Business Email Compromise attacks warning from BSI

BSI Cybersecurity and Information Resilience are advising organizations to remain vigilant and alert to Business Email Compromise (BEC) attacks during the summer months. As annual leave season peaks, attackers are increasing their frequency of attacks tricking employees to open unsafe emails. Most commonly a BEC attack involves an attacker, who is pretending to be a trusted contact, tricking a targeted individual into giving away credentials (username and password). It can include transferring payments or funds through password reset requests, social media account changes or updates or simply a “colleague” asking the targeted individual to “login” and approve a payment.

A recent report highlighted that nearly 60 per cent of organizations saw attempts that imitated more than five identities within the company. Very Attacked People (VAPs) were also highlighted as being those in the following roles: Executive; Upper Management; Management; as well as individual contributors.

Richard Lambe, Senior Security Awareness Consultant at BSI, explains: “BEC attacks continue to be prevalent and are on the increase. Attackers are getting information through social engineering which includes making phone calls, accessing social media and the internet for data to collate plausible profiles.

This research can reveal who is on annual leave allowing attackers to develop a more targeted impersonation to generate believable emails. The cybercriminals can build a rapport with recipients to gain their trust by impersonating a trusted company supplier, boss or colleague. The recipient of the email will assume the attacker is who they are impersonating and will typically process a request without hesitation. Often by the time they realise it’s not a legitimate request, it will be too late.”

“Unmanaged digital risks can have a direct impact on business operations including loss of productivity, financial loss and personnel risk. A crucial step for management is to work closely with their security team to understand the threats and set up awareness training for all staff. According to Gardaí, invoice redirect fraud has caused losses in excess of €4.4 million to date this year and globally BEC incidents are reported to result in $12.5 billion losses. It’s vital that employers are aware of the prevalence of BEC attacks and educate employees on how to spot a malicious email. If in doubt, verify the origination of the email and contact the email sender, via other means, to corroborate the request,” concludes Richard.

BSI provides a range of solutions to help organizations address their information challenges covering cybersecurity, information management and privacy, security awareness, compliance and testing. For more information visit bsigroup.com/cyber-ie.