8 things that should be in a company BEC policy document

Business email compromise (BEC) attacks made up more than 50% of social engineering incidents in 2023, according to Verizon. Attackers aren’t just increasing the volume of their attempts, they’re also getting far more sophisticated and automated in how they craft impersonation messages. To avoid financial losses, CISOs should consider creating an appropriate BEC policy with their legal teams.

“Cybercriminals have gotten very good at writing highly convincing email attacks, especially now that many are tapping into generative AI tools like ChatGPT to scale these attacks in both volume and sophistication,” says Mike Britton, CISO for Abnormal Security. “Many social engineering attacks are nearly indistinguishable from legitimate emails, so much so that they can not only deceive the human eye but can also evade detection by traditional email security tools.”

As BEC attacks ramp up in 2024, cybersecurity teams and business managers need to understand that technology defenses can only go so far in mitigating the risk. Email defense is obviously crucial — including everything from anti-spoofing technology like DMARC and SPF to behavioral analytics and other threat detection tools — as are protections like MFA and solid identity and access management. However, to build out effective defense-in-depth, organizations need to layer in smart people-centric business and technology policies that can minimize risks in other ways.

“The power of a BEC attack lies in its ability to deceive its victim. These types of attack do not typically contain malicious links, malware attachment or phishing hyperlink payloads and are often sent from compromised accounts of trusted sources,” explains James Dyer, threat intelligence lead for Egress. “They’re highly targeted and well-crafted, appearing like legitimate, everyday requests that would not arouse suspicions. Policies like setting up a procedure to follow when transferring funds will help to evade the social engineering stress tactics that force an employee to act quickly.”

This is why it’s so crucial for organizations to establish a comprehensive BEC policy document that makes users more resilient to attack. Here are eight points experts recommend including in those BEC protection policies.

Acceptable use rules

One of the fundamental sets of rules organizations should set at the business and technology levels to head off BEC is an acceptable use standard for employees who access email and other business systems. An acceptable use policy (AUP) is the bare minimum for providing policy-based protection against BEC risks, says Britton.

“AUPs outline general security best practices and should include a particular focus on phishing and BEC prevention guidelines,” Britton tells CSO. “These might include requirements like not clicking on suspicious file attachments or links, not divulging sensitive information to third parties, double-checking requests for invoice payments and payroll changes, and steps for reporting suspected attacks.”

AUPs are the yin to security awareness training’s yang. Whereas an AUP lays out exactly what the employer expects of users with regard to things like suspicious links and how to handle changes in invoice details, security awareness training explains why those rules exist. Awareness training offers context about how attackers operate, why employees are targets, and how expensive a mistake can be, ideally giving them better tools to spot a potential attack and gaining buy-in for complying with the AUP.

Requirements and frequency for security awareness training

As with AUPs, security awareness training should be stipulated by the BEC policy as a key component for onboarding. However, policy should also dictate regular and frequent training check-ins as the employee continues with the organization. “Because cybercriminal tactics are constantly evolving, organizations should conduct refreshers every four to six months at a minimum,” says Britton. “Consider researching tools that can help automate these training sessions.”

These updates not only provide valuable reminders of the threat and reinforcement of what a BEC attack looks like at various stages, but they can provide an important venue to include information about how these attack techniques have changed since the last training. “Regularly update employees on evolving BEC threats and tactics through training programs,” David Derigiotis, chief insurance officer for Embroker, a business and cyberinsurance firm, tells CSO. He emphasizes that simulation tests and other audits need to be a part of those regular updates. “The scam has evolved past email to the use of deep fake audio calls emulating C-suite executives. Use simulated phishing and social engineering exercises to test and reinforce their ability to identify suspicious requests whether they come in the form of an email or deep fake audio or video.”

Mandated BEC-specific incident response plan

Smart boards and CEOs should demand that CISOs include BEC-specific procedures in their incident response (IR) plans, and companies should create policies that require security teams to update these IR plans regularly and test their efficacy. As a part of that, security and legal experts recommend that organizations plan for legal involvement across all stages of incident response. Legal especially should be involved in how incidents are communicated with internal and external stakeholders to ensure the organization doesn’t increase its legal liability if a BEC attack hits.

“Any breach may carry legal liability, so it’s best to have the discussion before the breach and plan as much as possible to address issues in advance rather than to inadvertently take actions that either causes liability that might not otherwise have existed, or increases liability beyond what would have existed,” Reiko Feaver, a privacy and data security attorney and partner at Culhane Meadows, tells CSO.

Feaver, who advises clients on BEC best practices, training and compliance, says BEC policy documents should stipulate that legal be part of the threat modeling team, analyzing potential impacts from different types of BEC attacks so the legal liability viewpoint can be folded into the response plan. “Additionally, compromised or exposed information regarding business partners, customers, personnel, etc., including confidential information, may have legal consequences that should also be considered in putting together an IRP and in actually responding to an actual breach,” she says.

Rules about sharing organizational charts and other operational details

BEC scammers can often craft very convincing social engineering attempts by leveraging knowledge of the organization’s inner workings, both to pick which employees to target for account takeover and to make their requests believable. For example, knowing which employee is number two to the CFO, or executive assistant to the CEO, tells an attacker whose account to compromise first. Those more junior employees’ accounts may be less scrutinized than their bosses’, yet a payment or banking-change request sent from one of them, worded with the insider knowledge the attacker has gathered, carries almost the same authority as if it had come from the CFO or CEO. For this reason, many cybersecurity advocates suggest organizations make it policy to keep operational details like organizational charts and job descriptions on a need-to-know basis.

“Job descriptions, organizational charts, and other details that hackers could use to facilitate targeted phishing scams should be removed from company websites,” says Stephen Spadaccini, CTO and CPO for SafeGuard Cyber. “Avoid posting detailed personal information on social media sites that play into the hands of those looking to personalize their social engineering scams.”

Invoice and financial transaction protocols

One of the most important policies to prevent huge losses from BEC has nothing to do with email defense or tech protections. It’s simply a matter of establishing ironclad processes for invoicing and triggering financial transactions that are resistant to scam attempts. These kinds of business standards and procedures are crucial.

“This is more about defense-in-depth being applied across an organization into business practices, not just network security. For example, if a request to change payment information arrives via email – what’s the business process response?” Fortra CISO Chris Reffkin tells CSO. “Standard practices such as defined processes for business requests and established approval hierarchies are a good measure against BECs.”

Those policies should ideally require that all payments be traced back to an approved invoice that includes a verified payee name, address and payment instructions, recommends Roger Grimes, defense evangelist at KnowBe4. “Any ad hoc request for payment must undergo formal review before the payment is issued,” Grimes says. “Require that all payment instruction changes be verified using legitimate avenues before being approved.”

A strong policy on this front can deflate the sense of urgency and the fear that attackers use against employees, posing as an executive or someone’s boss asking for an abnormal request. “A policy can help protect employees who follow the policy. For example, suppose a boss sends an emergency email from home instructing an employee to pay an emergency invoice. The employee, pointing to policy, can respond that they would need to follow the appropriate, predefined policies before paying the invoice. The policy protects the employee from suffering harm from simply following policy,” Grimes says.

Out-of-band verification for high-risk changes and transactions

Drawing a finer point on invoice and financial transaction policies, businesses should take particular care in how they verify and approve high-risk transactions and changes to financial accounts. “Implementing stringent verification processes for financial transactions and data requests is crucial,” says Igor Volovich, vice president of compliance strategy for Qmulos. “This serves as a critical defense against BEC attacks, ensuring thorough vetting of every request. Embedding these processes into daily operations creates a robust defense mechanism.”

One of the main ways organizations can set up a backstop for BEC is to make sure that anything high-risk triggered by email is followed up through some out-of-band verification channel, such as a phone call, a secured internal system, or SMS. The contact details used for that follow-up must come from the organization’s own records rather than from the email that made the request, since an attacker who controls the conversation will happily supply a “new” phone number of their own.

“This is one of the most important policies. Never change payment/banking details based on an email request alone,” stresses Robin Pugh, director of Intelligence for Good and CEO of DarkTower. “Whenever a payment information or banking information change is requested via email, a policy should be in place that requires the recipient to always contact the requestor via voice, using a trusted contact method. In other words, call them via the phone number on file and make sure that they have authorized the change.” Pugh says that adding a policy for a second approver to the hierarchy for high-risk transactions can also further reduce risk and cut down on insider threats in the process.

Attackers tend to sit in a compromised email box waiting for some kind of payment activity to give them an opportunity to insert themselves into the process, warns Troy Gill, senior manager of threat intelligence for OpenText Cybersecurity. Even if a contact provides a legitimate document via email, it should still be supplemented with out-of-band verification. “In many cases they will take a legitimate document that has been sent previously and alter it slightly to include their (attacker controlled) account and routing numbers. In this case, the attack will look nearly identical to a routine document from a known contact, the only difference being the account details have changed,” explains Gill. “It is critical that all changes must be confirmed outside of the email thread.”

Request register process

For some organizations a policy asking for an ad hoc out-of-band phone call may not be stringent enough to reduce BEC risk. One way to take verification policy to the next level is to establish an internally secured “request register” through which every request to exchange or change sensitive information is funneled, explains Trevor Horwitz, CISO and founder of TrustNet.

“Prevention of BECs requires a broad strategy because of the dual originating threats from external spoofed email and internal compromised email sources. We advocate for a novel strategy inspired by ‘positive pay’ fraud prevention in the financial services sector,” says Horwitz, who has also served a stint as president of InfraGard Atlanta, a chapter of the FBI’s non-profit association for cybercrime information sharing. “This policy requires a secondary method of positive verification for all sensitive information exchanges and changes, including payees, banking information, accounts receivable, and employee data. The mechanics include an internally secure ‘request register,’ which ensures positive validation before any information exchange or modifications.”

Through this policy and methodology, every sensitive request is registered in the centralized system and then approved through a second factor, be it a phone call, a one-time passcode (OTP), or a hardware security key such as a FIDO2 authenticator. “Users are trained to verify sensitive requests through this register before divulging information or making changes,” Horwitz tells CSO.

Open-door reporting

Organizations should work hard to develop a policy, culture, and set of processes that make it easy for employees to report requests or incidents that feel off to them, even if they’ve already made mistakes. “It’s important to make sure employees are not scared to report an incident or questionable action they may have taken,” says Feaver. “The sooner something is reported the easier it is to address, but scared employees may not want to admit mistakes.”

The idea is to set up documented steps and mechanisms for reporting, and to reward thwarted attacks more than the organization punishes mistakes. “For added incentive, I suggest a reward system — a prize pool or gift cards for example — for those that successfully identify and thwart attempted BEC attacks,” Gill says. “This will help foster a defensive mindset and zero trust mentality and they need to know how to do this safely.”
