Increase in Business Email Compromise (BEC) Attacks Prompts New Guidance from National Cyber Security Centre

The sophistication of Business Email Compromise (BEC) attacks means that cybercriminals are gaining access to more sensitive data, necessitating stronger defenses from businesses.

In response, the National Cyber Security Centre (NCSC) has recently issued new guidance for businesses on the threat posed by BEC attacks. These sophisticated attacks have seen significant success in recent months, highlighting the need for businesses to be better prepared to counter the threat.

BEC is a form of phishing, but unlike most phishing campaigns, which are generic and broad, BEC attacks are tailored to specific individuals within an organization and are extremely convincing. General phishing takes a scattergun approach, sending millions of emails in the hope that a few unsuspecting recipients will open them and act on them; BEC requires far more investment from the criminals. They tend to target "big fish," typically senior executives or employees who can authorize payments or who have access to particularly valuable data.

The NCSC's new guidance encourages firms to reduce their digital footprint by limiting the amount of publicly available information about senior executives. It also recommends training staff to recognize BEC attempts, setting up two-step verification (2SV), restricting the number of employees who can make significant payments without further authorization, and planning for the worst by preparing to respond robustly to a successful BEC attack.
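Two of those recommendations, a second authoriser for significant payments and 2SV for the person approving them, can be expressed as a policy check in a finance workflow. The following is an added illustration, not code from the NCSC, Northdoor or any product; the role names, the threshold, the request fields and the rule that an emailed payment instruction must be confirmed out of band before release are all assumptions made for the example.

```python
"""Added example: a payment-release policy check in the spirit of the NCSC advice.

Assumptions (not from the original page): the £5,000 single-sign limit, the
staff names, the request fields, and the out-of-band confirmation rule for
instructions that arrived by email.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PaymentRequest:
    requester: str                  # staff member who raised the payment
    amount_gbp: float
    beneficiary: str
    requested_via: str              # channel the instruction arrived on, e.g. "email" or "finance_portal"
    approver: Optional[str] = None  # second authoriser, if any
    approver_passed_2sv: bool = False
    confirmed_out_of_band: bool = False  # requester called back on a known number (assumption)


@dataclass(frozen=True)
class Policy:
    single_sign_limit_gbp: float = 5_000.0
    authorised_payers: frozenset = frozenset({"alice", "bob"})
    authorised_approvers: frozenset = frozenset({"carol", "dan"})


def evaluate(req: PaymentRequest, policy: Policy = Policy()) -> List[str]:
    """Return the reasons the payment must be held; an empty list means it may be released."""
    holds: List[str] = []

    # Only a small, named set of staff may initiate payments at all.
    if req.requester not in policy.authorised_payers:
        holds.append("requester is not an authorised payer")

    # Above the single-sign limit a distinct, authorised, 2SV-verified approver is required.
    if req.amount_gbp > policy.single_sign_limit_gbp:
        if req.approver is None:
            holds.append("above limit: second authoriser required")
        elif req.approver == req.requester:
            holds.append("approver must differ from requester")
        elif req.approver not in policy.authorised_approvers:
            holds.append("approver is not an authorised approver")
        elif not req.approver_passed_2sv:
            holds.append("approver has not completed 2SV")

    # An instruction that arrived by email is exactly the BEC pattern, so it is
    # never released on the strength of the email alone (assumed rule).
    if req.requested_via == "email" and not req.confirmed_out_of_band:
        holds.append("emailed instruction: confirm with requester out of band before release")

    return holds


def can_release(req: PaymentRequest, policy: Policy = Policy()) -> bool:
    return not evaluate(req, policy)


if __name__ == "__main__":
    # Constructed sample: a large transfer requested by "the CFO" over email.
    suspicious = PaymentRequest("alice", 48_000.0, "New Supplier Ltd", "email")
    for reason in evaluate(suspicious):
        print("HOLD:", reason)
```

The check is deliberately additive: each failed rule is recorded rather than short-circuiting, so the finance team sees every reason a transfer was held and the audit log shows which control actually stopped a given request.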

Whilst this guidance is useful, it also adds to the workload and budget expenditure of IT and security teams that are already overstretched by a growing threat landscape and shrinking budgets, as AJ Thompson, CCO at Northdoor plc, explains.

“In the face of an increasingly sophisticated threat, this new guidance from the NCSC makes complete sense. Businesses must be aware of what this threat now looks like, and employees need to be educated.

“Variations of BEC have been grabbing the headlines. We recently saw cybercriminals successfully get their hands on £20m after an employee at Arup was duped by a digitally recreated version of the company’s CFO via a video conference. This level of sophistication is rare but does highlight the level of investment that cybercriminals are willing to invest to get huge pay-offs.

“The more common approach is an email from a senior executive. Everything about it will look authentic, but a request for a money transfer or access to data will be made somewhere in the conversation. If convinced, the employee will do as their ‘senior manager’ has asked of them and be none the wiser until the money is missed or the data leaked.

“Much of the advice from the NCSC is common sense. Reducing the amount of information about senior executives available online makes the job of making a convincing replica all the more difficult. Two-step verification also adds complexity for cybercriminals and reduces the number of employees who can make large payments.

“The most critical piece of guidance, though, is the education of team members. After all, employees are targeted by BEC, so ensuring that they understand what a potential BEC attack looks like and how to effectively deal with anything suspicious immediately nullifies the threat.

“However, much of this guidance, whilst important, is simply adding to the already substantial workload of IT and security teams. This is also often in the shadow of reducing budgets. It is clear that BEC now represents a real threat to businesses, but without the adequate resources to counter it, businesses are stuck. Some are turning to consultancies that can offer the expertise that might be lacking internally, as well as the assurance that threats will be dealt with, staff educated and a worst-case-scenario business continuity plan put in place. Taking the onus off already stretched internal teams is a good way of ensuring BEC attacks do not slip through the gaps whilst empowering staff to identify and deal with potential threats,” Thompson concluded.