EXPERT OPINION
Facing down the BEC threat: Why it’s time for CISOs to get smarter
Andy Baldin, VP EMEA – Ivanti, focuses on how best to defend against business email compromise as malicious actors learn to skirt traditional cybersecurity defences and make their messages increasingly convincing.
Research shows that Business Email Compromise (BEC) is still a critical threat to businesses around the globe – in fact Verizon’s 2019 Data Breach Investigations Report (DBIR) highlighted that executives are six times more likely to be a target of a social engineering attack in comparison to the previous year and C-level executives are 12 times more likely to be targeted.
For these types of attacks, cybercriminals use social engineering tactics, often in combination with specific and sensitive information gathered via malware and hacking campaigns, to successfully impersonate a high-level employee or third-party partner.
www.intelligentciso.com | Issue 15

[Photo caption: Andy Baldin, VP EMEA – Ivanti]
Also known as CEO fraud, whaling, email spoofing and a host of other monikers, BEC is clearly emerging as a major enterprise cyber-risk.
Verizon’s report also found BEC attacks accounted for 370 incidents or 248 confirmed breaches of the incidents analysed, and other industry research states that it cost global organisations nearly US$1.3 billion (£1 billion) last year.
The bad news is that the fraudsters behind it are continuing to innovate and scale their operations to maximise ROI. A combination of people, process and technology is the best response.
What is BEC?
BEC is, in essence, a very modern version of an age-old confidence trick. Most commonly, a malicious third party poses as a senior executive, CFO or CEO and tries to trick a member of the finance team into making a large fund transfer to a third-party bank account under their control.
On paper these emails should be easy to spot. But the anonymity of the Internet and the reality of day-to-day operations inside many companies allow the scammer to improve their chances of success.
Classic social engineering techniques help to create a sense of urgency, the idea being to force the recipient into carrying out instructions without thinking too much about the repercussions.
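The signals described above (an executive's name on a message that does not come from the executive's real mailbox, a lookalike sending domain, a Reply-To that diverts the conversation elsewhere, and urgent payment language) can be turned into a simple mail-triage heuristic that a security team can run against inbound messages before they reach the finance inbox. The following example is added here to illustrate that; it is not code from the article or from Ivanti. The company domain, the executive directory, the keyword list and the two sample messages are all constructed for the example.

```python
"""Heuristic triage of inbound mail for executive-impersonation (BEC) signals.

Added example, not part of the original article. The organisation domain,
the executive directory, the keyword list and both sample messages are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the senior staff whose names
# are most likely to be impersonated, mapped to their genuine addresses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Constructed: words that, in combination, signal the "act now, tell no one"
# pressure typical of a BEC lure. Two or more distinct hits raise a finding.
URGENCY_TERMS = ("urgent", "immediately", "right away", "confidential",
                 "wire", "transfer", "payment")


def edit_distance(a, b):
    """Levenshtein distance; used to catch lookalike domains such as one
    character swapped or inserted relative to the real company domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Parse an RFC 822 message and return a list of BEC indicators found."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Executive's name on the message, but not sent from their real mailbox.
    key = display_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{display_name}' but sender is {from_addr}")

    # 2. Sending domain is a near miss for the company domain (lookalike).
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sending domain {from_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain")

    # 4. Urgent payment language in subject or body.
    text = (msg.get("Subject", "") + " " + (msg.get_payload() if not msg.is_multipart() else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(hits))

    return {"score": len(findings), "findings": findings}


# Constructed sample: an impersonation attempt aimed at the finance team.
SAMPLE_BEC = """From: "Jane Doe" <ceo.office@examp1e.com>
Reply-To: jane.doe@gmail.com
To: accounts@example.com
Subject: Urgent wire transfer

Hi, I need a payment of 48,000 sent immediately to a new supplier.
Keep this confidential until I am back in the office. Jane
"""

# Constructed sample: a genuine internal message from the same executive.
SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Board deck

Can you send me the Q3 numbers for the board deck by Friday? Thanks, Jane
"""

if __name__ == "__main__":
    for label, sample in (("BEC sample", SAMPLE_BEC), ("legit sample", SAMPLE_LEGIT)):
        result = triage(sample)
        print(f"{label}: score={result['score']}")
        for f in result["findings"]:
            print("  -", f)
```

The score is deliberately additive rather than a single rule, because each signal on its own produces false positives (executives do occasionally mail from personal accounts, and finance genuinely handles urgent payments); a message that trips several at once is the one worth holding for a second-channel check with the supposed sender.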
There are several variations on this theme. Some send emails spoofed not from the C-level but instead from foreign suppliers with fraudulent