How to Protect Your Business From One of the Most Invisible Phishing Attacks

When an accounts payable employee at a Manhattan advertising firm received an email from the CEO instructing the firm to wire $49,000 to another firm’s bank account, that employee dutifully complied. However, that email didn’t come from the CEO. And while the listed firm was real, the bank account belonged to a shell company set up by a personal trainer using a cyberattack strategy called business email compromise, or BEC.

BEC relies on practices similar to other email spear-phishing scams. Phony emails appearing professional in design and address – including accurate facts and figures and customized content that can bypass suspicion – are sent to employees requesting money be wired to specific accounts or that sensitive information be revealed. Often, the sender masquerades as an executive, leveraging implied authority and causing these requests to be fulfilled with little or no hesitation.

All of this makes BEC one of today’s most pervasive and lucrative forms of cyberattack. It also means that organizations hoping to fortify themselves against such attacks need to create a cybersecurity strategy that’s equally comprehensive.

Preventing an attack you can’t recognize

BEC attacks have proven so successful because of their increasingly sophisticated ability to mimic authentic communications and thus defuse users’ suspicions. More cunning in their deception and more ambitious in their targeting than other spear-phishing schemes, BEC attacks ironically require few technical skills. All that’s needed is some creativity and a willingness to shirk morality, which makes them especially challenging for organizations to combat.

Between October 2013 and December 2016, the FBI estimates that more than 40,000 BEC attacks were carried out in the U.S. alone. These attacks led to $5 billion in losses, $346 million of which happened in only the last half of 2016.

Ultimately, organizations hoping to prevent BEC attacks need to filter malicious emails out before users are forced to decide what is or isn’t real, because by the time an email arrives in a user’s inbox, it’s usually too late. Here are three ways entities can bolster their defenses.

  • Implement impersonation filtering. BEC attacks commonly manipulate an authentic email address so subtly that users aren’t likely to spot the difference. For example, the attacker may alter one character or add an extra letter to an otherwise legitimate address. However, organizations can implement impersonation filtering tools as part of a threat protection service that catches these discrepancies. Impersonation filtering can also analyze a sender’s name and address by cross-referencing them with entries in an authenticated database directory, alerting the recipient if it finds a mismatch.

  • Increase protection with a multilayered approach. The most suspicious features of BEC messages won’t be spotted by the average employee, especially one who’s busy. But they can be blocked by threat protection that identifies spoofed emails and verifies identities at several levels. Adding layers of filters that review the email source and carefully analyze the sender will further prevent BEC scams from ever entering the inbox and jeopardizing your employees and organization.

  • Educate users and create a confirmation policy. The most sophisticated scammers can gain access to an executive’s actual email account. Any messages then sent from it automatically bypass authentication tools, making unsuspecting recipients the last line of defense. Organizations that focus on educating users about the threat of BEC and the tactics used by attackers create a healthy culture of security. Putting policies in place that require certain types of transactions to get independent verification also helps expose scams for what they are. And while making confirmation mandatory adds some friction, a little added time is worth far more than thousands of dollars in losses.
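As an added example (not code from this article or from any product it describes), here is a small Python sketch of the impersonation-filtering check described above: it flags sender domains within a small edit distance of the organization’s own domain and display names whose address does not match the directory entry. The trusted domain, the directory entries and the sample From: headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample data: the organization's legitimate domain(s) and an
# "authenticated directory" mapping executive display names to their address.
TRUSTED_DOMAINS = {"example-firm.com"}
DIRECTORY = {"jane doe": "jane.doe@example-firm.com"}
MAX_EDITS = 2  # one altered character or one extra letter stays under this


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(header_from):
    """Return a list of impersonation findings for a raw From: header value."""
    name, addr = parseaddr(header_from)
    findings = []
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Lookalike-domain check: an untrusted domain that is only a couple of
    # edits away from a trusted one is the classic BEC address manipulation.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(domain, trusted) <= MAX_EDITS:
                findings.append(f"lookalike domain {domain!r} resembles {trusted!r}")

    # Directory check: a known executive's display name on any other address
    # (free-mail, a lookalike, or even another internal mailbox) is a mismatch.
    key = " ".join(name.split()).lower()
    if key in DIRECTORY and DIRECTORY[key].lower() != addr.lower():
        findings.append(
            f"display name {name!r} does not match directory address {DIRECTORY[key]!r}"
        )
    return findings
```

An empty list means the sender passed both checks; a real filter would run this before delivery and either quarantine the message or tag it for the recipient.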

Because BEC is so effective and lucrative, organizations hoping to prevent it need to realize what they’re up against. By implementing a multilayered approach and impersonation filtering, educating users, and creating good governance practices, companies can help protect themselves from these attacks. Given all the money to be made, these attacks aren’t likely to go away, and organizations that act now will be best positioned to defend against BEC and future cyberthreats.
