Business email compromise (BEC) can pose both cyber and financial risks to an organization. According to the Federal Bureau of Investigation (FBI), BEC cost $43 billion globally between June 2016 and December 2021.
BEC and phishing attacks target funds by using social engineering to get victims to initiate bank transfers to the attackers. In an FBI public service announcement, the bureau reported that the Internet Crime Complaint Center (IC3) has seen an uptick in BEC complaints involving cryptocurrency. The banking industry accounted for 11% of phishing targets in 2021, and other financial-sector players remained top targets as well, with e-commerce accounting for 17% of phishing targets.
How to defend against business email compromise
"Banks and banking customers are high-value targets for hackers," said Chip Gibbons, Chief Information Security Officer (CISO) at Thrive Network. Gibbons shared tips for CISOs and security leaders in the financial sector who are combatting phishing attacks and business email compromise.
Multi-factor authentication and spam filtering should be implemented across banks and financial organizations as standard practices, according to Gibbons.
"Once those are implemented, the next step is to look at next-level security layers. For example, conditional access is a practice where a person can only access email from specific geographic locations or specific machines, which reduces a bank's attack surface," he said.
Employee awareness training
Along with cybersecurity tools, bank security professionals can institute employee security awareness training to reduce instances of successful BEC. "Banks that invest in consistent training for their employees, like what to watch out for in phishing emails, can stay ahead of the threat curve," said Gibbons. He recommends monthly or quarterly trainings that last between five and 10 minutes "to keep it fresh and top of mind with employees without losing their interest."
In security awareness training programs, security leaders need to impress upon employees the importance of following up on suspicious activities. "Anytime a person changes their account or how they are paid should trigger a warning," said Gibbons. "Any such changes should be followed up by an immediate phone call to confirm. For example, if you pay the cleaners and they email you that their routing number has changed, then you should follow up with a phone call." This can help identify fraudulent emails before an incident escalates.
Responding to a successful business email compromise
Prevention is key to combatting business email compromise, but "everyone can and will make a mistake at one point in time," said Gibbons. Cybersecurity leaders must be prepared to act in the aftermath of a successful phishing or BEC attack.
"The organization should immediately change the user's password," said Gibbons. "All rules within the compromised account should be reviewed — specifically rules that have any forwarding to outside accounts. The IT or security team should review any logs available to determine what data got accessed, but if the logs are not detailed, they should assume all information in the mailbox was compromised."
Once the extent of an email breach is assessed, "affected individuals that had data within the mailbox should be contacted, as well as any vendors or users that have any financial components such as invoices or payments. Finally, a detailed review of how the email was compromised and subsequent training for the individual."
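The rule review and scoping steps above are the part of the response that is usually done by hand against an export from the mail platform. The script below is an added example (it is not from the article or from Thrive Network) that runs that triage over a constructed inbox-rule export and a constructed slice of mailbox audit events: it flags rules that forward outside the organization, silently delete mail, hide messages in rarely viewed folders or match finance-related subjects; it finds the first sign-in or rule change from an untrusted network; and it lists the correspondents whose mail was read after that point, tagging the ones with invoice or payment threads so they can be contacted first. The field names, the `examplebank.test` domain, the trusted network range and the sample data are all assumptions chosen for the example.

```python
"""Compromised-mailbox triage (added example, not from the article).

Assumptions: the rules export and audit events are dicts with the field
names used below (loosely modelled on an Exchange Online export, but the
shape is an assumption); ORG_DOMAINS and TRUSTED_NETWORKS are placeholders.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime

ORG_DOMAINS = {"examplebank.test"}                           # assumption: our mail domains
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: office egress range
FINANCE_KEYWORDS = ("invoice", "payment", "payroll", "wire", "routing", "deposit", "ach", "remit")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Constructed sample data: one benign rule and two attacker-style rules, plus
# a slice of audit events around an untrusted sign-in.
INBOX_RULES = [
    {"name": "Move newsletters", "subject_contains": ["newsletter"],
     "move_to_folder": "Reading", "forward_to": [], "delete_message": False},
    {"name": ".", "subject_contains": ["invoice", "payment", "wire"],
     "move_to_folder": "RSS Feeds", "forward_to": ["finance.backup@mail-relay.example"],
     "delete_message": False},
    {"name": "Cleanup", "subject_contains": ["routing number"],
     "move_to_folder": "", "forward_to": [], "delete_message": True},
]
AUDIT_EVENTS = [
    {"time": "2023-03-01T08:02:11Z", "op": "UserLoggedIn", "ip": "203.0.113.10"},
    {"time": "2023-03-02T22:14:05Z", "op": "UserLoggedIn", "ip": "198.51.100.77"},
    {"time": "2023-03-02T22:15:40Z", "op": "New-InboxRule", "ip": "198.51.100.77"},
    {"time": "2023-03-02T22:20:01Z", "op": "MailItemsAccessed", "ip": "198.51.100.77",
     "correspondent": "ap@cleaning-vendor.example", "subject": "Invoice 4471 - March"},
    {"time": "2023-03-03T09:30:00Z", "op": "MailItemsAccessed", "ip": "198.51.100.77",
     "correspondent": "hr@examplebank.test", "subject": "Payroll direct deposit update"},
    {"time": "2023-03-03T09:31:00Z", "op": "MailItemsAccessed", "ip": "203.0.113.10",
     "correspondent": "team@examplebank.test", "subject": "Lunch Friday?"},
]


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def is_trusted_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def mentions_finance(text: str) -> bool:
    lowered = text.lower()
    return any(keyword in lowered for keyword in FINANCE_KEYWORDS)


def triage_rule(rule: dict) -> list[str]:
    """Return the reasons a rule looks attacker-made; an empty list means none found."""
    findings = []
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    if rule.get("delete_message"):
        findings.append("silently deletes matching mail")
    if rule.get("move_to_folder", "").lower() in HIDING_FOLDERS:
        findings.append(f"hides mail in '{rule['move_to_folder']}'")
    if mentions_finance(" ".join(rule.get("subject_contains", []))):
        findings.append("targets finance-related subjects")
    if not rule.get("name", "").strip(" ."):
        findings.append("blank or placeholder rule name")
    return findings


def suspicious_rules(rules: list[dict]) -> list[tuple[str, list[str]]]:
    flagged = []
    for rule in rules:
        findings = triage_rule(rule)
        if findings:
            flagged.append((rule["name"], findings))
    return flagged


def incident_start(events: list[dict]) -> datetime | None:
    """Earliest sign-in or rule change from outside the trusted networks."""
    watched = RULE_OPERATIONS | {"UserLoggedIn"}
    times = [parse_time(e["time"]) for e in events
             if e["op"] in watched and not is_trusted_ip(e["ip"])]
    return min(times) if times else None


def affected_correspondents(events: list[dict], start: datetime) -> dict[str, str]:
    """Correspondents whose mail was read from an untrusted IP after `start`,
    tagged 'financial' when the subject mentions invoices, payments, etc."""
    affected: dict[str, str] = {}
    for e in events:
        if e["op"] != "MailItemsAccessed" or is_trusted_ip(e["ip"]) or parse_time(e["time"]) < start:
            continue
        tag = "financial" if mentions_finance(e["subject"]) else "other"
        if affected.get(e["correspondent"]) != "financial":  # never downgrade a financial tag
            affected[e["correspondent"]] = tag
    return affected


if __name__ == "__main__":
    for name, findings in suspicious_rules(INBOX_RULES):
        print(f"rule {name!r}: " + "; ".join(findings))
    start = incident_start(AUDIT_EVENTS)
    print("incident start:", start)
    for who, tag in affected_correspondents(AUDIT_EVENTS, start).items():
        print(f"notify {who} ({tag})")
```

If the platform's logs are too coarse to produce `MailItemsAccessed`-style records, the `affected_correspondents` result is incomplete and, as Gibbons advises, everyone with data in the mailbox should be treated as affected rather than trusting the short list.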
Preventing and mitigating BEC takes effort from everyone within an organization. By focusing on employee cybersecurity training, implementing standard security measures in the organizational network, and responding quickly to a breach, security professionals can reduce their risk of a successful cyberattack.