As the threat landscape evolves, businesses face an increasingly significant danger in the form of BEC and BCC (Business Communications Compromise) attacks. These sophisticated techniques exploit human vulnerabilities, making them difficult to detect and posing substantial risks to organizations. Factors such as financial gain, low technical barriers, and the evolution of attack vectors contribute to their growth.
In this Q&A with SafeGuard Cyber CEO Chris Lehman, we explore the reasons behind the escalating threat, emerging techniques employed by cybercriminals, vulnerable sectors, compliance risks, and effective prevention strategies. Why do you believe that BEC and BCC (Business Communications Compromise) is becoming an increasingly significant threat to businesses? Are there any specific factors or emerging trends contributing to its growth?
Humans are the biggest variable for the increasing threat of BEC and BCC (Business Communications Compromise). The Verizon Data Breach Investigations Report states that 82% of all breaches that occurred last year were the result of human exploitation. That’s because no matter how much training we do or how much awareness we create, the human eye can’t detect the sophisticated attacks targeted against them. The industry tends to focus on securing applications and infrastructure. While those things are important, the industry in general struggles with how to secure the human element. Our time, energy and resources will be better spent trying to make that more secure. And there are ways that you can make humans and their communications more secure today than ever before.
BEC and BCC attacks are increasingly significant threats to businesses due to the following factors:
Sophisticated Techniques: Cybercriminals employ advanced social engineering tactics to deceive employees and gain unauthorized access to sensitive information.
Financial Gain: BEC/BCC attacks are highly lucrative. Threat actors target financial transactions to redirect funds or initiate fraudulent transfers.
Low Technical Barriers: These attacks rely more on human manipulation than advanced technical skills, making them accessible to a wide range of threat actors.
Lack of Awareness: Employees often lack proper training and awareness, increasing the likelihood of falling victim to fraudulent emails.
Global Connectivity: Interconnected business ecosystems provide opportunities for cybercriminals to exploit complex relationships and communication channels.
Evolution of Attack Vectors: Adoption of new communication platforms and technologies expands the attack surface for BEC and BCC attacks.
Evasion of Traditional Security Measures: These attacks often bypass email filters and antivirus solutions, making them harder to detect.
To combat these threats, businesses should prioritize employee training, implement multi-factor authentication and establish robust verification processes for business transactions. Continuous updates and strengthened cybersecurity measures are also crucial to staying ahead of these evolving tactics.
Are there any new BEC or BCC techniques being employed by cybercriminals that organizations should be aware of?
Attackers have evolved their techniques by moving away from traditional phishing attacks in which they deliver malicious files and links to using social engineering attacks.
Social engineering involves using techniques such as urgency, deception and impersonation, and those techniques typically go undetected by traditional security stacks.
A couple of very high-profile breaches that occurred recently are good examples of this.
Uber and Take-Two were both hit within about a week of one another with social engineering attacks that started off in WhatsApp, and then moved laterally from that application. These incidents are a great example of how attackers are using advanced techniques that go undetected by the traditional security stack as a way to circumvent the defenses that corporations have.
Which sectors are most commonly affected by BEC and BCC attacks and why do you think they are particularly vulnerable? Are there any specific characteristics or factors that make them attractive targets?
Commonly affected sectors by BEC and BCC attacks include finance/banking, healthcare, manufacturing/supply chain, real estate/construction, and government/public sector. They are vulnerable due to factors such as high transaction volumes, reliance on email communication, complex supply chains, sensitivity of data and varying levels of security awareness.
To mitigate risks, these organizations in these industries should prioritize employee training, implement robust email security measures, conduct regular security assessments and establish strong authentication protocols for financial transactions.
What are the potential consequences of BEC or BCC for organizations that are required to comply with applicable regulations such as SEC, HIPAA, PII, GDPR or CCPA? How can BEC and BCC attacks pose compliance risks?
BEC and BCC attacks pose compliance risks for organizations subject to regulations like SEC, HIPAA, PII, GDPR, or CCPA, including:
Data breaches and violations of privacy regulations.
Financial losses and non-compliance with SEC regulations.
Failure to meet security standards and protect sensitive data.
Breach notification obligations under GDPR and CCPA.
To mitigate these compliance risks, organizations should implement robust security measures, train employees, and ensure compliance with relevant regulations. Prompt incident response and data breach notification processes are also crucial. What are some effective prevention and mitigation strategies that businesses can implement to protect themselves against BEC and BCC attacks? How important is employee training? How can they recognize and respond to BEC/BCC-related threats?
To prevent and mitigate BEC and BCC attacks, businesses can:
Provide comprehensive employee training on email security and awareness.
Implement robust communication security measures and authentication protocols.
Enable multi-factor authentication for email accounts and critical systems.
Conduct due diligence for vendors and suppliers, especially for financial transactions.
Establish approval processes and enhanced verification procedures for sensitive transactions.
Regularly assess and address security vulnerabilities.
Develop an incident response plan tailored to BEC and BCC attacks.
In addition to the strategies in the list above, newer multi-channel security controls can be adopted to address multi-channel communication risk. Determining user identity, behavior analytics, context and intent of messages are integral to your protective mechanisms. Suspicious attachments, poor grammar and format, and generic signatures and greetings can be indications of ongoing social engineering exploits. With Natural Language Understanding (NLU) technology and Predictive Behavioral Analytics, enterprises can quickly determine the context and intent of communications in cloud communication channels – both inbound and outbound. By evaluating attributes such as lexical features, spelling features, and topical features, NLU tools can determine the likelihood that the source message is a social engineering attack across multiple channels.