How organizations combat business email compromise

This type of cybercrime remains one of the most common and potentially damaging. Here’s why your people are key to a frontline defense.

Key takeaways:

  • Educate all employees to exercise skepticism when they receive an unusual request via email, even when the email appears to come from someone they report to or know.
  • Encourage all employees to never bypass identity access controls or share their login credentials.
  • Remember that fraudulent emails and email scams may be the first step in complex cybercrime campaigns, such as ransomware or theft of valuable company data.

Business email compromise (BEC) is a specialized phishing technique that targets individuals with the intent of tricking them into sending money or sharing sensitive information. It remains one of the most lucrative types of cybercrime, with losses reaching almost $3 billion in more than 21,000 cases reported to the FBI in 2023.1


The methods perpetrators use in BEC have changed as technology and business processes have evolved. But this crime still depends on establishing and exploiting trust. Perpetrators may impersonate someone inside the target's own organization (often a boss or senior executive), an outside consultant such as legal counsel, or an established vendor or customer. They use persuasive social engineering tactics to convince people of their identities and of the legitimacy of their requests.


Developments in artificial intelligence (AI) and account hacking have made some BEC scams very difficult to detect. But the best defense is still a workforce that is alert to this persistent threat and able to balance efficiency with security objectives.

Common BEC frauds

Criminals often tailor their BEC scams to the organization and individuals they target by adding highly specific details based on internet research. However, most scams fall into these broad categories:


Invoice and payment scams. The criminal impersonates a vendor or customer and requests payment on an outstanding invoice or that future payments be sent to a new account. The email may contain a malicious link or attachment that can direct the recipient to a phishing site or download dangerous malware.


Urgent request from a supervisor. An employee receives an email appearing to be from their supervisor or a top executive, requesting they immediately send a gift or payment to a recipient. In some cases, the criminal may first request switching over to texting or even video conferencing before they make the request. They may then deploy AI to generate text or video feeds to make the interaction even more convincing.


Whaling. This is a campaign that targets a specific, high-level executive for financial gain, data theft, or to inflict reputational damage on the person or company. Many begin via BEC tactics.


Data requests/theft. The scammers may request personally identifiable information (PII) belonging to employees or customers, which they use to conduct subsequent financial scams that target those individuals.


Commodities requests/theft. Scammers pose as purchasing departments for established vendors, make large purchases on credit and arrange for shipment of goods that are never paid for.


Whatever the method, the criminals count on the email recipient being fooled, or not noticing that something about the email's origin or its intended recipient is unusual. That is the point at which the social engineering, or coercion, begins.

How to help protect your organization from BEC

As with every type of cybercrime, there is no absolute defense against BEC. But a combination of tools, enforced policies and employee engagement can minimize the risks. Specific defenses can include:


Investing in email filters. Sophisticated BEC attempts can evade even the best security tools, especially since generative AI has enabled scammers to produce more convincing and error-free text. However, email scanners and filters can sometimes detect mail from spoofed accounts and flag anomalous communications for independent review.
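The kind of anomaly check described above (spotting a sender that only looks like a trusted party, and holding the message for independent review) can be expressed as a few simple rules. The following is an added example, not code from the original article or from any particular email security product; the internal domain, the executive name and address, the vendor domain, the keyword lists and the "two cues or one structural cue" threshold are all constructed assumptions, as are the three sample messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions for this example, not from the article).
INTERNAL_DOMAIN = "example.com"
KNOWN_PEOPLE = {"jane doe": "jane.doe@example.com"}       # display name -> genuine address
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "acme-supply.com"}     # own domain plus established vendors

# Language cues seen in the fraud categories the article lists (urgency, payment changes, gift cards).
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|before end of day)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"(new (bank )?account|updated? (bank|banking|payment|wire) (details|instructions)|gift cards?)",
    re.I,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. 'supp1y' for 'supply')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def bec_indicators(raw_message: str) -> list:
    """Parse one RFC 822 message and return the BEC cues it exhibits."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    found = []
    # A familiar display name on an unfamiliar address is the classic "boss on a webmail account" pattern.
    known = KNOWN_PEOPLE.get(from_name.strip().lower())
    if known and known.lower() != from_addr.lower():
        found.append("display_name_impersonation")
    # Replies silently routed to a different domain than the visible sender.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        found.append("reply_to_mismatch")
    imitated = lookalike_of(from_domain)
    if imitated:
        found.append(f"lookalike_domain:{imitated}")
    if URGENCY.search(text):
        found.append("urgency_language")
    if PAYMENT_CHANGE.search(text):
        found.append("payment_change_request")
    return found


STRUCTURAL = ("display_name_impersonation", "reply_to_mismatch", "lookalike_domain")


def triage(raw_message: str) -> str:
    """Hold a message for human review when sender identity is suspect or several cues stack up."""
    found = bec_indicators(raw_message)
    if any(f.split(":")[0] in STRUCTURAL for f in found) or len(found) >= 2:
        return "hold_for_review"
    return "deliver"


# Constructed sample messages (not real traffic).
EXEC_IMPERSONATION = """From: Jane Doe <jane.doe.ceo@freemail.example>
To: pat@example.com
Subject: Urgent - need this done quietly
Content-Type: text/plain

Pat, I'm in a meeting. Please buy gift cards for a client and send me the codes immediately.
"""

VENDOR_LOOKALIKE = """From: Accounts <billing@acme-supp1y.com>
Reply-To: billing@acme-supp1y.com
To: ap@example.com
Subject: Updated wire instructions for invoice 4471
Content-Type: text/plain

Please note our new bank account for all future payments. Details attached.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: pat@example.com
Subject: Q3 offsite agenda
Content-Type: text/plain

Attached is the draft agenda. Comments welcome by Friday.
"""

if __name__ == "__main__":
    for label, sample in (("exec", EXEC_IMPERSONATION), ("vendor", VENDOR_LOOKALIKE), ("benign", BENIGN)):
        print(label, triage(sample), bec_indicators(sample))
```

The structural cues (impersonated display name, mismatched Reply-To, lookalike domain) are treated as sufficient on their own because they concern who is really sending the message; wording cues such as urgency only count when they stack, since genuine colleagues also write "urgent" in subject lines. Whatever a filter flags still goes to a person for review, which is the point the article makes: the tool narrows attention, the employee verifies.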


Deploying and maintaining strong identity access and account privilege management. Identity and access management (IAM) and privileged access management (PAM) make it more difficult for unauthorized users to exploit stolen credentials to initiate BEC attempts. Used in conjunction with multifactor authentication (MFA) or biometrics, these protections can be effective, provided organizations don’t set and forget them. Regular review and enforcement of these policies are critical.


Redundant payment approvals. Anomalous requests or changes to payment information should require extra layers of review and approval.


Employee training and awareness. Any successful BEC attempt depends on eluding controls or deceiving an employee. Organizations should regularly train all employees (especially key employees such as those responsible for accounts payable and receivables) and make awareness of BEC and cyberthreats a part of company culture.


BEC is likely to persist in a business environment that depends on speed, convenience, and friction-free transactions between vendors, customers and partner organizations. A key to a strong defense is encouraging every employee to slow a process down when they notice anything unusual about an email communication. “Trust but verify” is still advice that supports strong cybersecurity fundamentals and good business outcomes.