Business email compromise: new guidance to protect your organisation


Business email compromise (BEC) occurs when cybercriminals infiltrate a work email account with the aim of duping individuals into transferring funds or divulging sensitive data. Typically, BEC attacks target senior staff or those with authority over financial transactions.

Regrettably, BEC attacks, a subset of phishing attacks, are becoming increasingly prevalent. According to a recent government report on cyber threats, 84% of businesses and 83% of charities experienced a phishing attack in 2023 alone.

On a positive note, the National Cyber Security Centre (NCSC) has released new guidance on BEC, offering practical steps to help organisations, particularly smaller ones lacking resources or expertise, mitigate the risk of falling victim to such attacks.

Detecting BEC attacks can be challenging, as cybercriminals employ sophisticated tactics to manipulate victims into acting quickly. Our guidance outlines strategies such as reducing digital footprints, enhancing staff awareness of phishing emails, implementing the principle of ‘least privilege’, and enabling two-step verification to bolster defences against BEC attacks. Additionally, we provide guidance on actions to take if you suspect your email account has been compromised or if you’ve unwittingly made a fraudulent payment.

While following our guidance can reduce the likelihood of BEC attacks, it’s important to recognise that no organisation is immune to cyber threats. We advise planning for potential compromises and honing response capabilities through practice exercises, such as those provided by NCSC’s Exercise in a Box, to address threats effectively in a controlled environment.

Source: ncsc.gov.uk