Awareness

Business Email Compromise Simulations: Tools & Real Examples

Eng. Donya Bino · 4 min read

Business Email Compromise (BEC) is a growing risk in which a cybercriminal impersonates an executive or vendor and tricks employees into sending funds or divulging confidential information.
1. BEC exploits the trust of the targeted individual rather than weaknesses in technology.
2. BEC can target anyone, from small businesses to global enterprises.
3. The damage can include heavy financial loss, reputational harm and regulatory penalties.

For executives, board members and senior management, BEC is not just an IT problem; it is a significant business risk.

The Real-World Effect of BEC
The examples below illustrate how widespread BEC is and what the outcome can be.
1. Toyota Boshoku (2021): Approximately $37 million was stolen through BEC after emails from a fake vendor requested a wire transfer.
2. Ubiquiti Networks (2015): $46.7 million was taken from the company through fraudulent BEC emails impersonating the CEO.
3. FACC (Austrian aerospace company, 2016): Approximately $50 million was lost to BEC through fake executive emails.
4. Smaller businesses often suffer significant losses of tens of thousands of dollars, showing that no business is immune.

The above examples demonstrate the importance of taking preventative steps against BEC.

BEC Simulations
BEC simulations are exercises that train employees to recognize and handle BEC attempts as if they were real. They are run in a controlled manner to give employees the skills to:
1. Identify suspicious email requests.
2. Verify any email request before taking action.
3. Immediately report any BEC incident to the security team.

We can think of BEC simulations as an email version of a fire drill; the intent is to increase employee awareness and prepare them for handling BEC attempts.

Why Should Executives Care About Business Email Compromise?
1. Financial protection: early detection of BEC can protect the business from large losses to wire transfer fraud.
2. Reputational protection: it demonstrates to customers that you are protecting their trust, and to shareholders that you are protecting their investment.
3. Regulatory compliance: being responsive to customers when they have an issue shows that you are proactively managing and mitigating risk.
4. Culture of security: it builds a culture in which your organization is aware of and alert to potential attacks on your people and your business.

Tools to Simulate BEC and Build BEC Preparedness
To run effective, measurable and safe simulations, you need the right tools:
1. KnowBe4: Lets you build realistic BEC and phishing simulation campaigns, with reporting dashboards to track campaign results.
2. Cofense PhishMe: Provides targeted BEC simulation programmes that let you check your employees' readiness against BEC attacks.
3. Barracuda PhishLine: Custom BEC simulation campaigns with long-term performance tracking.
4. Microsoft Defender for Office 365: Built-in BEC and phishing simulation capabilities.

Free Resources Available
1. FTC Business Guidance: Offers tips on detecting fraud and reporting suspicious emails.
2. StaySafeOnline.org: Provides employee resources for awareness of email scams.

Here are the steps to running an effective simulation program:
1. Know the reason for your simulation program and what you hope to accomplish.
2. Choose the simulation approach that best fits your needs: a consulting organization, or a reputable cyber security simulation platform (cloud provider).
3. Before scaling up to every department, run one small-scale pilot exercise. (A single department allows a controlled approach to gathering employee feedback, collecting data and analyzing employee reactions.) This information can then be used to refine employee training material and to develop a comprehensive organizational training plan.
4. After completing the simulations and gathering the data, analyze employee reactions against the success parameters you established.
5. Provide personnel with training on recognizing social engineering and phishing attacks, and give them resources that support the correct response.
6. To keep pace with evolving cyber criminal strategies, conduct simulations on an ongoing basis.
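A worked example of the analysis in step 4, added here and not taken from the original article or from any of the vendor tools above: it scores a constructed pilot campaign per department. A BEC lure has no link to click, so the risky outcome tracked is a reply; the employee names, departments, event timings and pass thresholds are all assumed sample values.

```python
"""Score a BEC simulation pilot from constructed campaign events.

Unlike link-based phishing simulations, a BEC lure carries no URL or
attachment; the risky outcome is that the recipient replies to or acts on
the request. Per department we track reply rate, report rate and median
time-to-report, then compare them with assumed success thresholds.
"""
from collections import defaultdict
from statistics import median

# Constructed sample events: (employee, department, action, minutes after send).
# "ignored" means no action was taken, so its timing is irrelevant.
EVENTS = [
    ("alice", "finance", "reported", 4),
    ("bob", "finance", "replied", 12),
    ("carol", "finance", "reported", 30),
    ("dave", "hr", "replied", 7),
    ("erin", "hr", "ignored", 0),
    ("frank", "it", "reported", 2),
]

# Assumed pilot success parameters (illustrative, not vendor defaults).
MAX_REPLY_RATE = 0.20   # at most 20% of recipients engage with the lure
MIN_REPORT_RATE = 0.50  # at least 50% report it to the security team


def score_campaign(events):
    """Return per-department metrics and a pass/fail against the thresholds."""
    by_dept = defaultdict(list)
    for _, dept, action, minutes in events:
        by_dept[dept].append((action, minutes))
    results = {}
    for dept, records in by_dept.items():
        total = len(records)
        replied = sum(1 for action, _ in records if action == "replied")
        report_times = [m for action, m in records if action == "reported"]
        reply_rate = replied / total
        report_rate = len(report_times) / total
        results[dept] = {
            "recipients": total,
            "reply_rate": round(reply_rate, 2),
            "report_rate": round(report_rate, 2),
            "median_report_minutes": median(report_times) if report_times else None,
            "passed": reply_rate <= MAX_REPLY_RATE and report_rate >= MIN_REPORT_RATE,
        }
    return results


if __name__ == "__main__":
    for dept, metrics in score_campaign(EVENTS).items():
        print(dept, metrics)
```

Departments that fail the thresholds are the ones to prioritise for the targeted training in step 5.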

Summary:
1. Business email compromise (BEC) is a type of phishing attack in which a human attacker carries out the attack through legitimate email.
2. Running BEC simulations helps create an environment in which employees detect and report suspicious emails.
3. Tools like Microsoft Defender for Office 365, KnowBe4 and Cofense can help you measure your overall readiness against BEC.
4. Continual testing and feedback, together with ongoing employee awareness programs, are the best way to reduce the risk of BEC and to demonstrate good governance against phishing attacks.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067