Understanding Business Email Compromise (BEC)
Business Email Compromise (BEC) is a targeted phishing attack aimed at specific individuals within organisations. Unlike broad phishing attempts, BEC focuses on high-value targets, such as senior executives or employees with access to sensitive data. Cybercriminals invest considerable effort in crafting convincing emails, making these attacks particularly dangerous.
The growing threat of BEC attacks
BEC attacks are becoming increasingly sophisticated. A recent incident involved a cybercriminal using a digitally recreated video of a CFO to trick an Arup employee into transferring £20 million. This case underscores the severe risks and evolving nature of BEC threats.
NCSC’s new guidance on Business Email Compromise (BEC)
The National Cyber Security Centre (NCSC) has issued new recommendations to help businesses combat BEC attacks:
- Reduce digital footprints: Limit the amount of public information available about senior executives to make it harder for cybercriminals to create convincing impersonations.
- Employee training: Educate staff to identify and handle BEC attempts, reducing the risk of successful attacks.
- Two-step verification: Implement two-step verification processes to add an extra layer of security.
- Restrict payment authorisations: Limit the number of employees who can authorise significant payments without additional checks.
- Prepare for the worst: Develop robust response plans for successful BEC attacks to ensure business continuity.
Challenges for IT and security teams
Implementing NCSC’s guidance is crucial but can strain already stretched IT and security teams. Businesses need to balance enhanced defences with the reality of limited budgets and resources.
The importance of employee education
Educating employees is vital since BEC attacks target staff. Training helps them recognise and respond to suspicious activities, significantly reducing the threat. Employees should understand how BEC attacks work and how to act promptly when they suspect one.
Understanding impersonation scams
Impersonation scams, a subset of BEC, involve criminals posing as trusted companies to steal sensitive information and money. Scammers may pretend to be third-party suppliers, utility companies, emergency services, or even your bank, using various tactics to deceive their targets.
How to stay safe from BEC and impersonation scams
1. Stay calm: Scammers often create urgency. Assess the situation carefully.
2. Verify contacts: Contact companies through official channels to ensure legitimacy.
3. Know your company’s policies: Understand how your organisation and bank communicate.
4. Use secure connections: Avoid public WiFi and use company VPNs.
5. Avoid remote access requests: Never grant remote access to your devices.
6. Trust your instincts: Stop interacting if something feels off.
The widespread impact of BEC and scams
Business Email Compromise and related scams affected over 19 million people in the UK last year. Victims lost an average of £1,700. These attacks can target anyone, regardless of age, education, or background.
Leveraging external expertise
Given the growing threat of BEC attacks, some businesses turn to consultancies for additional support. At Northdoor, expert consultants provide resources to manage BEC threats, educate staff, and ensure business continuity plans are in place. This approach helps alleviate the burden on internal teams and ensures comprehensive protection.
Conclusion
Business Email Compromise poses a significant threat to organisations of all sizes. By implementing strong security measures, educating employees, and staying vigilant, businesses can protect themselves from these sophisticated attacks. Remember, when it comes to BEC, prevention and preparedness are key to safeguarding your organisation’s assets and reputation.
Find out about Northdoor’s email security solutions, which reduce the risk of email-based hacking, phishing and ransomware.