Business email compromise (BEC) is a prevalent email threat to organizations and a lucrative business for hackers. BEC attacks have increased and become more sophisticated in recent times.
By Rudra Srinivas, Senior Feature Writer, CISO MAG
In a BEC attack, hackers use social engineering tactics to steal the credentials of business email accounts. Further, BEC emails are sent to unwitting employees by spoofing the identity of high-ranking executives. Threat actors trick employees into performing activities under the guise of legitimate business operations.
Increase in BEC Attacks
Though BEC emails do not have any malware payloads, they can cause severe financial damage to the victim organizations via various fiscal fraud campaigns. As per the 2021 Business Email Compromise Report, BEC attacks are the most financially damaging security threats. Out of all security incidents reported by organizations in 2020, BEC attacks accounted for 50%, resulting in other kinds of threats like loss of data (16%), compromised accounts (36%), and payment fraud (16%).
Three Steps to Prevent BEC Attacks
Despite implementing several email security measures, organizations are still suffering from BEC attacks. Here are the three Ps you need to defend your organization from BEC threats:
1. Monitor Your ‘Process’
BEC email attackers usually target employees in the financial department to clear payment approvals by impersonating the company’s C-suite executives. Organizations should enhance their payment approval process to ensure that every payment request is legitimate. Organizations should re-evaluate their payment authorization policy to avoid misuse of the process. Instead of allowing unlimited authorization to a single individual or department, organizations should establish multiple approval levels for any payments.
2. Educate Your ‘People’
Email spoofing and spear-phishing attacks are the most common type of BEC attacks. Employees should be able to identify phishing emails/messages to avoid unnecessary mishaps. A single act of an ignorant employee could cost a fortune to organizations. Employees in every department need to recognize the sender before clicking on links sent via external sources. Human firewall is crucial to disinfect human error.
3. Enhance Your ‘Protection’
Ask your employees to follow basic email hygiene practices to prevent unauthorized intrusions. While deploying the latest anti-virus software, thwarting malicious payloads distributed by email and implementing email authentication services like DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) will prevent email spoofing. Besides email security, enforce strong password and authentication management policies to boost the security of business email accounts.
Simple mistakes could disrupt the entire organization’s security defense and risk its most valuable asset – data. Hence sound security practices – from authentication to awareness – are key to enterprise cyber hygiene.
About the Author:
Read More from the author.