Three Key Tips for Security Teams to Reduce the Threat from Email Attacks

This guest post was contributed by Trevor Collins, Network Security Engineer, WatchGuard Technologies

Business email compromise (BEC) is a targeted form of phishing in which attackers try to scam companies out of money or goods, or trick employees into giving up sensitive information. Instances of these attacks have continued to increase, causing devastating impacts. Between 2016 and 2021, the FBI's Internet Crime Complaint Center (IC3) reported $43 billion of global exposed losses due to BEC.

Verizon's Data Breach Investigations Report also showed that web applications and email are the top two breach vectors. Because they're often internet-facing, web apps and email are a preferred avenue for attackers to try and slip through an organization's security perimeter – and the methods used to exploit them are only growing more devious.

So, what can security teams and end users do to combat these increasingly sophisticated email threats? Here are three tips on how to keep email attacks from succeeding.

Build a security-first culture

Most security professionals understand that no defense is perfect, especially with human behavior involved. Since successful attacks are often the result of human error, it’s essential to provide users with security awareness training. The importance of training only grows as the methods for deceiving end-users continue to evolve.

Security teams must continuously train users to be hyper-aware of the tell-tale signs of a business email compromise attack. They need to be able to spot email phishing, spear phishing and social engineering. Since many attacks can come from vectors beyond email – via text message, over WhatsApp or other messaging applications, or voice calls via deepfake software – it's essential that users understand the entire range of threats.

It's essential for IT and security teams to build a culture that promotes security awareness and makes users feel comfortable flagging an issue or suspicious activity. By encouraging users who are the victim of a phishing attempt to notify IT, threats can be addressed quickly. On the other hand, shaming users will only discourage them from being forthcoming about a mistake they may have made, resulting in further risk of damage to the organization. It’s critical that everyone feel like they are part of the security team. More watchful eyes on the lookout for phishing attempts and malicious activity makes for a stronger security posture.

A skeptical mindset is a necessary tool in the current threat landscape. A bad actor will often compromise the account of a familiar party like a co-worker, partner, or vendor and use that in a phishing attempt. Remember: A message that appears to be from a trusted source isn't always a trusted message. Take an extra second to double-check suspicious requests and cover your bases. Staying alert is the best protection you can have.

Watch out for evolving phishing attempts

As phishing has become more advanced, the success rate of email attacks has gone up. Historically, BEC would entail a bad actor stealing a user's alias and password – perhaps by sending them a fake Office or Google login form to fill out – and hoping they don't encounter multifactor authentication (MFA), which could stop the attack.

However, the last few years have seen new approaches, such as an increase in the use of social engineering to obtain MFA tokens, where bad actors trick users into providing their one-time MFA passcode. The attacker may try push bombing, spamming the end user with authentication notifications until the user accepts one out of fatigue. Or they may use newer malicious proxies and tools that adopt the traditional phishing approach of stealing a username and password by sending a fraudulent link for the user to click; these proxies bypass MFA by completing the authentication transaction themselves and capturing the resulting authenticated session.
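Push bombing leaves a recognisable trace in identity-provider logs: a burst of denied or timed-out MFA pushes for one user, sometimes ending in an accept. The following detector is an added example for this post, not WatchGuard code; the log format, field names and sample entries are constructed for illustration, and real IdP exports will need their own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, MFA push result, source IP.
SAMPLE_LOG = """\
2023-03-01T08:00:05Z alice push_denied 203.0.113.7
2023-03-01T08:00:41Z alice push_denied 203.0.113.7
2023-03-01T08:01:12Z alice push_timeout 203.0.113.7
2023-03-01T08:01:50Z alice push_denied 203.0.113.7
2023-03-01T08:02:30Z alice push_accepted 203.0.113.7
2023-03-01T08:05:00Z bob push_accepted 198.51.100.4
2023-03-01T09:10:00Z carol push_denied 198.51.100.9
2023-03-01T09:40:00Z carol push_accepted 198.51.100.9
2023-03-01T10:00:00Z dave push_denied 192.0.2.5
2023-03-01T10:00:30Z dave push_denied 192.0.2.5
2023-03-01T10:01:00Z dave push_timeout 192.0.2.5
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events

def detect_push_bombing(events, window_minutes=10, threshold=3):
    """Flag users with >= threshold unanswered pushes inside a sliding window.

    An accept that follows such a burst is escalated to high severity: that is
    the fatigue outcome the attacker is hoping for and likely means the
    account is now compromised. A burst with no accept is still reported
    (medium), because it shows someone holds valid credentials for that user.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp, then group per user
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        recent = []                    # timestamps of unanswered pushes in window
        for ts, _, result, ip in evs:
            recent = [r for r in recent if ts - r <= window]
            if result in ("push_denied", "push_timeout"):
                recent.append(ts)
            elif result == "push_accepted":
                if len(recent) >= threshold:
                    alerts.append({"user": user, "unanswered": len(recent),
                                   "accepted_at": ts, "ip": ip, "severity": "high"})
                recent = []            # an accept ends the burst either way
        if len(recent) >= threshold:
            alerts.append({"user": user, "unanswered": len(recent),
                           "accepted_at": None, "ip": evs[-1][3], "severity": "medium"})
    return alerts
```

Tune `window_minutes` and `threshold` to your IdP's push timeout and normal user behaviour; a single denied push is routine, a cluster is not.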

Unfortunately, all these new approaches and commoditized tools mean BEC continues to be a lucrative attack vector for malicious actors. With defense often one step behind, end users must stay vigilant. Whenever something looks suspicious, rely on other communication channels to confirm a message's legitimacy before carrying out an action that could damage you or your organization.

Adopt a layered security approach

There is no magic bullet to cybersecurity; you can't rely on a single control, policy, or training session for end users. Therefore, a layered approach with various tools, procedures, and training is necessary for an effective defense. If one layer fails, another will pick up the slack.

Security teams must identify the technical controls they can implement to minimize the impact of phishing in the event that an attack gets through. A DNS firewall prevents network users and systems from connecting to known malicious internet locations and can effectively neutralize links to a bad destination. To combat malware, proactive anti-malware tools can monitor for unusual behavior (rather than relying on signature-based detection alone) to identify malicious software and keep it from infecting computers and other devices.

There are tools security teams can use to quickly identify and respond to attacks that slip through the cracks. Robust endpoint detection and response (EDR) tools can enhance visibility within your network to detect malicious activity and act on it before the incident grows. Finally, leverage MFA, which remains the best measure a security team can implement to protect against authentication attacks. Reinforce MFA with social engineering training for end users so that this line of defense remains strong.

Realistically, you will never get the click rate on malicious emails or messages down to zero. But getting click rates as low as possible can give your technical controls a better chance at stopping attacks that get through. Educating all users in your organization on cybersecurity best practices, recognizing phishing attempts and adopting a layered security approach will help build your business's defenses against email and message-based threats.
