Business email compromise training is wise given cyber risk

Microsoft report warns of accelerating cybercriminal activity and highlights merits of business email compromise training as threats ramp up.
22 May 2023

Shifting tactics: business email compromise attacks are becoming more sophisticated, emphasizing the need for firms to invest in training to raise cyber risk awareness. Image credit: Shutterstock Generate.

• Biggest security risks can start with email
• Microsoft reports accelerating cybercriminal activity
• Business email compromise training helps firms

Making staff aware of cybersecurity threats is a constant challenge for firms. Lessons fade and bad actors are always sharpening their skills, which is why companies need to take a continuous approach to educating their employees. And the consequences for organizations that ignore the risks could be severe. One of the biggest threats remains so-called business email compromise attacks, and Microsoft – writing in its latest Cyber Signals threat intelligence briefing – warns of accelerating cybercriminal activity in this area. But firms can take steps to defend themselves, which includes business email compromise training to help employees spot the warning signs.

What is a business email compromise attack?

Business email compromise attacks can take a variety of forms, such as an instruction to make an urgent payment, update a supplier’s bank details, provide security credentials, or send other sensitive information. But they share a common theme – impersonation. Bad actors will attempt to pose as senior executives, familiar customers, IT support members or other trusted sources, and trick employees into performing actions damaging to the business.

Helping adversaries is the vast amount of detailed information that’s become available on the web and across social media to enable sophisticated social engineering. Once a target has been identified, bad actors can be extremely tenacious and resourceful and will use a variety of techniques to ratchet up the urgency and credibility of their requests.

Mimecast’s State of Email Security 2023 report, which collates insights from 1700 CISOs and other IT professionals, notes that 97% of respondents have been targeted by email-based phishing attacks. And Microsoft’s Cyber Signals briefing further highlights the scale of the issue, with snapshot data showing 156,000 business email compromise attempts detected daily. What’s more, threat intelligence points to attackers becoming more sophisticated in their approaches, either directly or through cybercrime-as-a-service (CaaS) providers.

38% business email fraud increase

CaaS platforms make it possible for bad actors to mount malicious email campaigns on an industrial scale, as noted by Microsoft security researchers and others. Adding to the risk is the trend for end-to-end business email compromise services to include IP information on potential victims, which helps attackers to bypass detection flags such as impossible travel.

Tasks carried out by a single account from two different locations that would be impossible for a user to travel between based on the timing of the requests will likely trigger a security flag. But having IP details on their victims helps bad actors remain under the radar. “Armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent impossible travel flags, and open a gateway to conduct further attacks,” write Microsoft security researchers in their May 2023 Cyber Signals briefing.
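The impossible travel check described above can be sketched as a speed test over consecutive sign-ins for one account. This is an added example, not code from Microsoft or the original article; the 900 km/h ceiling, the account names and the sign-in events are constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed

# Constructed sign-in events: (account, ISO timestamp, latitude, longitude, label)
SIGNINS = [
    ("finance@example.com", "2023-05-22T09:00:00", 51.5074, -0.1278, "London"),
    ("finance@example.com", "2023-05-22T09:40:00", 40.7128, -74.0060, "New York"),
    ("hr@example.com", "2023-05-22T09:00:00", 51.5074, -0.1278, "London"),
    ("hr@example.com", "2023-05-22T09:40:00", 51.4545, -2.5879, "Bristol"),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins per account whose implied speed exceeds max_kmh.

    Returns a list of (account, from_label, to_label, implied_kmh)."""
    last = {}
    flags = []
    for account, ts, lat, lon, label in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if account in last:
            p_when, p_lat, p_lon, p_label = last[account]
            hours = (when - p_when).total_seconds() / 3600
            km = haversine_km(p_lat, p_lon, lat, lon)
            # Same timestamp from two different places counts as infinite speed
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                flags.append((account, p_label, label, round(kmh)))
        last[account] = (when, lat, lon, label)
    return flags

if __name__ == "__main__":
    for flag in impossible_travel(SIGNINS):
        print("impossible travel:", flag)
```

Only the London to New York pair is flagged. The second account's sign-in from an address in the same region as the user stays under the threshold, which is the gap the Microsoft researchers describe.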

But just because the sophistication of attacks is on the rise doesn’t mean that organizations need to fall victim to the latest adversary tactics. A combination of business email compromise training deployed at the most memorable moments together with good operational processes will stand firms in good stead. For example, deploying two-person controls and utilizing multi-factor authentication features will help to build a safety net. Even if one employee is fooled, bad actors can still be blocked from carrying out a successful attack.

The rise of business email compromise attacks highlights why cybersecurity has to be considered right across an organization and not just put on the shoulders of IT. Everyone in the company needs to be vigilant, including human resource managers, finance employees, and other staff with access to sensitive business information. Attackers are targeting not just banking and payment details, but also intellectual property.

DMARC defense

Another security defense is the use of email validation tools such as Domain-based Message Authentication, Reporting and Conformance (DMARC), which can warn if an email is being spoofed. As mentioned, business email compromise attackers will look to impersonate a victim’s colleagues and senior management, and organizations that have DMARC protocols in place make such deception harder for adversaries to engineer.

DMARC mitigates email phishing through two separate validation checks – Mimecast likens the process to checking a delivery van’s license plate as well as the driver’s ID, to determine that a package is being couriered by the expected source. But despite high levels of interest in using DMARC – Mimecast’s State of Email Security 2023 report suggests that 80% of respondents are keen to use the method to thwart email spoofing – the number of firms that have deployed systems remains low.

Upskilling staff with business email compromise training is a wise move, given the cybersecurity risks facing organizations. Hoxhunt, which boosts employee awareness through regular micro-trainings that can be set to run 1-3 times per month, reminds customers that the biggest security risks can start with email. And they are not alone. “Today’s cyber threats rely on human interaction, not just technical exploits,” comments Sara Pan – Senior Product Manager at Proofpoint, another firm emphasizing that business email compromise is an essential security awareness training topic.