The Rise of Business Email Compromise Demands a New Approach to Securing Email

CIOdive.com recently published a guest article by Gartner that draws on analyst insights from Gartner’s “Top 10 Security Projects for 2019.” Half of the projects listed are new (enterprise adoption at less than 50%) or modified projects from last year.

When setting the technology strategy for an organization, Chief Information Officers (CIOs)—who don’t have a Chief Information Security Officer (CISO) counterpart—need to consider their strategic initiatives against the backdrop of a constant stream of emerging threat vectors and bad actors. It’s in this context that annual lists by industry analysts such as Gartner can be helpful. While of course such lists need to be considered through the individualized lens of a given company’s risk profile and tolerance, Gartner’s annual “Top 10 Security Projects for 2019” can help CIOs focus on security initiatives that will mitigate the most risk and have the biggest business impact.

This year, Gartner says that organizations who struggle with phishing attacks and poorly defined business processes could benefit from a business email compromise (BEC) project. To round off this recommendation, protecting against today’s sophisticated email threats like BEC demands a more comprehensive approach to email security. With concerted efforts to tackle the problem from different angles—automated detection, defined business processes, and active user engagement—combatting BEC is manageable.

BEC attacks are a dangerous combination of low-tech tools and high-quality skills

The most damaging type of phishing attack is business email compromise. BEC attacks come in many different forms: While some are built on account hijacking and credential theft, with scammers taking control of key accounts to impersonate CEOs, attorneys, business partners, etc., many don’t require any hacking. From a security standpoint, the most complex type of BEC relies on the social engineering of key employees to trick them into wiring funds or sharing confidential information.

The right mix of filtering, blacklisting, and email validation like DKIM and SPF can stop most volumetric phishing attempts, but BEC attacks are typically much more targeted and therefore difficult to identify. They’re so successful (and dangerous) because they’re designed to trick employees into forgetting basic security precautions and break down psychological defenses. BEC scams aka “CEO fraud” or “door-knock” attacks are more versatile and adaptive than the more traditional phishing or malware-based scams. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the scammers trick the victim into doing that for them.

The FBI reported a 136% increase in losses related to BEC, which now account for more than $12.5 billion in losses globally.

Go beyond malware

Regardless of the methods used, BEC attacks present a unique challenge for organizations and the security firms they rely on to protect them. Historically, email security has focused on perimeter defense, flagging nuisance spam messages that clog inboxes and blocking malicious software sent as email attachments. BEC attacks typically don’t rely on malicious attachments; their content is usually familiar, conversational not the kind of language that can easily be flagged without also generating a huge number of false positives.

To stand a chance against the most prevalent threats targeting employees’ inboxes today, we must transform the way we approach email security by combining technology, business processes, and individual users. If we approach securing email with a layered solution that encompasses:

  • detection capabilities, while also promoting adherence to business processes designed to mitigate risk,
  • incident response tools and procedures that minimize the impact of the threats that are guaranteed to make it past initial screening,
  • And finally involving individual users and empowering everyone to act from the front lines.

People are not the weakest link. Investing in a BEC project that examines perimeter technical controls and ensures a better understanding of process breakdowns is vital, but if you don’t also include regular employee engagement into the mix—your project is doomed to fail. Educating employees so that they are less likely to fall victim to these scams won’t protect against all social engineering attacks, but it will help.

Next steps

Here are several things security teams, and you, can do now (if you haven’t already) to help protect against BEC and other phishing attempts:

  • Set up SPF and DKIM to ensure that all your (valid) mail is at least being signed properly.
  • Implement strong authentication and DMARC across all the domains you own, blocking direct spoofing.
  • Be wary of irregular emails that are sent from the board or C-level executives, as they are used to trick employees into acting with urgency. Review all emails that request transfer of funds to determine if the requests are irregular.
  • Adopt a different mindset when it comes to your employees. Users are not the weakest link. Turn your employees into security assets by re-enforcing security hygiene.
  • Go beyond security awareness training and research security solutions that provide employees with digestible insight into every email to provide stop-light visibility into sender’s trustworthiness and evaluate the risk of embedded link within an email.
  • Provide a simple procedure for employees to report a phishing attack to IT or the security team.

Changing our mindset to recognize email security as a layered approach, rather than a point-in-time gateway, will allow us to limit risk exposure. Some attacks will inevitably break through the perimeter of our inboxes, but if we arm end users with contextual security awareness training everyone can become an integral part of keeping our organizations secure from phishing scams.

GreatHorn’s cloud-native, email security platform protects Microsoft 365 and Google Workspace customers from both traditional malware threats and the sophisticated phishing attempts like business email compromise. In one Fortune 500 company, we identified more than 50,000 threats (BEC, credential theft attacks, malicious links, and more) that were missed by both a traditional secure email gateways and Microsoft ATP. In addition to preventing threats from reaching users, we also protect threats at every other vulnerability point giving users context to help them make better decisions, warning against suspicious links, and enabling admins to bulk remove malicious emails from user inboxes.

Get Your FREE Email Threat Assessment

Learn what advanced threats are currently getting through your existing email security and into your end users’ mailboxes.