Guidance Released to Help Organisations Protect Against BEC Scams

Business email compromise (BEC) scams—a type of phishing attack—are a growing concern for organisations across sectors. In fact, according to recent government data, 84% of businesses and 83% of charities suffered a phishing attack in 2023. The National Cyber Security Centre (NCSC) has recently published new guidance on BEC, including practical steps to help organisations reduce the likelihood of falling victim.

What Is BEC?

BEC is a phishing attack where a cyber-criminal impersonates a legitimate source to trick employees into transferring money, divulging confidential data or engaging in other compromising activities. The perpetrators of BEC attacks typically send emails that appear to be legitimate, asking for business-related payments. These cyber-criminals may pose as high-ranking employees, suppliers, vendors, business associates or other entities.

Unlike conventional phishing attacks, which often target large groups, BEC attacks are tailored to entice specific individuals, making them more challenging to identify and potentially more destructive.

The NCSC’s Guidance Explained

The NCSC’s new guidance recommends organisations take the following steps to thwart cyber-criminals and mitigate the risks of BEC scams:

  • Increase staff awareness. Employees are the first line of defence against cyber-attacks. Organisations should provide robust training to help staff spot phishing emails and report them swiftly.
  • Implement multifactor authentication (MFA). Organisations should enable MFA, a multi-step login process, on all online accounts so that knowing a password is insufficient for threat actors to gain entry.
  • Apply the “least privilege” principle. Organisations should only provide employees with access to the systems, networks and data they need to do their jobs and nothing more. For example, only a few select employees should be allowed to authorise payments.
  • Review digital footprint. Threat actors can leverage information from social media accounts to craft targeted BEC scams. Staff, especially senior executives, should review their online account privacy settings and consider ways to reduce their digital footprint.

The NCSC’s guidance is particularly pertinent for smaller businesses, which may lack the resources to implement the NCSC’s existing guidance on phishing attacks.

Conclusion

Government data reported that phishing attacks—including BEC scams—now impact a majority of businesses. Therefore, organisations should review their cyber-hygiene measures and cyber-insurance cover to ensure ample protection.

Visit the NCSC website to view their guidance in full.

Talk to one of our experts today for additional cyber-security resources and insurance solutions.


Contains public sector information published by GOV.UK and licensed under the Open Government Licence v3.0.

The content of this publication is of general interest and is not intended to apply to specific circumstances or jurisdiction. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice from their own legal counsel. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2024 Zywave, Inc. All rights reserved.
