The FBI's Internet Crime Complaint Center (IC3) reports that from October 2013 to May 2018 over $12.5 billion was lost to BEC (business email compromise) attacks, carried out through scams, phishing, or a combination of social engineering techniques. Companies have responded by training their employees to raise security awareness.
Christopher Hadnagy of Social-Engineer LLC offers a few tips on how to respond to such attacks:
1. Don't assume that everyone knows what BEC is!
Many users don't know the difference between phishing and more targeted spear phishing, and many don't know that vishing is the voice version of a BEC. There are also combination attacks where the bad guys will follow up an email with a phone call pressuring an employee to make a wire transfer. Organizations must educate users so they are aware of the threat and understand the different types of attacks.
2. Let your employees know that it is safe to report a BEC to someone.
Employees shouldn't be worried about losing their jobs or getting into trouble with law enforcement if they are the victim of a BEC scam. Create an open environment where it's clear to whom and where to report an incident, and reward positive outcomes. While a financial reward can work for an employee who identifies and stops a social engineering attack that saves the company thousands of dollars, public recognition in a company-wide email or an open company meeting can also be effective and appropriate. Those who fall for BEC several times, however, should face consequences.
3. BEC prevention is a long-term investment.
Companies need to make a long-term investment in training, because it's not possible to simply write a check for a new piece of technology and call the problem fixed. Results take several months, even years, of consistent training. Merely offering training videos or reading material isn't sufficient: employees should expect monthly or quarterly phishing and vishing tests, and organizations should keep metrics on how employees perform on those tests every few months.
Some companies reach the point within one to three years where 70% of their users are reporting BECs and only 10% actually click on phishing emails. Getting there takes time, both in training and in corporate culture: very often, when a testing program first starts, users click on the emails up to 70% of the time. It is also important to identify the employees who fail most often and give them additional training, as well as newcomers to the organization.
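The metrics this tip calls for can be kept with a few lines of code. The following is an added example (not from the article or from Social-Engineer LLC) that scores constructed phishing-test results against the 70% report / 10% click targets quoted above, flags repeat clickers for extra training, and picks out newcomers hired shortly before a test; the field names, campaign labels and the 90-day newcomer window are assumptions.

```python
"""Phishing-simulation metrics for an awareness program (added example)."""
from collections import defaultdict
from datetime import date

# Constructed sample data: one row per user per test campaign.
# (campaign, user, hire_date, clicked_link, reported_to_security)
RESULTS = [
    ("2018-Q1", "alice", date(2016, 3, 1), True, False),
    ("2018-Q1", "bob", date(2017, 5, 15), True, False),
    ("2018-Q1", "carol", date(2015, 6, 1), False, True),
    ("2018-Q1", "dave", date(2018, 1, 10), True, False),
    ("2018-Q2", "alice", date(2016, 3, 1), False, True),
    ("2018-Q2", "bob", date(2017, 5, 15), True, False),
    ("2018-Q2", "carol", date(2015, 6, 1), False, True),
    ("2018-Q2", "dave", date(2018, 1, 10), False, True),
    ("2018-Q2", "erin", date(2018, 5, 20), True, False),
]
CAMPAIGN_DATES = {"2018-Q1": date(2018, 2, 1), "2018-Q2": date(2018, 6, 1)}
TARGET_REPORT_RATE = 0.70  # mature-program figures quoted in the article
TARGET_CLICK_RATE = 0.10

def campaign_rates(results):
    """Return {campaign: (click_rate, report_rate, meets_targets)}."""
    per = defaultdict(lambda: [0, 0, 0])  # [users, clicked, reported]
    for campaign, _user, _hired, clicked, reported in results:
        counts = per[campaign]
        counts[0] += 1
        counts[1] += clicked
        counts[2] += reported
    out = {}
    for campaign, (n, c, r) in per.items():
        click_rate, report_rate = round(c / n, 3), round(r / n, 3)
        meets = click_rate <= TARGET_CLICK_RATE and report_rate >= TARGET_REPORT_RATE
        out[campaign] = (click_rate, report_rate, meets)
    return out

def repeat_clickers(results, min_failures=2):
    """Users who clicked in at least `min_failures` campaigns: extra training."""
    fails = defaultdict(set)
    for campaign, user, _hired, clicked, _reported in results:
        if clicked:
            fails[user].add(campaign)
    return sorted(u for u, c in fails.items() if len(c) >= min_failures)

def newcomers(results, campaign_dates, days=90):
    """Users hired within `days` before a campaign: onboarding training cohort."""
    out = defaultdict(set)
    for campaign, user, hired, _clicked, _reported in results:
        if 0 <= (campaign_dates[campaign] - hired).days <= days:
            out[campaign].add(user)
    return {campaign: sorted(users) for campaign, users in out.items()}
```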
4. Define security procedures and policies
Andy Norton, director of threat intelligence at Lastline, says that when new employees start with the company, their onboarding training should include security awareness that explains the nature of social engineering threats and how employees should respond. Companies should also establish clear guidelines for how and when a funds transfer can actually happen.
Teach users to avoid getting rushed into responding to BEC messages: threat actors often create a sense of urgency that flusters the victim and can hurry him or her into falling for the scam, he notes.
Predefined and specific communications policies are key as well, according to Adams of Mimecast. Users should be clear on whom to call in the event of a BEC attack, whether a specific IT person or the company help desk, for example. If a large sum of money has been lost, the finance department should be contacted, and it should be clear who is designated to call law enforcement.
5. Know when and where technology can help you
While there's no quick security-tool fix for BECs, there are situations where technology can be useful in detecting them. Behavioral analysis tools, for example, can analyze incoming attachments and URLs for malware in emails that carry malicious payloads, often intended to steal user credentials.
Mimecast's Adams adds that companies often have multiple security tools but don't take advantage of all the features already available to them. For example, they may have email security set up but have not enabled or tuned its anti-phishing settings. Before buying yet another tool, check whether features in existing products can help the security team block suspicious emails. Adams says companies can also use technology to develop training modules, videos, phishing tests, and follow-up reports.
6. Look to crime insurance policies that will cover your losses
Several insurance companies won't cover a claim if the victim was tricked into sending a fraudulent wire transfer, Norton warns. If the insurer doesn't automatically cover BEC, work with an attorney to add a clause that covers your organization in the event of a BEC.
The National Law Review recently recommended that companies look to crime insurance policies to cover losses from a BEC. Many of these policies cover losses from computer fraud or funds transfer fraud. Security experts recommend asking your attorney and insurance broker about these kinds of plans.