Defending Against Business Email Compromise

Cybercriminals have targeted email as a lucrative threat vector for years. Many of us can recall the early days of spam and virus attacks, followed by mass phishing emails containing malware. Fast forward to today, and we’re in the thick of the business email compromise (BEC) era.  

Sophisticated BEC attacks - including credential phishing, impersonation, and invoice fraud - are on the rise. According to the FBI's IC3 report, BEC continues to be a billion dollar problem. In Europe specifically, the situation is worsening, with a staggering 123.8% rise in BEC attacks from April 2023 to April 2024. This surge indicates an upward trend in relentless email threats, likely driven by a variety of factors. 

Uncovering The Forces Driving Email Threats

One of the hallmarks of BEC attacks is the use of social engineering, where attackers use detailed information about their victims to write convincing emails. Sometimes, these emails involve impersonation of a trusted executive within the victim’s company - like impersonating the finance department to request an urgent payment for an overdue bill. Other times, they impersonate third parties like charities to exploit international crises and world events, such as the conflicts between Russia and Ukraine and Israel and Palestine. 

Vendor email compromise is also on the rise, where attackers impersonate a trusted supplier to conduct invoice scams. The growing adoption of the Single Euro Payments Area (SEPA), intended to streamline cross-border Euro payments, has inadvertently provided fertile ground for these attacks, where standardised transaction formats make it easier for attackers to create convincing fake invoices. 

SEPA's ability to facilitate faster and cheaper cross-border transactions increases the volume of transactions, offering more opportunities for invoice fraud. 

The recent surge in BEC attacks over the last year is also likely accelerated by adversaries exploiting generative AI (GenAI). GenAI has significantly lowered the barrier to launch social engineering attacks – thanks to tools like ChatGPT, threat actors can now quickly and easily craft highly sophisticated and targeted emails, without the typos and grammatical errors that used to be synonymous with BEC and phishing emails. 
 
With the average user already receiving over 120 emails per day, identifying malicious emails was already a challenge, and it’s even more so now that  attacks are increasingly appearing as authentic. 

The Challenge In Detecting BEC Attacks

Secure email gateways (SEGs) have traditionally been the standard for preventing email attacks. And while these solutions worked well several years ago when classic phishing emails were mainstream, they have struggled to keep up in the age of social engineering. This is because they rely on detecting known indicators of compromise, like known malicious links and blacklisted IP addresses. But threat actors have learned how to bypass these tools. By sending text-based social engineering attacks that target human behaviour rather than using malicious payloads, they can become invisible to conventional SEG detection methods.

Companies that are still relying on traditional tools geared for malicious attachments and links are leaving their employees vulnerable to the growing wave of sophisticated BEC attacks. There is an urgent need to rethink email defences around the more subtle signs of social engineering.

Embracing AI For Next-Generation Cyber Defence 

As attackers continue to evolve their tactics, it’s crucial to educate employees on the methods that cyber criminals use to deceive targets – understanding how to spot suspicious links, urgent requests for payment, and spoofed email addresses will be key. However, with email attacks becoming more advanced and getting even harder to distinguish from legitimate email, security awareness training can only go so far. The most effective defence is to prevent these attacks from reaching employees in the first place. 

AI-powered solutions are a powerful advantage here. Using machine learning and AI, security teams can establish a baseline of normal user behaviour within the email environment – based on characteristics like users’ common text patterns, tone, content, and log in or device activity – to detect deviations indicating suspicious activity. Leveraging defensive AI enables organisations to thwart even the most sophisticated phishing and social engineering attacks that slip past human and SEG detection, ensuring that threats are neutralised before they reach the end users. 

As the sophistication and frequency of phishing attacks continue to rise, driven by advances in GenAI and geopolitical factors, organisations must move beyond traditional security measures to detect and block suspicious activities before they reach employees. 

Companies must continue to exercise vigilance while also adopting modern proactive measures, including advanced AI-driven solutions, to safeguard sensitive information and maintain operational integrity in the face of evolving cyber threats.

Mike Britton is CISO at Abnormal

Image: Unsplash

You Might Also Read: 

What Is Email Spoofing & How to Protect Your Organization:

DIRECTORY OF SUPPLIERS - Email Security:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Large-Scale IT Outage Causing International Disruption
MediSecure Hack - Half The Australian Population Affected »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Becrypt

Becrypt

Becrypt is a trusted provider of endpoint cybersecurity software solutions. We help the most security conscious organisations to protect their customer, employee and intellectual property data.

Teradata

Teradata

Teradata is a leading provider of enterprise big data analytics and services. Applications include Cyber Security Analytics.

INSUREtrust

INSUREtrust

INSUREtrust is a pioneer in the industry, inventing the concept of cyber insurance.

Rockwell Automation

Rockwell Automation

Rockwell Automation offer industrial security solutions to protect the integrity and availability of your complex automation solutions.

CIRT.GY

CIRT.GY

CIRT-GY is the national Computer Incident Response Team for Guyana.

CANVAS Consortium

CANVAS Consortium

The CANVAS Consortium aims to unify technology developers with legal and ethical scholar and social scientists to approach the challenges of cybersecurity.

Nouveau

Nouveau

Nouveau Solutions is a specialist IT managed services company with a strategic focus on delivering cloud, infrastructure, compliance, network and security solutions.

Centurion Information Security

Centurion Information Security

Centurion Information Security is a consulting firm based in Singapore that specialises in penetration testing and security assessment services.

Industrial Internet Consortium (IIC)

Industrial Internet Consortium (IIC)

The Industrial Internet Consortium is the world's leading organization transforming business and society by accelerating the Industrial Internet of Things (IIoT).

DatChat

DatChat

DatChat Inc. is a blockchain, cybersecurity, and social media company that focuses on protecting privacy on our devices and also protecting our information after we have shared it with others.

BATM Advanced Communications

BATM Advanced Communications

BATM Advanced Communications is a leading provider of real-time technologies for networking and cyber security solutions.

Cyber Protection Group (CPG)

Cyber Protection Group (CPG)

Cyber protection Group specialize in Penetration Testing. We work with enterprise level companies as well as small to medium sized businesses.

Dotsquares

Dotsquares

Dotsquares leverage the latest web and mobile technologies to build, grow and support your business.

Telenor Cyberdefence

Telenor Cyberdefence

Telenor Cyberdefence is a newly established (2024) cloud-born Managed Security Service Provider focused on the Nordic markets.

BlackSignal Technologies

BlackSignal Technologies

BlackSignal Technologies provides cybersecurity, digital signal processing and electronic warfare products to help DOD and IC agency customers counter near-peer threats and security challenges.

EyBrids

EyBrids

As a forward-thinking cybersecurity consulting firm, we believe that robust security is the foundation for innovation and growth in today’s digital landscape.