Your company needs a BEC policy and five other email security trends

Hardly a week goes by without news of another email-based attack via phishing or Business Email Compromise (BEC) scam. These types of attacks can cause a great deal of damage to infrastructure and an organization’s image, whether it is a large enterprise, a small-medium business (SMB) or even much smaller retailers. The FBI (Federal Bureau of Investigation) reports that the average financial loss per BEC attack is $125,000 and last year estimated the Business Email fraud industry to be valued at a whopping $50 billion.

These attacks are increasingly creative, and typically involve impersonation of someone such as the head of an organization or finance. If someone responds on behalf of the executive, they could unknowingly give away the keys to the kingdom, causing significant losses. With that in mind, let’s review some of the larger email security trends.

• BEC policies are becoming more common: BecauseBEC attacks are a significant problem it is being increasingly recommended that companies enact appropriate policies. These should include topics such as incident response, payment information rules, limiting knowledge of critical operational information and regular security training. Details regarding payment, names of top executives and contact information are especially important, since it is often the case attackers use phishing and social engineering tactics to make an email recipient -- such as an executive assistant - believe they are a reputable company contact but suddenly request a change in payment.
• A shift from government targets to SMBs: Some campaigns are moving away from their focus on U.S. entities – especially the federal government – and shifting to focus on business. One example is TA4903, a campaign that email security firm Proofpoint has been tracking for several years. Proofpoint describes TA4903 as “a persistent, financially motivated threat actor that generally targets organizations in the U.S. with high-volume email campaigns.” While the campaign initially spoofed several U.S. government departments, including the Departments of Transportation, Agriculture and Small Business Administration, Proofpoint has observed a shift to small and medium business in industries including construction, manufacturing, energy, finance, food and beverage, among others. However (and separate from the TA4903 campaign) two other industries stand out when it comes to BEC attacks: healthcare and real estate. : healthcare and real estate.
• Healthcare and real estate need to pay close attention: As it relates to email-specific attacks, the healthcare industry took it on the chin in 2023. According to another Abnormal Security report, this one from September 26, 2023, healthcare experienced a167 percent increase in BEC attacks since the beginning of that year. Another industry that is often a target of bad actors conducting BEC scams is real estate. In February 2023 Europol dismantled a cyber gang connected to a $40 million BEC scam that targeted a Parisian real estate developer. The company was defrauded of nearly 38 million euros (over $40 million).
• Email-based attacks against Europe are increasing A June 2023 report from Abnormal Security says that in the US, there were an average of 482 attacks per 1,000 mailboxes in June 2022, but the number jumped to 2,553 attacks by May of 2023 -- a fivefold increase. But when looking at the impacts of BEC attacks in Europe, incidents increased sevenfold during the same period—from an average of 392 attacks per 1,000 mailboxes in June 2023 to 2,842 attacks, the first time Europe suffered more than the US.
• AI is being used to both destroy and protect: We hear a lot about the potential for massive progress with the onset of Artificial Intelligence, but also a great deal about its dangers. While cybercriminals are already employing AI-based email tools in their hacks to help avoid problems like spelling mistakes to make emails appear legitimate, there are ways that AI can also help prevent an attack. For example, AI tools such as ChatGPT can be utilized to detect fraudulent emails while other machine learning tools can also identify unusual behavior in email communications -- which could help to identify a BEC campaign early on and stop it in its tracks.
• Industry policies on email are shifting: Recently Google and Yahoo set new policies that had a major impact on email marketers worldwide when both email providers began to block emails from companies not adhering to the widely used email protection protocol, Domain-based Message Authentication Reporting and Conformance (DMARC). Based on a CA/Browser guidelines there are  more changes coming specifically regarding the use of Certificate Authority Authorization (CAA). This will become necessary for certificate authorities, where a check must be performed before we will be able to issue S/MIME Certificates against your domain. The goal is to ensure that a CA is authorized to issue certificates against public domains. Implementing CAAs will add another layer of security to your Domain Name System (DNS), which in turn, improves the security of both domains and sub domains, and all emails originating from those domains.  Be sure to stay on top of these potential changes so your organization is protected.

Progress in the fight against BEC attacks

While it is slow going, authorities are gradually making more arrests in cases of email fraud.

On May 21, a US resident was sentenced by the US Department of Justice to 10 years in prison for laundering more than $4.5 million resulting from a BEC scheme. The man, Malachi Mullings, was sentenced for crimes which included defrauding a health care benefit program and running a romance fraud scheme. The 31-year-old opened 20 bank accounts to launder millions of dollars in fraud proceeds. Also, in March a Nigerian national pleaded guilty in a U.S. court for his role in a business email compromise fraud scheme that caused roughly $200,000 in losses.

Despite the progress being made in the fight against email-based cyber-attacks, it is crucial for all companies to guard their email carefully and stay secure. In addition to closely following industry groups like the CA/Browser Forum, instituting your own BEC policy, and keeping critical company data “close to the vest,” also consider using Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates. These provide additional protection for point-to-point message encryption, provide verification, facilitate non- repudiation of origin, and help in maintaining data integrity

By taking these steps your company, executives, employees, board members, investors – and your customers -- will be thankful you did.

Image credit: denismagilov/depositphotos.com

Ashish Dhiman is Product Manager, GMO GlobalSign.