Business email compromise (BEC) and email account compromise (EAC) are high priority threats for organizations worldwide—and for good reason. According to the FBI’s Internet Crime Complaint Center’s just-released 2019 Internet Crime Report, Americans (both individual and business victims) lost more than $3.5 billion overall to internet-enabled crimes and scams in the last year. That’s a nearly 30% increase over 2018’s $2.7 billion in losses and the highest annual figure ever reported by the center. And almost half of that was due to BEC.
In 2019, BEC and EAC alone resulted in more than $1.7 billion in reported losses underscoring that email is the preferred channel for attackers and there has never been a more critical time to pay attention to these people-centric attacks.
Why Are BEC and EAC Attacks So Successful?
One truism links the most lucrative cyberattacks: nearly all target people. These days, the big money is not in hacking networks, but in exploiting trust. The trust employees have in each other, with their suppliers and business partners, in digital communication channels, and the trust brands have acquired over the years. Once lost, that trust is almost impossible to fully regain. For this reason, it’s crucial that companies stay on top of today’s formidable threat landscape. Let’s take a closer look some of the biggest offenders.
Business Email Compromise (BEC) refers to cybercriminals impersonating trusted people over email to gain access to company networks or convince an employee to wire funds and/or transfer sensitive data. To the average employee, these “trusted people” often take the form of the boss, CEO, HR executive, supplier or anyone else with the authority to access sensitive information and request payments. BEC complaints surrounding diversion of payroll funds increased in 2019, according to this most recent FBI report.
Email Account Compromise (EAC) plays on the same trust principle; however, EAC attackers compromise a victim’s email account and often send convincing emails cloaked as a real employee to orchestrate significant potential financial harm and data loss. With full access to the victim’s cloud account, these attackers profile their victims by monitoring email, track meetings with suppliers or customers, and access the corporate directory and files in file shares. When the time is right, the attackers send a fraudulent email requesting a wire transfer or sensitive data. Compromised accounts can go undetected for weeks or months, and attackers also often move laterally throughout the organization to conduct additional attacks that appear highly credible.
How to Protect Your Organization
Because BEC and EAC attacks target specific individuals as opposed to company networks, we recommend organizations prioritize a people-centric approach to security that protects all parties (their employees, customers, and business partners) against phishing, email fraud, and credential theft.
Advanced email protection. EAC attacks often start with phishing or malware designed to steal account credentials. BEC attacks, on the other hand, are malware-free, meaning there is no malicious attachment or link to detect. To effectively protect against BEC and EAC attacks, you need an email gateway that stops malware and non-malware threats. Detecting BEC or impostor attacks requires detailed, dynamic analysis of the content and context of all incoming emails to spot signs of fraud. This dynamic impostor classifier analyzes several factors including the sender’s reputation, email relationship history, email content, whether the display name matches the sending address (display-name spoofing) and more. Once message is classified, you can decide how to manage it – let it through, block it, or quarantine it.
Email authentication. Domain spoofing and lookalike domains are also common tactics used in BEC and EAC attacks. The best way to prevent attackers from hijacking your domain to send fraudulent emails to your employees, partners, and customers is implementing a global email authentication standard like DMARC. DMARC stands for “Domain-based Message Authentication, Reporting & Conformance” and gives you visibility and control over who is authorized to send email on your behalf. This identity verification layer can block all attempts to send unauthorized emails from your trusted domains, commonly known as domain spoofing. It can also provide monitoring and reporting on lookalike domain registrations.
Cloud security. Defending against BEC and EAC attacks requires controls across email and cloud applications. To prevent your people from sharing credentials on phishing sites, you need email protection that predictively sandboxes and blocks credential phishing links, isolates URL clicks based on the riskiness of the URL or the user, and provides visibility into the people most targeted with credential phishing. You also need to identify potential cloud account compromise by detecting brute-force attacks, identifying suspicious cloud account activity, and automating remediation of compromised accounts with forced password resets or requiring re-authentication.
Security awareness and training. Because BEC and EAC attacks use social engineering to target people, it’s critical to train your people to identify these attacks. Afterall, people are not only the last line of defense, but also your most important line of defense. Assess end-user vulnerability to impostor and credential phishing attacks using real-world threats and attack techniques. From there you can track who is responding to these simulated attacks, how they’re responding and train them accordingly. Give your people the knowledge and skills they need to protect your organization against these advanced attacks.
To learn more about how to protect people against BEC and EAC attacks, watch our How to Solve the $26 Billion Problem of BEC and EAC webinar. For more information on defending against identity deception tactics used in BEC attacks, be sure to read our Guide to Stopping Email Fraud. And for more information on Proofpoint’s email security solutions, please visit: https://www.proofpoint.com/us/products/email-protection/email-security-and-protection.