By Robert Haist, CISO, TeamViewer
In a world where businesses are rapidly digitizing and email is the dominant channel of communication, Business Email Compromise (BEC) attacks – scams designed to give cybercriminals unauthorised access to confidential information or to lure victims into transferring funds – pose a substantial threat to organizations of all sizes and sectors. To combat this growing menace, every business must adopt a multi-layered security approach built on zero trust principles and comprehensive employee education. BEC attacks are skyrocketing: according to a report by Abnormal Security, monthly BEC attacks per 1,000 mailboxes more than doubled in 2023 to 10.77, a staggering 108% increase compared to 2022. The rate peaked in October with a monthly average of 14.57 attacks per 1,000 mailboxes. This trend has been triggered by the shift to hybrid and remote work and the accompanying change in employee habits and the security landscape.
BEC attack frequency doubled in 2023, and it is expected to rise again this year, largely because of the massive return on investment it promises cybercriminals. Based on FBI data, a successful business email compromise attack costs its victim more than $125,000 on average. To safeguard against this widespread threat, organizations must maintain a high level of security awareness and implement robust security programs.
Empowering employees: Your first line of defence
Security awareness training empowers employees to actively combat phishing attacks, including Business Email Compromise (BEC) scams. Phishing emails are increasingly sophisticated, using social engineering tactics to bypass filters and deceive even vigilant employees. Attackers often use information from social media or previous data breaches to impersonate executives, colleagues, or vendors convincingly. By creating a false sense of urgency, they can easily trick untrained staff into revealing sensitive information or authorizing fraudulent payments.
Traditional training methods are no longer sufficient to prevent successful attacks. Modern security awareness programs need to be dynamic and engaging, simulating real-world scenarios and teaching employees to recognize email red flags and social engineering tactics. For instance, employees should learn to identify signs such as spoofed sender addresses and grammatical errors, and to be cautious of unexpected requests, especially those involving financial transactions or changes to account information. Staff should be encouraged to independently verify information through established channels.
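A small triage routine for the red flags just listed, written as an added example (not code from the original article or from TeamViewer); the organisation domain, the executive list, the keyword list and the two sample messages are constructed assumptions:

```python
"""Triage an inbound message for the BEC red flags discussed above (added example)."""
import difflib
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                           # assumed: the organisation's own domain
EXECUTIVES = {"alice ceo": "alice.ceo@example.com"}  # assumed: display name -> real address
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|asap|wire transfer|bank details|new account|"
    r"change of account|keep this confidential)\b", re.IGNORECASE)

def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()

def is_lookalike(domain: str) -> bool:
    """Near-miss of the real domain (examp1e.com, example.co), but never the real domain itself."""
    return domain != ORG_DOMAIN and difflib.SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.85

def bec_red_flags(msg: dict) -> list[str]:
    """Return the red flags found in a message given as a dict of headers plus 'body'."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:       # an executive's name on a stranger's address
        flags.append("display name impersonates an executive")
    if is_lookalike(from_domain):
        flags.append(f"sender domain {from_domain} mimics {ORG_DOMAIN}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:   # replies would silently go elsewhere
        flags.append("Reply-To points to a different domain than From")
    hits = sorted({m.lower() for m in URGENCY_RE.findall(msg.get("body", ""))})
    if hits:
        flags.append("urgency or payment language: " + ", ".join(hits))
    return flags

# Constructed samples: one impersonation attempt, one routine internal message.
SPOOFED = {"From": "Alice CEO <alice.ceo@examp1e.com>", "Reply-To": "alice.ceo@webmail.example.net",
           "body": "Urgent: process a wire transfer to a new account today and send me the "
                   "bank details you hold on file. Do it immediately and keep this confidential."}
LEGIT = {"From": "Bob Finance <bob@example.com>", "body": "Attached are the Q2 figures for review."}
```

Flags like these are a reason to pause and verify the request through an established channel, not a verdict on their own.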
Zero trust: The centre of a secure remote landscape
Even with extensive employee training, some BEC scams will slip past human vigilance, so comprehensive security processes are essential to minimize their impact. The zero trust security model is crucial here. It assumes no inherent trust for anyone, inside or outside the network: every user and device must be continuously authenticated before accessing any resource. This makes life much harder for attackers, because even if they steal a login credential they cannot automatically reach the entire system.
A key component of zero trust is multi-factor authentication (MFA), which acts like multiple locks on every access point. Just as a physical security system may require several forms of identification, MFA requires not just a username and password but an additional verification factor, such as a code from a phone app or a fingerprint scan. This makes unauthorised entry, including through BEC scams, much harder, so any IT infrastructure should have zero trust and MFA at its core.
A complement to zero trust is the principle of least privilege: granting users only the minimum level of access required to perform their jobs. Imagine assigning keys that unlock only specific rooms within the castle, not the entire grand hall. This minimises the damage if credentials are compromised, because attackers can reach only the data and resources assigned to that specific user.
Companies should also employ continuous monitoring and risk-based access decisions, akin to guards patrolling a fortress. Using advanced analytics, security teams can detect suspicious behaviour and implement risk-based access controls. For instance, access from an unrecognized location might prompt stronger authentication or additional approval. Additionally, network segmentation is crucial for containing threats. By dividing the network into smaller compartments, even if attackers breach one section, their movement is limited, preventing them from compromising the entire network.
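The risk-based access decision described above, as an added example that is not part of the original article or of any TeamViewer product; the signal weights, the thresholds, the baseline shape and the sample sign-ins are all constructed assumptions:

```python
"""Risk-based access decision for a sign-in event (added example, not TeamViewer code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Baseline:  # what continuous monitoring has learned about one user; assumed shape
    known_countries: set[str] = field(default_factory=set)
    known_devices: set[str] = field(default_factory=set)
    last_country: str | None = None
    last_seen: datetime | None = None

@dataclass
class SignIn:
    country: str
    device_id: str
    at: datetime
    sensitive: bool  # e.g. approving a payment or changing supplier bank details

WEIGHTS = {"unrecognised location": 40, "unknown device": 30,  # assumed weights;
           "impossible travel": 50, "sensitive resource": 20}  # tune from real telemetry

def risk_signals(ev: SignIn, base: Baseline) -> list[str]:
    signals = []
    if ev.country not in base.known_countries:
        signals.append("unrecognised location")
    if ev.device_id not in base.known_devices:
        signals.append("unknown device")
    # Two countries within two hours cannot be one traveller: a strong stolen-credential signal.
    if (base.last_seen and base.last_country != ev.country
            and ev.at - base.last_seen < timedelta(hours=2)):
        signals.append("impossible travel")
    if ev.sensitive:
        signals.append("sensitive resource")
    return signals

def decide(ev: SignIn, base: Baseline) -> tuple[str, int, list[str]]:
    """Sum the risk and map it to allow, step-up MFA, or hold for out-of-band approval."""
    signals = risk_signals(ev, base)
    score = sum(WEIGHTS[s] for s in signals)
    verdict = "allow" if score < 30 else "step-up MFA" if score < 80 else "hold for approval"
    return verdict, score, signals

def demo() -> list[tuple[str, int]]:
    """Constructed baseline and three sign-ins: routine, stolen-credential pattern, new phone."""
    base = Baseline({"IN"}, {"laptop-1"}, "IN", datetime(2024, 5, 1, 9, 0))
    events = [SignIn("IN", "laptop-1", datetime(2024, 5, 1, 10, 0), False),
              SignIn("DE", "laptop-1", datetime(2024, 5, 1, 10, 0), True),
              SignIn("IN", "phone-9", datetime(2024, 5, 1, 12, 0), True)]
    return [decide(ev, base)[:2] for ev in events]
```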
A multifaceted approach is key to BEC defence
Building a robust defence against BEC attacks requires a layered approach: comprehensive security measures based on zero trust principles are crucial, but on their own they are insufficient. Businesses also need to empower their employees to make informed decisions. Investing in ongoing security awareness training that includes real-world scenarios is vital for teaching employees how to identify and report suspicious activity effectively.
Furthermore, given the increasing sophistication of BEC attacks and their global impact, it is imperative for Indian businesses to merge these strategies with their existing security frameworks. This integration will not only enhance their defence against BEC attacks but also fortify their overall cybersecurity posture.