise
One of the most common BEC attacks is where the hacker obtains access to an employee’s email account and then mines the contact list for company vendors, partners, and suppliers. The attacker will then message these contacts requesting that payments be sent to a fake account controlled by the cyber criminal.
4. Attorney Impersonation
Sometimes cyber criminals will even go as far as impersonating an organization’s attorney to contact company employees or the CEO and request funds. Skilled attackers usually do this on Friday afternoons or before the holidays when workers rush to get things done and don’t think to question the details.
5. Data Theft
Intruders often take over the company email of one or more Human Resources staff so they can send requests for confidential information about employees, partners, and investors. The cyber criminal later uses this data as part of a wider BEC or cyber attack against the company.
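The five patterns above share a few observable traits at the mail gateway: a display name that matches an executive or attorney while the message comes from an outside domain (CEO fraud, attorney impersonation), a sender domain one character away from the real one, a Reply-To that diverts replies elsewhere (bogus invoices, account compromise), and payment language paired with urgency. The following screening heuristic is an added example written for this article, not code from the original page or from any vendor product; the organisation domain, the protected names, the trusted partner domains and the three sample messages are all constructed assumptions.

```python
"""Heuristic screening of inbound mail for BEC indicators (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed organisation data: assumptions for this example only.
CORP_DOMAIN = "example.com"
TRUSTED_DOMAINS = {CORP_DOMAIN, "lawfirm-example.com"}   # vetted partner domains
PROTECTED_NAMES = {"jane doe": "ceo", "sam lee": "outside counsel"}  # people attackers impersonate
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|payment|bank|account)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|asap|immediately|today|before (the )?weekend|confidential)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list:
    """Return a list of human-readable BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display name of a protected person, but the mail originates outside trusted domains.
    key = name.strip().lower()
    if key in PROTECTED_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display-name impersonation of {PROTECTED_NAMES[key]}")

    # 2. Sender domain is one edit away from the corporate domain without being equal to it.
    if from_dom and from_dom != CORP_DOMAIN and edit_distance(from_dom, CORP_DOMAIN) <= 1:
        findings.append(f"lookalike domain {from_dom}")

    # 3. Reply-To diverts responses to a different domain than the one in From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to mismatch ({domain_of(reply)})")

    # 4. Payment language combined with urgency in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if PAYMENT_WORDS.search(text) and URGENCY_WORDS.search(text):
        findings.append("urgent payment request")

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_CEO_FRAUD = """From: Jane Doe <jane.doe@webmail-example.net>
Reply-To: jane.doe@webmail-example.net
To: accounts@example.com
Subject: Urgent wire transfer needed today

I'm in a meeting and can't talk. Please process the transfer before end of day.
"""

SAMPLE_INVOICE = """From: Billing <billing@examp1e.com>
Reply-To: billing@webmail-example.net
To: ap@example.com
Subject: Updated invoice and bank account details

Please note our new account number for future payments.
"""

SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Town hall on Thursday

Reminder that the quarterly town hall starts at 10am.
"""

if __name__ == "__main__":
    for label, sample in [("ceo fraud", SAMPLE_CEO_FRAUD), ("invoice", SAMPLE_INVOICE), ("benign", SAMPLE_BENIGN)]:
        print(f"{label}: {bec_indicators(sample) or 'no indicators'}")
```

Run stand-alone, the script reports two indicators for the CEO-fraud sample, two for the bogus-invoice sample and none for the benign town-hall notice. The heuristics are deliberately simple: in a real gateway the protected-name list would come from the directory, the trusted-domain list from vendor onboarding records, and a single indicator would route the message for review rather than block it, since legitimate staff do occasionally mail from personal accounts.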
How to Prevent BEC Attacks
Security leaders can take some simple steps to prevent BEC from taking place. These include:
1. Raise awareness of BEC attack examples
Educate your employees about the five types of BEC attacks. Use phishing simulations to teach employees how to identify BEC and phishing attempts.
2. Issue regular security awareness training
Provide employees with regular security awareness training and phishing simulations to keep BEC and social engineering risks top of mind. You can support this further by creating internal cyber security heroes committed to keeping your organization cyber secure.
3. Monitor employee awareness
Encourage security leaders and cyber security heroes to monitor employees’ BEC and phishing awareness with regular phishing simulations. Use microlearning modules to educate, train, and change the behavior of employees who are struggling.
4. Send ongoing communications about threats
Provide employees with ongoing communication and campaigns about cyber security, BEC, and social engineering. This includes establishing strong password policies and reminding employees about the risks of emails, URLs, and attachments.
5. Set network access rules
Establish network access rules to limit the use of personal devices and prevent the sharing of information outside the network’s perimeter.
6. Update all infrastructure
Ensure all applications, operating systems, network tools, and internal software are up-to-date and secure. Install anti-malware and anti-spam software.
Recap
Like all cyber threats that rely on manipulation, it only takes a single employee making a misguided decision to click a malicious link or hand over personal information, and you are dealing with a data breach that impacts your entire organization.
By giving employees a heads up on some common examples of business email compromise attacks, you provide them with the tools they need to spot manipulative phishing emails. You also reduce the chance of an attacker being able to trick your users into giving up sensitive information.
Want to find out how security awareness training can help you defend against phishing and BEC attacks?
Reserve your timeslot for a fun, exciting solution walkthrough. It’s like speed dating, only without any disappointment or gong noises.