Business Email Compromise (BEC) is one of those cybercrimes that can be embarrassing to talk about.
Because instead of some "random" employee getting phished, the victim of BEC is most often an executive or key member of the team. Someone who is smart and has authority... and got duped.
I just finished listening to our SecureWorld web conference on this topic, and wow, it was loaded with insightful and relevant information.
Proof the BEC threat is real and growing
Cyber lawyer Aravind Swaminathan is global co-chair of Orrick LLP's Cybersecurity & Data Privacy team. He shared insights that frame how crafty BEC attackers have become. And he proved that the risk of this type of spear-phishing attack is real.
“A client of ours had a brand new controller join the company. Within a week or two of getting there the controller began to get emails from who they thought was the CEO, about a confidential deal being worked on.”
The "CEO," who was really a bad actor, told this new controller it was great to have them on the team, that the company needed someone with that skill set, and that the CEO would soon be needing a series of transfers to get the confidential deal rolling.
"Over a course of time, the new controller wired out nearly $20 million to an account in Asia."
It's likely the bad actor did a few minutes of research on social media and saw this person was at a new company in a key role.
As I said, he painted quite a picture (and this was just a small part) that the risk of BEC is real and the costs are growing.
And BEC is no longer just about getting tricked into transferring money.
Swaminathan pointed to a new trend: class action lawsuits where employees sue their own company because phishing or BEC resulted in employee PII—often W-2s—getting stolen.
Know your attacker—who is behind BEC?
“Hackers are human beings, so although there may be many paths to get in, they’ll likely take the easiest way,” says Information Security Consultant Roy Wattanasin of NOC, LLC. And employees are often that path.
See more, on demand.
In the second part of the SecureWorld web conference, Wattanasin took a broad look at attackers and the steps they typically institute in an attack.
How do you mitigate BEC and phishing?
“You need to arm your users for battle, and a battle is what it is,” says KnowBe4's Erich Kron. He's been in InfoSec for 18 years.
“It takes a lot of effort to get past perimeters now, so attackers are really focusing on your employees to get the best ROI.”
He also says if you're going to create or enhance a security awareness program, you really should consider what he calls the "magic wand approach."
"If you could wave a magic wand and change three security behaviors among your organization's employees, what would they be?"
That will help clarify what you want to achieve. However, he says you must put this up against something crucial: your company culture and what it will tolerate.
We don't have time to go into all the best practices Kron shared or how to quantify your security awareness goals (which he talked about), but we liked this chart he showed about the difference KnowBe4 has tracked among its own customers.
“When you drop the phishing click rate from 27% to 2%, that is really powerful,” Kron says.
Indeed it is.
For all kinds of insights on the problem of BEC, knowing your attacker, and mitigation best practices, watch this SecureWorld web conference on demand.
