Rise in business email compromise attacks sees National Cyber Security Centre issue new guidance
The sophistication of BEC attacks means that cybercriminals are gaining access to more sensitive data, and businesses have to up their defences.
The National Cyber Security Centre (NCSC) has recently issued new guidance for businesses on the threat from business email compromise (BEC) attacks. The sophistication of BEC attacks means that they have had a huge amount of success over recent months, and businesses must be better prepared to counter the threat.
BEC is a form of phishing, but whereas most phishing attacks are general and broad, BECs are tailored to individuals within organisations and are extremely convincing. More general phishing attacks rely on a scattergun approach, sending millions of emails in the hope that a few unsuspecting individuals open them. BEC, however, requires far more investment from cybercriminals and tends to target ‘big fish’, often senior executives or employees with access to particularly valuable data.
The NCSC’s new guidance encourages firms to reduce their digital footprints (reducing the amount of information about senior executives available publicly), train staff to identify such attempts, set up two-step verification processes, restrict the number of employees that can make significant payments without further authorisation, and plan for the worst, including how to be robust in the face of a successful BEC attack.
Whilst this guidance is useful, it also adds to the workload and budget expenditure of IT and security teams, which are already overwhelmed by the burdens of increased threats and reduced budgets, as AJ Thompson, CCO at Northdoor plc, explains.
“In the face of an increasingly sophisticated threat, this new guidance from the NCSC makes complete sense. Businesses must be aware of what this threat now looks like, and employees need to be educated.
“Variations of BEC have been grabbing the headlines. We recently saw cybercriminals successfully get their hands on £20m after an employee at Arup was duped by a digitally recreated version of the company’s CFO via a video conference. This level of sophistication is rare but does highlight the level of investment that cybercriminals are willing to invest to get huge pay-offs.
“The more common approach is for an email from a senior executive. Everything about it will look authentic, but a request for a money transfer or access to data will be made somewhere in the conversation. If convinced, the employee will do as their ‘senior manager’ has asked of them and be none the wiser until the money is missed or the data leaked.
“Much of the advice from the NCSC is common sense. Reducing the amount of information about senior executives available online makes the job of making a convincing replica all the more difficult. Two-step verification also adds complexity for cybercriminals and reduces the number of employees who can make large payments.
“The most critical piece of guidance, though, is the education of team members. After all, employees are targeted by BEC, so ensuring that they understand what a potential BEC attack looks like and how to effectively deal with anything suspicious immediately nulls the threat.
“However, much of this guidance, whilst important, is simply adding to the already substantial workload of IT and security teams. This is also often in the shadow of reducing budgets. It is clear that BEC now represents a real threat to businesses, but without the adequate resources to counter it, businesses are stuck. Some are turning to consultancies that can offer the expertise that might be lacking internally, as well as the assurance that threats will be dealt with, staff educated and a worst-case-scenario business continuity plan put in place. Taking the onus off already stretched internal teams is a good way of ensuring BEC attacks do not slip through the gaps whilst empowering staff to identify and deal with potential threats,” Thompson concluded.