How companies can defend against business email compromise

Strategies that firms should follow to build security into their business processes

Business email compromise

In 2022, across our emergency incident response engagements, we observed a significant rise in business email compromise (BEC) attacks, making it a preferred tactic for financially motivated cybercriminals.

Hackers are opportunistic and often financially motivated, looking to make the most profit from the least effort. Tactics like BEC allow cybercriminals to target multiple organisations and individuals simultaneously.

Understanding business email compromise

Our incident response engagements have identified two common methods used to steal money with BEC tactics: email chain injection and C-level fraud.

In email chain injection, the threat actor intercepts a payment-related email chain, impersonates the compromised account owner, and requests changes to payment information.

Meanwhile, C-level fraud involves the compromise of an executive’s email account, with the threat actor posing as the executive to instruct finance or accounting staff to transfer funds to a specified bank account, often creating a sense of urgency.

Business email compromise attacks often start with phishing emails that trick recipients into visiting fake login pages, enabling threat actors to steal their credentials. It is therefore crucial that organisations look at what controls they need to have in place to help protect employees from inadvertently responding to these threats.

Security controls against BEC

From a technical standpoint, there are controls that organisations can implement which make it harder for employees to reach these malicious websites.

One effective measure is using a web filter that blocks known malicious sites, newly created sites and those without reputation scores. Running alongside this, tools in mail security solutions can defang or redirect phishing emails that contain malicious hyperlinks embedded in them.

Multi-factor authentication (MFA) is highly effective in limiting threat actors’ ability to misuse credentials which do get compromised. MFA safeguards against credential-based attacks on network perimeters, such as remote desktop protocol and virtual private networks.

Another approach is geo-blocking, which restricts logins from countries where users are typically not located. Disabling legacy authentication methods, such as IMAP and POP, further reduces the risk of unauthorised access.

Of course, cybercriminals also try to get around MFA controls. Our incident responders have observed an emerging tactic known as “MFA bombing,” where threat actors use a series of MFA prompts to manipulate targeted users into granting access.

To counter this, organisations can require manual entry of MFA codes or completion of a numeric challenge-response prompt, and provide additional context in the prompt itself, such as a map indicating where the request originated.
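As an added example (not from the article or from Secureworks), the following Python script turns the two signals just discussed, sign-ins from unexpected countries and "MFA bombing" bursts, into detection logic over constructed sign-in records. The country allowlist, the burst threshold and the event format are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# (user, UTC timestamp, MFA outcome, country of the requesting IP)
SAMPLE_EVENTS = [
    ("alice", "2023-03-01T08:00:05Z", "mfa_approved", "GB"),
    ("bob",   "2023-03-01T02:10:00Z", "mfa_denied",   "NG"),
    ("bob",   "2023-03-01T02:10:40Z", "mfa_denied",   "NG"),
    ("bob",   "2023-03-01T02:11:20Z", "mfa_timeout",  "NG"),
    ("bob",   "2023-03-01T02:12:05Z", "mfa_denied",   "NG"),
    ("bob",   "2023-03-01T02:13:00Z", "mfa_approved", "NG"),
    ("carol", "2023-03-01T09:00:00Z", "mfa_approved", "GB"),
    ("carol", "2023-03-01T09:30:00Z", "mfa_approved", "US"),
]

ALLOWED_COUNTRIES = {"GB", "US"}   # hypothetical geo-blocking allowlist
BURST_THRESHOLD = 4                # rejected/unanswered prompts that count as a burst
WINDOW = timedelta(minutes=10)     # sliding window for the burst count

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect(events, allowed=ALLOWED_COUNTRIES, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return {user: set(reasons)} for users whose sign-ins look like BEC precursors."""
    alerts = defaultdict(set)
    rejected = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts
    # ISO-8601 strings sort chronologically, so sort on the raw timestamp.
    for user, ts, outcome, country in sorted(events, key=lambda e: e[1]):
        t = parse_ts(ts)
        if country not in allowed:
            alerts[user].add(f"sign-in attempt from non-allowlisted country {country}")
        q = rejected[user]
        while q and t - q[0] > window:  # drop prompts that fell out of the window
            q.popleft()
        if outcome in ("mfa_denied", "mfa_timeout"):
            q.append(t)
            if len(q) >= threshold:
                alerts[user].add(f"{threshold}+ rejected/unanswered MFA prompts within {window}")
        elif outcome == "mfa_approved" and len(q) >= threshold:
            # The user gave in after a burst of prompts: the MFA-fatigue pattern.
            alerts[user].add("MFA approval immediately following a prompt burst")
    return dict(alerts)

if __name__ == "__main__":
    for user, reasons in detect(SAMPLE_EVENTS).items():
        for reason in sorted(reasons):
            print(f"ALERT {user}: {reason}")
```

In a real deployment the same logic would run over the identity provider's sign-in log export rather than an inline list, and the approval-after-burst alert is the one that warrants an immediate session revocation and a call to the user.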

Educating users to verify the request’s origin and location further enhances the organisation’s security posture. By implementing these measures, businesses can strengthen their defence against business email compromise attacks and safeguard their sensitive information.

Working for a secure business culture

From a human perspective there are techniques and business processes which can be rolled out to mitigate user-related security risks. Security training is crucial in educating employees about the risks of BEC and how it impacts the organisation.

Employees should be able to identify warning signs of BEC attacks, verify payment or account changes through trusted communication channels, and report suspicious behaviour to the appropriate business units.

Organisational culture plays a fundamental role in security. Employees should be encouraged to challenge non-standard requests (e.g., payment and account changes).

Adopting a “trust but verify” mindset towards emails, chat messages and phone calls means that even slight deviations from normal operations raise red flags, protecting the organisation from falling victim to BEC attacks.

Employees should feel safe to question and report concerns – as well as mistakes. It’s better for an employee to rapidly and fully report that they may have fallen victim to one of these scams early, so that action may be taken to prevent fraud, rather than hide it and hope for the best.

With controls such as the “two-person” rule, where a second employee reviews and verifies payment modifications, and a requirement for telephone or in-person verification of requested changes, organisations can detect and prevent BEC attempts. These controls have proven effective in preventing substantial financial losses in real-world incidents.

Building security into the business

Ultimately, to mitigate the risks of BEC attacks, organisations need to raise awareness and build security into their business processes.

The motivation for threat actors to continue launching BEC attacks has never been greater than it is now. Organisations must recognise that email security controls alone are not completely effective at mitigating threats.

Threat actors will target every process that requires trust.

In the fight against BEC attacks, having solid technical controls in place will support employees, who serve as the last line of defence. Equipping them with the necessary training, resources and support is paramount to their ability to detect and thwart these attacks effectively.

Gopan Sivasankaran is the general manager – META at Secureworks
