According to Verizon's Data Breach Investigations Report, Business Email Compromise (BEC) attacks accounted for more than half of social engineering attacks in 2023! Cybercriminals are not only increasing the number of attacks, but are also becoming more sophisticated and automated in producing fake and spoofed emails.
Today, with the rapid adoption of generative AI, the threat of BEC attacks is growing. Not only are cybercriminals adept at writing persuasive phishing emails with AI, but they are also able to evade detection by traditional email security tools, increasing the reach and sophistication of attacks at scale.
With a surge in BEC attacks in 2024, cybersecurity teams and business managers need to recognize that technical defenses can only mitigate risk to a certain extent. Common email security defenses range from anti-spoofing technologies such as DMARC and SPF to behavioral analysis and other threat detection, as well as protections such as multi-factor authentication (MFA) and strong identity and access management. However, in order to build effective defense in depth, organizations need to layer threat intelligence with people-oriented business and technology policies to minimize risk.
To avoid financial losses, CISOs should work with their legal teams to develop comprehensive BEC policy documents that improve users' resilience to attacks. Here are eight key takeaways from the experts' recommended BEC protection policies:
1. Acceptable Use Rules
The first category of rules that organizations set at the business and technical levels consists of acceptable use standards for employees accessing email and other business systems, which help thwart BEC attacks. According to Britton, the Acceptable Use Policy (AUP) is the minimum requirement for policy-based protection against BEC risk.
The AUP includes general security best practices and should pay special attention to phishing and BEC prevention guidelines, which include: don't click on suspicious file attachments or links, don't disclose sensitive information to third parties, scrutinize invoice payment and payroll change requests, report suspicious attacks, and more.
2. Determine the frequency of security awareness training
As with the AUP, security awareness training should also be mandated by the BEC policy as a key part of the onboarding process. However, the policy should also stipulate that employees are trained regularly throughout their employment. As cybercriminals' tactics continue to evolve, businesses should review and update the training at least every four to six months. Businesses can consider tools that help automate these training sessions.
Security awareness training updates not only provide valuable alerts on security threats and intensive instruction on how to identify the different stages of BEC attacks, but also give employees an important opportunity to understand how these attack techniques have changed since the last training. "Businesses need to regularly update employees on evolving BEC threats and policies through security awareness training programs, and simulation testing and other audits need to be part of these regular updates," said D**id Derigiotis, Chief Insurance Officer at Embroker, a business and cyber insurer.
3. Mandatory BEC Specific Incident Response Plan
Corporate boards and CEOs should require CISOs to include procedures for BEC in their incident response (IR) plans, and companies should have policies requiring security teams to regularly update these IR plans and test their effectiveness. Legal experts should be involved in all phases of the incident response, and the legal department should be particularly involved in internal and external stakeholder communication to ensure that the company does not increase its legal liability in the event of a BEC attack.
Reiko Fe**er, Partner at Culahne Meadows, said: "Any breach can entail legal liability, so it's best to discuss it before the breach and plan ahead as much as possible."
Fe**er recommends that the BEC policy document provide for the legal department to be part of the threat modeling team that analyzes the potential impact of different types of BEC attacks, in order to incorporate legal professional perspectives into the response plan. "In addition, leaked or exposed information about business partners, customers, personnel, etc., including confidential information, may have legal consequences, which should also be considered when developing an IRP and when actually responding to actual violations," she said.
4. Rules prohibiting the sharing of org charts and other operational details
BEC scammers often use their knowledge of an organization's inner workings to target specific employees with account takeover attacks, make credible requests to victims, or devise very convincing social engineering methods.
Stephen Spadaccini, CTO and Chief Product Officer at Safeguard Cyber, said: "Businesses should remove the org chart and other details from the company**. Job descriptions where hackers may use this information to carry out targeted phishing scams; avoid posting detailed personal information on social networks that will fall into the hands of those who are ready to implement personalized social engineering**."
5. Invoices and Financial Transaction Agreements
The key strategy for preventing BEC from causing huge losses is technology agnostic: it focuses on establishing an unbreakable business standard and process for processing invoices and triggering financial transactions.
"This means applying defense-in-depth to business practices across the enterprise, not just cybersecurity," said Chris Reffkin, CISO at Fortra. "For example, if you receive a request to change your payment information via email, what is the response of the business process?"
Ideally, these policies should require that all payments be traced back to an approved invoice with a verified payee name, address, and payment instructions. Roger Grimes, defense expert at KnowBe4, advises: "Any request for provisional payment must be formally reviewed before the payment is issued. Require all payment instruction changes to be verified using a legal channel before approval."
It is important to note that strong policies can neutralize the sense of urgency and fear that attackers exert on employees (social engineering attacks), especially when attackers impersonate executives or superiors to make unusual requests. A strong policy protects employees who are "disobedient" to such requests and strictly follow the rules.
6. Out-of-band verification of high-risk changes and transactions
Within invoicing and financial transaction policies, businesses should pay particular attention to how they verify and approve high-risk transactions and changes to financial accounts. Igor Volovich, Vice President of Compliance Strategy at Qmulos, said: "It is critical to implement a rigorous process for verifying financial transactions and data requests. This is a key defense against BEC attacks, ensuring that every request is thoroughly reviewed. Embedding these processes into day-to-day operations can create a strong defense mechanism."
An important way for businesses to defend against BEC is to ensure that any high-risk action triggered via email is followed up through some sort of out-of-band verification process (which can be **, via a security system, or SMS).
Robin Pugh, CEO of DarkTower, emphasized: "This is one of the most important policies. Never change your payment details based solely on an email request. Whenever payment information or bank information changes are requested via email, a policy should be in place that requires the recipient to always contact the requestor using a trusted *** voice message." Adding a second approver to high-risk transactions further reduces risk and reduces insider threats, Pugh said.
Troy Gill, senior manager of threat intelligence at OpenText Cybersecurity, warns that attackers can lurk in compromised mailboxes, waiting for an opportunity to intervene when a payment takes place. Even if the contact provides legitimate documents via email, they should be supplemented with out-of-band verification. "In many cases, an attacker will tamper with a previously sent legitimate document to replace the receiving account number with an [attacker-controlled] account," Gill explains. "Therefore, it is crucial that all changes are confirmed outside of the email thread."
7. Request Register Process
For some organizations, a policy requiring ad hoc out-of-band** calls may not be strict enough to reduce BEC risk. Trevor Horwitz, CISO and founder of TrustNet, explained that one strategy that takes verification to the next level is to establish an internally secure "request register" through which every request to exchange or change sensitive information must pass.
"Due to the dual threat of spoofed emails from outside and compromised emails from inside, preventing BEC requires a broad strategy. We advocate for a novel strategy inspired by 'positive pay' fraud prevention in the financial services sector," Horowitz said. "This policy requires active verification with assisted methods for all sensitive information exchanges and changes, including payee, bank information, accounts receivable, and employee data. The mechanism includes an internally secure 'request register' that ensures positive verification prior to any information exchange or modification."
With this policy and methodology, every sensitive request is registered in a centralized system and then approved through a second factor, whether a one-time password (OTP) or a hardware security key (e.g., FIDO2). "Users are trained to validate sensitive requests through this register before disclosing information or making changes," Horowitz told CSO.
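As an added illustration of sections 5 through 7 (not code from the article or from any of the quoted vendors), the following hypothetical register models the policy flow: a payment is only released if it matches the verified payee record, and a request to change bank details that arrives by email is recorded, confirmed on a different channel, and approved by a second person before it takes effect. Class and field names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Payee:
    name: str
    bank_account: str  # verified payment instructions on file (constructed sample data)

@dataclass
class ChangeRequest:
    payee: str
    new_account: str
    requested_by: str
    channel: str                  # channel the request arrived on, e.g. "email"
    oob_confirmed: bool = False   # confirmed on a trusted channel outside the thread
    approvers: set = field(default_factory=set)

class RequestRegister:
    """Hypothetical register: changes are recorded, verified, then applied."""
    def __init__(self, payees):
        self.payees = {p.name: p for p in payees}
        self.requests = []

    def register_change(self, payee, new_account, requested_by, channel):
        if payee not in self.payees:
            raise ValueError("changes are only accepted for approved payees")
        req = ChangeRequest(payee, new_account, requested_by, channel)
        self.requests.append(req)
        return req  # nothing on file has changed yet

    def confirm_out_of_band(self, req, channel):
        # Replying on the same channel (the email thread) proves nothing if the
        # mailbox is compromised; verification must use a different trusted channel.
        if channel == req.channel:
            raise ValueError("verification must use an out-of-band channel")
        req.oob_confirmed = True

    def approve(self, req, approver):
        if approver == req.requested_by:
            raise ValueError("second approver must differ from the requester")
        req.approvers.add(approver)

    def apply(self, req):
        if not (req.oob_confirmed and req.approvers):
            return False  # still pending; the old record stays in force
        self.payees[req.payee].bank_account = req.new_account
        return True

    def payment_allowed(self, payee, bank_account):
        # An invoice whose account differs from the verified record is not paid.
        p = self.payees.get(payee)
        return p is not None and p.bank_account == bank_account
```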
8. Open reporting mechanism
Policies, culture, and processes need to focus on open reporting that makes it easy for employees to report unusual requests without fear of punishment for misjudgment. "It's important to make sure employees aren't afraid to report suspicious incidents," Fe**er said. "The sooner it is reported, the easier it is to resolve, but scared employees may be reluctant to admit mistakes."
Businesses need to establish documented procedures and mechanisms for reporting suspicious incidents, and should reward reporting and prevent mistakes rather than punish them. "To increase incentives, I propose to establish a reward system, such as a prize pool or gift card, for people who successfully identify and block BEC attack attempts," Gill said. "This will help foster a defensive mindset and a zero trust mindset, and they need to know how to do it securely."