Modern BEC phishing: billions of dollars stolen 

Modern phishing: billions of dollars stolen


Business email compromise (BEC) is big business for cybercriminals. According to the 2021 FBI Cybercrime Study, BEC phishing was responsible for nearly $2.4 billion in losses in 2021.

BEC is basically a type of phishing attack. Lookout examines how modern phishing has evolved beyond email. With the proliferation of smartphones and tablets, attackers now also use other platforms such as text messages, messaging apps like Signal and WhatsApp, and social media apps to attack and compromise their targets. Given the countless SaaS applications employees use every day, a single successful phishing attack could impact the entire organization. The cloud has made productivity easier, but it has also increased the impact of phishing.

What is Business Email Compromise, BEC?

In traditional BEC attacks, the attacker buys or collects contact lists containing the names, email addresses, and phone numbers of CFOs, finance teams, and vendors. A targeted message is then sent that impersonates a senior executive (usually the CEO) and contains an urgent payment request, for example one that has to be made for a time-critical project. Attackers often send out tens of thousands of phishing messages a year, and if just one person takes the bait, it can result in huge losses for a company.

However, BEC has developed far beyond these classic parameters. As the attacks become more popular, organizations need to evolve their defenses. As with any phishing attack, awareness and education are the first step in prevention, but certainly not the only one.

Think beyond email to prevent phishing risks

Mobile devices pose a greater challenge for phishing targets, as cybersecurity training often does not address mobile devices. Phishing training courses typically ask users to look for indicators that can only be seen on a desktop computer. Unfortunately, many mobile email apps do not display the sender's email address and limit the ability to preview hyperlinks to potentially fake websites.

Compounding the problem, businesses rely on mobile communications at all times of the day, especially now that most users are working remotely. Executives communicating with their teams via mobile email or messaging apps expect immediate attention, which makes employees more likely to fall for phishing scams.

There are also more channels through which attackers can spread their scams on mobile devices. Many users don't expect phishing links to be delivered through platforms like SMS messaging, Facebook Messenger, WhatsApp, or Signal, but it's becoming increasingly common. The FBI even issued a public notice that attackers are now using virtual meeting platforms to conduct BEC scams.

Modern phishing is the gateway into companies

Not only are mobile devices much easier targets for phishing, but they also have just as much access to the applications and data that businesses care about. Because users can work from anywhere on a smartphone or tablet, they increasingly rely on these devices. Any mistake they make on these devices, even if the devices are managed by the IT department, poses risks that can ultimately compromise the infrastructure.

In Lookout's experience, there is no one-size-fits-all approach to preventing BEC and phishing, but a good place to start is by recognizing that phishing attacks are not limited to email. Any strategy that focuses only on email overlooks the methods used to attack mobile users. Prevention also requires a unified platform approach that secures all endpoints, including mobile devices, against web-based threats.

More at Lookout.com

 


About Lookout

Lookout co-founders John Hering, Kevin Mahaffey, and James Burgess came together in 2007 with the goal of protecting people from the security and privacy risks posed by an increasingly connected world. Even before smartphones were in everyone's pocket, they realized that mobility would have a profound impact on the way we work and live.


 
