What this graph reveals is that, between the two countries, only an average of 21% of BEC incidents were avoided from 2019 to 2021. “While ransomware attacks get the most attention, BEC attacks are quietly one of the biggest drivers of financial loss for companies,” Narang said.
Social engineering is the main technique attackers use against their victims, although BEC campaigns can also deliver malware to infect the organization.
Mario Cinco, architect of Kyndryl managed cybersecurity services, explained: “Statistics indicate that there will always be times when the business changes its processes, technology or acquisitions, or even fiscal year closings, holidays or other events, that an attacker can take advantage of to design messages that are easily seen as authentic and can gain information such as passwords, or lead the victim to malicious sites and files contaminated with malware.”
The main victims of BEC crimes
“These victims are companies of all sizes. For attackers, it’s about casting a wide enough net,” Narang shares. Attackers look for the personnel whose compromise yields the most value in the least time and with the least effort.
Cinco shared that attack campaigns of this type are carefully prepared and aimed at the personnel in charge of the most valuable information assets, such as finance, databases or information technology.
“There are variants that seek to compromise personnel closely related to the previous roles, such as management assistants, technical support or even relatives or friends of the victim, so that later, through these compromised accounts, they can carry out a more precise attack with greater chances of success against the organization’s most valuable accounts,” he adds.
How to avoid BEC attacks
“Effectiveness lies in asking where the organization’s most valuable information is located, what personnel and systems have access to it, what user accounts they use and what privileges they have, complemented by the degree of exposure to certain types of attacks,” says Cinco.
With that inventory, the organization can validate that the implemented controls are robust enough to detect and stop attacks: email authentication and message-validation technologies, and staff training so that employees can rule out communications from false sources, verify the authenticity of a message, recognize the red flags that indicate a forged message, know which communications would legitimately arrive by email, and know which actions they must never carry out regardless of a request from an executive or from support personnel.
Narang adds that one of the main points of vulnerability is the urgency factor, used to apply additional pressure on the victim. “If the CEO says a transfer is urgently needed to close a deal, that can force the victim to ignore some of the more obvious red flags.”
For this reason, training employees to detect and report possible BEC attempts can be the first layer of defense.
Finally, Narang recommends that organizations put a process in place to act as a barrier, especially when money is involved: an urgent transfer request would have to be reviewed and approved by key stakeholders, and a more direct line of communication established with the requesting party, whether a senior member such as the CEO or an external provider.
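The red flags the controls above are meant to catch (an executive’s display name paired with an outside or lookalike sender address, a Reply-To pointing to a different domain, SPF/DKIM/DMARC results that did not pass at the receiving gateway, and the urgency-plus-payment wording Narang describes) can be scored automatically before a message reaches an employee. The following Python script is an added example written for this page; it is not code from the article or from the companies it quotes. The organization domain, the executive list, the term lists, the homoglyph table and the two sample messages are all constructed for illustration, and the scoring is a heuristic, not a substitute for the gateway’s own authentication checks.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical organization data, constructed for this example.
ORG_DOMAIN = "example.com"
# Display names an attacker would plausibly borrow, mapped to the only
# address each one is legitimately used with.
EXECUTIVE_NAMES = {"dana rivera": "dana.rivera@example.com"}

URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "before end of day")
PAYMENT_TERMS = ("wire transfer", "bank details", "payment", "invoice", "gift card")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalize(domain: str) -> str:
    # Collapse common homoglyph substitutions so "exarnple.com" and
    # "examp1e.com" compare equal to "example.com" (constructed table).
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")):
        d = d.replace(fake, real)
    return d


def _within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                # character deleted from a
        elif len(b) > len(a):
            j += 1                # character inserted into a
        else:
            i, j = i + 1, j + 1   # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def is_lookalike(domain: str) -> bool:
    """True when domain imitates ORG_DOMAIN without being ORG_DOMAIN itself."""
    if domain == ORG_DOMAIN:
        return False
    return _normalize(domain) == _normalize(ORG_DOMAIN) or _within_one_edit(domain, ORG_DOMAIN)


def bec_flags(raw_message: str) -> list[str]:
    """Return the BEC red flags found in one RFC 5322 message (heuristic)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()

    flags = []
    expected = EXECUTIVE_NAMES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' paired with unexpected address {from_addr}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if is_lookalike(from_dom):
        flags.append(f"From domain {from_dom} imitates {ORG_DOMAIN}")
    # Authentication-Results is written by the receiving gateway (RFC 8601);
    # anything other than "pass" for SPF, DKIM or DMARC is worth a flag here.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            flags.append(f"{mech.upper()} did not pass at the receiving gateway")
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
        flags.append("urgent payment request in subject/body")
    return flags


# Constructed sample traffic (not real messages).
LEGITIMATE = (
    "From: Dana Rivera <dana.rivera@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Q3 vendor review\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
    "\n"
    "Please add the Q3 vendor review to next week's agenda.\n"
)

SPOOFED = (
    "From: Dana Rivera <dana.rivera@exarnple.com>\n"
    "Reply-To: ceo.office@webmail-provider.invalid\n"
    "To: accounts@example.com\n"
    "Subject: URGENT wire transfer to close the deal\n"
    "Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\n"
    "\n"
    "I am in a meeting and cannot talk. Send the wire transfer immediately;\n"
    "bank details attached. Keep this confidential.\n"
)

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        flags = bec_flags(raw)
        print(f"{label}: {len(flags)} flag(s)")
        for f in flags:
            print("  -", f)
```

Run stand-alone, the legitimate message produces no flags and the spoofed one produces seven (display-name mismatch, Reply-To mismatch, lookalike domain, three failed authentication mechanisms, and the urgent payment wording). In practice a gateway would route anything above a low threshold to quarantine or to a human reviewer, and the executive list would come from the directory rather than a hard-coded table.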
Another tip is to use security software, for example an antivirus and a secure email gateway. The cybersecurity company Proofpoint defines a secure email gateway as a device or software used to monitor sent and received email and enforce corporate email security policies; it is designed to block spam and deliver only legitimate, authorized mail.