Peak vacation season Business Email Compromise caution from BSI
The cybersecurity and information resilience team at BSI is advising organisations to remain alert to an increase in Business Email Compromise (BEC) attacks during the peak vacation season. A recent report revealed that almost half of organisations have at least one compromised account, underlining how important it is for organisations to have proper email security governance and controls in place.
It is estimated that between 2016 and 2019, BEC attacks caused financial losses of $26.8bn internationally. In the US, the FBI anticipates a rise in Business Email Compromise schemes related to the Covid-19 pandemic. Since 96% of data breaches start with an email, organisations need to implement robust email security solutions that can detect and stop email threats in order to maintain their information resilience.
Stephen Bowes, global practice director for information and security technologies at BSI, explains: “Many organisations are in a vulnerable position as remote working continues and annual leave peaks. Attackers are using this opportunity to try and impersonate an employee’s colleague or senior executive to gain sensitive company information. With email phishing, an attacker relies heavily on social engineering tactics to identify HVTs (High Value Targets) and they can be anyone in an organisation, from the accountant, or HR executive, to a high-profile individual such as the CEO. The current threat landscape shows that cyber criminals are targeting individuals, not infrastructure, making it vital for organisations to take a people-centric approach right now.”
“Working with our clients and analysing both the industry and recent incidents, securing your email is one of, if not the, single most important steps that organisations need to consider. Doing so will mitigate most inbound attacks and reduce an organisation’s surface attack area. I would also encourage businesses to implement an awareness and training program so that users can learn to spot and report malicious emails.”
The increase in social engineering means that everyone needs to be mindful of what is posted on social media too. The recent Twitter hack is a prime example of how compromised accounts can be used for financial gain. Joe Pierini, head of testing for the US, warns: “This time it was for bitcoins, but the next attack could be to influence a stock price or even an election.”