
The Rise of Business Email Compromise in Financial Services

25 September 2020

By Andy Downs – andy.downs@ka2.io

The threat of Business Email Compromise (BEC) is a real and growing concern among financial services firms. One study suggests that BEC attacks on this industry have grown at an alarming 60% rate over a one-year period. Such attacks are not cheap, either. The average BEC sum that attackers seek via a wire transfer has risen to roughly £63,000 per attack (up from about £40,000 last year). As Satya Nadella stated in his keynote speech at Microsoft Ignite 2020: “Business leaders reported phishing threats as the biggest risk to security since the pandemic started.”

BEC encompasses a range of attacks, including CEO fraud, phishing, spear phishing, and email spoofing. Attacks are also expected to worsen this year as businesses are increasingly vulnerable to exploits amidst new remote work environments brought about by the COVID-19 pandemic.

While the risk of BEC attacks is concerning, you can better protect yourself with information and robust preventative security measures. In this post, I highlight what your organisation needs to know about this growing BEC threat and share several actionable security measures to protect your business this year and beyond.

What is BEC?

Business Email Compromise is a growing and evolving email scam based on the concept of social engineering, in which attackers use manipulation tactics to pose as someone known or trustworthy in an attempt to solicit confidential, sensitive, or financial information. While BEC goes by many names, the technique is largely the same:

  • An attacker targets an employee (or multiple employees) with access to company finances.
  • The nefarious email will appear to originate from a familiar or trusted source, often a senior executive, the CEO, or another vendor, supplier, or partner. Often, attackers will spend considerable time “grooming” targets and researching a company’s network and accounts, including your billing system, vendors, and even the style with which your CEO communicates.
  • Some BEC emails will originate from fake accounts whose addresses closely resemble your company’s legitimate email addresses (a look-alike domain or a transposed character). In other cases, a real sender’s mailbox has been compromised, so the email genuinely comes from a known person and address.
  • Attackers may request funds in various forms, including gift cards, payroll diversions, wire transfers, and direct bank transfers.
  • All of this makes BEC attacks difficult to discern and prevent – that is the goal.
  • The overall objective of the BEC attack is to convince the target to submit money to the attacker.

Cybercriminals use a variety of tactics to run BEC scams, but the most common are display-name spoofing and domain spoofing. With display-name spoofing, attackers simply change the name that shows up at the top of the email as the sender. In domain spoofing, attackers send malicious emails that appear to come from an organisation’s trusted domain.

Why is BEC such a threat?

The obvious impact of a BEC attack on your business is financial loss. One report puts the total cost of BEC attacks over the last three years at more than £3.69 billion, and the average amount that attackers seek in these attacks continues to grow. There’s also financial loss as a result of downtime and business disruption following an attack.

Your reputation is also on the line. BEC attacks are often in the news, and customers may lose confidence in your product or service as a result. Especially in the financial services industry, customers expect security not just in the products you offer, but also in how you protect and secure their personal information. A BEC attack can result in significant reputational damage that can be hard to recover from. Other threats and impacts include loss of sensitive or confidential data, recovery costs, and even the potential firing of responsible personnel.

The nature of a BEC attack itself is also a threat. These scams are designed to fool people by leveraging normal human weaknesses; today, we also see them growing and spreading to more targets across a given organisation, making them even more difficult to thwart.

How can you protect your organisation?

BEC scams are basic, but brutal. Protecting your staff, partners, and customers from this growing threat requires a proactive and multi-pronged approach, beginning with your people.

Step one is to educate your first line of defence – your employees. Provide timely resources and examples to help your employees spot these malicious emails. This includes keeping your team informed of the latest BEC tactics and scams. This employee education could take the form of an all-staff training session, a mandatory online course, or newsletters and resources from your technology or leadership team.

Another recommended measure is to review and improve your internal business processes. All of them! Review existing procedures such as separation of duties for financial transfers and other transactions; policies around sending sensitive data in bulk to outside entities; and best practices or rules for handling legitimately urgent email requests.

Implementing DMARC email authentication is another way to prevent attackers from hijacking trusted domains for email fraud. DMARC lets receiving mail servers verify that a message claiming to come from your domain is authenticated (it passes SPF or DKIM for a domain aligned with the visible From address) and tells them how to treat messages that fail: monitor only, quarantine, or reject. It’s an effective strategy, evidenced by the more than one million domains that now use DMARC for enhanced email security and protection. In general, the team at KA2 predicts that overall usage of DMARC will continue to accelerate rapidly as BEC scams continue to proliferate. This is especially true amidst COVID-19; one source suggests that attacks involving payment and invoice fraud rose 200% between April and May, 2020.
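To make the two spoofing techniques from the “What is BEC?” section and the DMARC mechanism concrete, here is an added example (not code from the original post or from KA2) of the checks a receiving mail system applies. It parses a DMARC record, tests whether the SPF- or DKIM-authenticated domain aligns with the visible From domain, and separately flags display-name spoofing, where an executive’s name is paired with an external address that DMARC alone would not catch. The domains, names, DMARC record and authentication results are all constructed for the example; a real deployment would fetch the record from DNS and take SPF/DKIM results from the mail server.

```python
"""Constructed example: DMARC alignment check plus display-name spoofing check.

Assumptions (not from the original post): the protected organisation is
example.com, its DMARC record is embedded inline rather than fetched from
DNS, and SPF/DKIM results arrive already evaluated by the mail server.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed DMARC record for example.com: reject failures, strict DKIM
# alignment, relaxed SPF alignment, aggregate reports to a mailbox.
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r"
OWN_DOMAINS = {"example.com"}            # domains this organisation sends from
PROTECTED_NAMES = ["Jane Smith"]         # executives commonly impersonated (constructed)


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, applying DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    Real implementations consult the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs
    the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str    # envelope (MAIL FROM) domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: str   # d= tag of a passing DKIM signature, if any


def from_domain_of(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def dmarc_disposition(from_header: str, auth: AuthResult, dmarc_txt: str) -> str:
    """Return 'pass' if SPF or DKIM passes with an aligned domain,
    otherwise the domain owner's requested action (none/quarantine/reject)."""
    policy = parse_dmarc(dmarc_txt)
    from_domain = from_domain_of(from_header)
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


def display_name_spoof(from_header: str, protected_names, own_domains) -> bool:
    """Flag a protected person's name shown with an address outside our domains.
    DMARC does not cover this case, because the attacker's own domain may
    authenticate perfectly well."""
    name, _ = parseaddr(from_header)
    if from_domain_of(from_header) in own_domains:
        return False
    return any(p.lower() in name.lower() for p in protected_names)


if __name__ == "__main__":
    # Domain spoofing: From shows example.com but the sending host's SPF
    # domain is a constructed third-party domain and nothing is DKIM-signed.
    spoofed = AuthResult(True, "relay.bulk-sender.example.net", False, "")
    print(dmarc_disposition('"Jane Smith" <jane.smith@example.com>', spoofed, DMARC_RECORD))
    # Display-name spoofing: the name is right, the address is external.
    print(display_name_spoof('"Jane Smith CEO" <jane.smith.ceo@webmail.example.org>',
                             PROTECTED_NAMES, OWN_DOMAINS))
```

Both checks are cheap to run on every inbound message. The disposition comes from the domain owner's published policy, so a domain still at `p=none` gains reporting but no blocking; moving to `quarantine` and then `reject` is what actually stops the domain-spoofing case, while the display-name check belongs in mail filtering rules or a secure email gateway.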

Other added protections can help to further secure your operations, including implementing multi-factor authentication, disabling outdated email protocols, instituting a “second sign off” policy for any payments made, and monitoring vendor and customer habits.

What next?

Now that you understand the basics of BEC scams and how they work, we hope this post helps you take the necessary steps to protect your organisation from these costly attacks. We also understand that you may have limited time and resources at the moment as you navigate the relentless demands of the changing workspace and customer preferences in 2020. The KA2 Messaging and Security Experts can help you assess and understand your risk of email impersonation with our Smarter Email Authentication Assessment. When you partner with us, we will provide a documented review of your email domains and design an action plan to remedy vulnerabilities and implement recommended best practice message authentication, including DMARC and BIMI.

Please get in touch today to learn more or download KA2’s Smarter E-Mail Authentication Fact Sheet here.