How to Stay Ahead of the Latest Business Email Threats

Email remains the most favoured channel for business communication, but cybercriminals have been relentless. They have honed their social engineering tactics to make them more nuanced and personalised.

Phishing continues unabated, but many people have become wise to it, and businesses have fool-proof safeguards in place. Cyber attackers, in turn, have upped their game and now focus on business email compromise (BEC), a form of social engineering attack.

In BEC attacks, the attackers send emails to the targeted victims. They use impersonation or compromised email accounts to trick victims into doing their bidding. These attacks leverage trust and familiarity to deceive the recipients.

How BEC attacks work

Threat actors execute BEC in different ways. The simplest is email spoofing, which forges messages so that they appear to come from the target company's domain. But since email filters now flag such messages with high accuracy, attackers often start with email account compromise (EAC) instead.

EAC is a type of phishing that compromises a legitimate email account. Attackers identify someone holding an important position, such as the CEO, CFO, or even a vendor. They launch a phishing attack against such targets and, if successful, take over their account. Next, they use these compromised accounts to launch BEC attacks against unsuspecting victims. The victims are always employees of the same company and often report to the impersonated superior.

Attackers also use innovative methods, such as adding a cc or reply-to address on a lookalike domain that differs from the legitimate address by only a character or two. They then carry on all future correspondence, including follow-ups, from that address, and the original, legitimate email account drops out of the discussion. Such tactics bypass the normal checks.

The different modes of execution

Scamsters execute BEC in different ways.

In a classic BEC attack, the attacker poses as a senior executive, such as a CEO, CFO, or vendor. They coerce the victim into performing actions that could lead to financial loss or a data breach. For example, they might request a wire transfer or extract sensitive information such as passwords.

Of late, attackers have been deploying invoice scams with increasing frequency. They impersonate external suppliers or vendors and request invoice payment to a new bank account. Such vendor email compromise has risen sharply because small vendors are easy targets for phishing, and threat actors can take over their accounts more easily than a CEO's account.

GenAI now enables attackers to create unique, personalised content quickly and without typos or grammar mistakes. Threat actors now have their own malicious versions of generative AI, such as WormGPT, and use these tools to launch sophisticated attacks with the right nuances to deflect suspicion.

The recent BEC attack on LYCON, an Australian cosmetics company, used AI. The attackers impersonated a business development manager who claimed that a mid-year audit had uncovered irregularities in the recipient's balance sheet, then stated that a system crash had hindered retrieval of the account statements. The attacker then urged the recipient to send any pending or outstanding invoices and rerouted payments to a new bank account.

How to thwart BEC attacks

BEC attacks exploit human frailty. Since they do not involve malware or technical vulnerabilities, they fall outside the radar of security tools. Only a people-centric defence can detect and prevent these types of attacks.

Take a proactive approach against phishing

Many BEC attacks start with phishing to compromise the sender’s email account. A proactive approach against phishing thwarts most BEC and related business email attacks.

Robust data governance can thwart most phishing attacks.

Applying the principle of ‘least privilege’ means the victim may be unable to fulfil the attackers’ requests. For instance, if the user account is not authorised to access or request fund transfers, the attack does not execute. Multi-factor authentication reduces the risk of account compromises.

Ensure DMARC protection

DMARC offers the most effective technical protection against email spoofing and related attacks.

BEC scamsters impersonate senior company officials or vendors. They adopt domain spoofing or register lookalike domains. DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email validation system. DMARC checks the domain in the sender's From: address against the authorisation records (SPF and DKIM) that the domain owner publishes in DNS. If there is no match, the domain owner's published DMARC policy tells the receiving server how to handle the email, typically to reject it.
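The following is an added illustration, not code from the article or from any vendor it mentions, of how a receiving mail server applies a sending domain's DMARC policy. DMARC builds on SPF and DKIM: a message passes when SPF or DKIM verifies and the verified domain aligns with the domain in the From: header the recipient sees. Every domain name, DMARC record and SPF/DKIM result below is constructed for the example; a real receiver fetches the record with a DNS TXT query for `_dmarc.<domain>` and produces the SPF/DKIM results itself.

```python
"""Added example: evaluate a message against a sending domain's DMARC policy.
All domains, records and authentication results here are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS: TXT records published at _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.partner.test": "v=DMARC1; p=none",   # monitoring only, nothing enforced
}


@dataclass
class AuthResult:
    """What the receiver learned from SPF and DKIM before consulting DMARC."""
    from_domain: str                        # domain of the visible From: header
    spf_pass_domain: Optional[str] = None   # MAIL FROM domain that passed SPF, if any
    dkim_pass_domain: Optional[str] = None  # d= of a DKIM signature that verified, if any


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill in the RFC defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment is the default
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels; real receivers
    consult the Public Suffix List so that example.co.uk is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the
    same organisational domain, so mail.example.com aligns with example.com."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain: str) -> Optional[dict]:
    """Try the exact domain first, then the organisational domain."""
    record = DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    if record is None:
        record = DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}")
    return parse_dmarc(record) if record else None


def evaluate(result: AuthResult) -> str:
    """Return the disposition: 'pass', the owner's policy ('reject',
    'quarantine', 'none'), or 'no-policy' if the domain publishes no record."""
    policy = lookup_policy(result.from_domain)
    if policy is None:
        return "no-policy"   # DMARC cannot protect a domain that publishes nothing
    dkim_ok = aligned(result.from_domain, result.dkim_pass_domain, policy["adkim"])
    spf_ok = aligned(result.from_domain, result.spf_pass_domain, policy["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    return policy["p"]   # the domain owner's requested handling of failures


if __name__ == "__main__":
    cases = {
        "legitimate, DKIM-signed": AuthResult("example.com", dkim_pass_domain="example.com"),
        "spoofed From:, SPF passed only for attacker's domain":
            AuthResult("example.com", spf_pass_domain="attacker.test"),
        "lookalike domain that publishes no DMARC record":
            AuthResult("examp1e.com", spf_pass_domain="examp1e.com"),
        "spoof of a domain that only monitors (p=none)":
            AuthResult("partner.test", spf_pass_domain="attacker.test"),
    }
    for label, case in cases.items():
        print(f"{label}: {evaluate(case)}")
```

Two of the constructed cases show the limits a practitioner should keep in mind: a lookalike domain the attacker registered is evaluated against its own (absent) record, not yours, so DMARC on your domain does nothing against it, and a domain that publishes `p=none` is monitored but never enforced. DMARC protects the domains you own only once they publish an enforcing policy.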

Train users

BEC attacks succeed only when the victims do the attackers’ bidding. Awareness training makes rank-and-file users aware of the potential scam and equips them to deny the attacker’s commands.

Equip employees to identify the tell-tale signs of a compromised email. Encourage them to be suspicious, especially when they see something unusual. Train them to ask probing questions, such as “Why would the CEO ask me to do this?” or “Why is the supplier not submitting the invoice through the regular channel?”

Promote a work culture where employees ask for clarification. Encourage them to forward suspicious emails to IT or check with a relevant colleague. Double-checking out-of-routine requests alone will eliminate almost all BEC scams.

Develop systems and procedures

Institute robust procedures for money transfers, invoice submission, and other critical processes. Most enterprises already have such processes in place. Safeguarding against BEC-type threats requires strengthening such systems and eliminating any loose ends. If a request arrives outside the system, the employee who would have to act on it can reject it outright.

Developing robust systems also ensures employees can resist pressure. Attackers may use sneaky methods to create a sense of urgency or assert authority to force their way.

Many employees succumb to such pressure or voices of authority. Scamsters may likewise time their campaigns around busy periods. For instance, if an HR manager or an accounts executive is busy with many things, they may not pause to consider whether a particular request is odd or suspect.

State-of-the-art platforms such as Proofpoint offer a multi-layered approach to thwarting email threats. The platform applies machine learning to detect various tell-tale threat indicators. It can identify:

  • Language patterns, such as the tone of the email and whether it uses the financial language normal for the enterprise.
  • Discrepancies between the display name and the actual sender address.
  • Whether the sender has emailed this recipient before.
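The following added example, which is not Proofpoint's code and not from the article, scores a message against the indicators just listed together with the lookalike reply-to trick described earlier. The enterprise domain, the executive directory, the sender history, the pressure-language wordlist and the three sample messages are all constructed for illustration; a real gateway would draw them from the directory and from mail-flow history.

```python
"""Added example: a heuristic scorer for common BEC indicators over message
headers. The directory, history, wordlist and sample mail are all constructed."""
import re
from email.utils import parseaddr

ENTERPRISE_DOMAIN = "example.com"
# Constructed: display names whose impersonation is high-risk -> real address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Constructed: (sender, recipient) pairs seen in past mail flow.
SEEN_PAIRS = {
    ("jane.doe@example.com", "bob@example.com"),
    ("billing@supplier.test", "bob@example.com"),
}
# Constructed: phrases typical of urgency or payment-redirection requests.
PRESSURE = re.compile(r"\b(urgent|immediately|asap|confidential|new bank account)\b", re.I)
# Characters commonly swapped into lookalike domains, mapped to the letter they mimic.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = ENTERPRISE_DOMAIN) -> bool:
    """True for a domain that is close to, but not identical to, the real one."""
    domain, legit = domain.lower(), legit.lower()
    if domain == legit:
        return False
    if domain.translate(CONFUSABLES) == legit.translate(CONFUSABLES):
        return True
    return levenshtein(domain, legit) <= 2


def score_message(headers: dict, body: str, recipient: str) -> dict:
    """Collect indicator hits; the score is simply how many of them fired."""
    findings = []
    display, sender = parseaddr(headers.get("From", ""))
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    sender_dom, reply_dom = domain_of(sender), domain_of(reply_to)

    # Display name claims an executive but the address is not that person's.
    real = EXECUTIVES.get(display.strip().lower())
    if real and sender.lower() != real:
        findings.append("display name impersonates an executive")
    # From or Reply-To sits on a lookalike of the enterprise domain.
    for label, dom in (("From", sender_dom), ("Reply-To", reply_dom)):
        if dom and is_lookalike(dom):
            findings.append(f"{label} domain is a lookalike of {ENTERPRISE_DOMAIN}")
    # Replies would leave the sender's domain (the cc/reply-to switch).
    if reply_dom and reply_dom != sender_dom:
        findings.append("Reply-To diverts replies to another domain")
    # No prior mail flow between this sender and this recipient.
    if (sender.lower(), recipient.lower()) not in SEEN_PAIRS:
        findings.append("first-time sender for this recipient")
    # Pressure or payment-change language in the body.
    if PRESSURE.search(body):
        findings.append("urgency or payment-change language")
    return {"score": len(findings), "findings": findings}


# Constructed sample messages: (name, headers, body, recipient).
SAMPLES = [
    ("routine", {"From": "Jane Doe <jane.doe@example.com>"},
     "Attached is the Q3 summary for your review.", "bob@example.com"),
    ("ceo fraud", {"From": "Jane Doe <jane.doe@webmail.test>",
                   "Reply-To": "jane.doe@examp1e.com"},
     "Urgent and confidential: I need a wire sent before noon.", "bob@example.com"),
    ("vendor payment change", {"From": "Supplier Billing <billing@supplier.test>",
                               "Reply-To": "billing@supplier-accounts.test"},
     "Please use our new bank account for invoice 4471.", "bob@example.com"),
]

if __name__ == "__main__":
    for name, headers, body, rcpt in SAMPLES:
        print(name, score_message(headers, body, rcpt))
```

The routine message scores zero, the executive impersonation trips every indicator, and the vendor message trips only the reply-to diversion and the payment-change language. Note what this kind of check cannot see: a message sent from a genuinely compromised account (the EAC case) carries the real address, passes the sender-history check and may use perfectly ordinary language, which is why the procedural controls below matter as much as the filtering.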

Automated responses deliver instant results, nipping any attacks in the bud.

Nearly three out of four data breaches rely on exploiting the human element.

Proofpoint’s human-centric cybersecurity halts business email attacks in their tracks, so enterprise users can email without having to watch their backs or worry about impending doom.
