Go back two decades and business email compromise (BEC) was a major threat to business security. Despite the advances of technology and cybersecurity, BEC is still as big of a threat as ever. However, it doesn’t need to be the case. There are solutions out there that can not only protect firms from malicious emails but prevent them ever getting into the inbox.
BEC is a form of phishing where a criminal attempts to trick an employee into clicking a link that would download harmful viruses or get the employee to transfer funds under the guise of a fake invoice. What makes BEC such a major treat is that it can come in a variety of shapes and sizes.
Often the criminal will impersonate a brand, or they might leverage a compromised email address, such as that of a senior member of staff, to make the targeted user trust the contents of the email. The method of the attack can also differ, making it easier for an employee to slip up. For example, an email might leverage link manipulation where the user is taken to a fake website that looks similar to the intended destination, or they could leverage clone phishing, which is where the attacker has intercepted an email and changed the contents within. Other attacks include text-in-picture, whaling, spear phishing and social engineering. The scale of BEC shows how dangerous it is and how easy it is for employees to slip up.
Deryck Mitchelson – chief information security officer at cybersecurity giant Check Point – finds it incredulous that BEC is still the number one threat in 2023. So why is BEC still such a major issue? Mitchelson attributes it to several contributing factors. The first is that a lot of organisations have moved from on-premises solutions to cloud service providers. This has caused a bit of confusion of how well protected firms think they are. A lot of these service providers offer add-on tiers for things like compliance and additional security, but that doesn’t mean a firm is fully protected.
Firms still need to have the same checks and balances to ensure everything is secure. Mitchelson added that firms should also speak to a third-party provider, like Check Point, who can work with cloud service providers and ensure a firm is actually protected from the BEC threats.
The second reason BEC attacks are still so prevalent in the world is because they are just so easy. While it is estimated that a BEC attack costs businesses an average of $5m, criminals can run these types of attacks relatively cheaply. Making these types even more attractive for criminals is that they can be run without any real technical capability. There are even free software tools that let users build a landing page that looks like Salesforce, Microsoft 365 or other websites. Mitchelson explained that there are some great templates available online and even tools like Chat GPT can help a criminal easily build a campaign that looks legitimate.
“You can ask Chat GPT to write me an email, as if I was the CEO of a company. It will actually write emails like a leader would, rather than like a hacker would. It’s where we are now with technology advances and the threats that we’re actually seeing, which is making the situation much worse.” Making the attacks even more attractive is the high returns they can offer. A criminal just needs one person to slip up and transfer thousands of dollars.
Mitchelson added, “It’s the easiest of all the cyber threats to enact upon. And it can be so realistic. When somebody gets into an email account, they’re easily impersonating that user.”
Not measuring the risk
Mitchelson explained that there is a bit of complacency within the cybersecurity initiatives of companies. This is not from a lack of trying to implement solutions and reduce risks, instead it is from measuring the success of the tools they are using. He said, “So they’re doing some due diligence and then there’s a leap of faith to say, great, so this is what we’re going to do.” Many firms just implement the tool and think they’re protected, when they might not be.
A lot of companies complain about phishing attacks getting through, but they don’t even know how many they prevent getting into inboxes or whether the solutions they use even work. Greater transparency of security metrics is needed. Security teams need to know how many phishing emails they get, how many get past defences, how many links are clicked, which domains are accessed and how often employees enter credentials on fake pages, Mitchelson said. By understanding this, security teams can make more informed decisions about their level of threat and their investments into defence. They can then find solutions that are plug the gaps and stop those phishing emails getting into inboxes.
“They’ve got better things to do than spending the time looking at emails, quarantining them and releasing emails. There are much more strategic things that they should be focusing on, but they’re getting bogged down by email.”
A recurring theme Mitchelson sees when talking to people that have experienced a successful BEC attack, is the acknowledgment that they could have done more to prevent it. He added that the narrative needs to change so firms aren’t looking back in hindsight of what they could have done. Instead, they should be thinking more proactively about security, rather than seeing it as a reactive reflex.
A solution that doesn’t miss
A simple reason for why BEC is still such a major problem in the market is because companies are still using solutions that are letting illicit emails through. Even some of the major names in the industry, such as Microsoft and Google, are missing a substantial amount.
Check Point recently analysed 300 million emails and found that while competitors were still letting hundreds of thousands of phishing emails through into inboxes, Check Point was able to stop the vast majority, with only 10,000 phishing emails getting past its defences. Its platform is also much more capable at catching malicious malware, preventing 98.3% of them from getting into inboxes.
Mitchelson stated that many companies are content in solutions that still let through masses of phishing emails simply because of costs. He has met with customers who are happy with the bundled email security services they get from their email provider, just because it is cheaper. Unfortunately, this means companies are relying on tools that might not be doing enough to protect them.
“It would be great to see Google and Microsoft raise their bar at a minimum level so that no matter the subscription tier you get the best level of protection they can give you. Then they can make it clear and give people a choice that if they want to then go further, they can speak to third parties that can reduce that risk further. I think it would be a better place to be.”
Don’t rely on the human defence layer
When people talk about cybersecurity, it is often met with the notion of human layer security. This is a system where companies educate their staff to become more aware of threats and train them to spot a fake email or malicious link.
“I’ll be quite blunt. At the coalface, users do not stop to have a look at links or fully read emails to try and say, ‘could this be a phishing email or not?’ You can educate, educate, and educate, but there are still some cases where people will just interact, and we shouldn’t be apologising for that,” Mitchelson explained. There are some situations where people are going to see an alert from someone claiming to be their CEO or a business partner, and they will just react due to the perceived severity of the request. Alternatively, people might get complacent when coming back from holiday and having to go through a massive backlog of emails.
Instead of relying on the human defence layer, firms need to take a hybrid approach. Mitchelson added, “We want them to spot the really obvious ones, and then put guardrails in place that are going to stop the more advanced attacks. And that’s where the Check Point solution comes in.”
How Check Point ensures greater protection
Mitchelson added that the damage a BEC attack can cause can be substantial, so firms should be looking to reduce the risk to as close to zero as possible. The best way to ensure protection is by layering security, not just relying on one defence. “It’s like everything we do in life. We put locks on houses, and we put alarms on houses as well. We always layer things in life, that’s what we do. We need to do the same thing with security.”
One of the reasons Check Point is able to stop so much more than competitors is because it doesn’t look to replace them. It leverages its patented inline solution that can be embedded directly into services like Microsoft 365 and Gmail as an API. This means it can complement the anti-phishing services of Microsoft, for example, and catch any illicit emails that it misses. This means Check Point can protect more than just email, but the entire collaboration stack, whether that is OneDrive, Microsoft Teams, Slack and many more.
By being directly embedded into an API, it means Check Point can stop a phishing email from even getting into an employee’s mailbox. Mitchelson explained that a lot of other security vendors work by having the email to sit in a mailbox for 80 seconds until it starts a loop to see whether it is a threat and needs to be quarantined. This might not seem like a long time, but it still allows enough time for an employee to see it and act upon it.
Check Point is the only security vendor that is entirely focused on preventative security. It has built and honed its threat intelligence layer over the course of 30 years, making it one of the longest security systems. This layer, which is continuously learning, assesses an email based on a risk score it creates and acts upon it before it arrives in an inbox.
Becoming more proactive with email security seems like a logical move, however, firms are not making that move. Mitchelson argued this is simply because it is hard to get into that mindset and take the time to ensure the technology works. He pointed to the fact that many of the vendors that are protecting infrastructure have critical vulnerabilities in their systems, shown by the level of successful attacks that still happen. What this tells Mitchelson is that a lot of firms are either innovating too quickly that issues slip past, or the quality assurance tests are not good enough. Check Point prides itself on ensuring its system is the best it can be.
“Because everything we do is preventative, we make sure everything is absolutely done right. The QA around everything is done to the nth degree, which means when the products come out, they are not buggy. These products are not rushed and do exactly what you would expect them to do.”
How BEC will evolve over the next few years
As mentioned briefly, AI is becoming a lot more advanced, and this is helping criminals to transform the level of their attacks. Over the coming years, Mitchelson sees AI and API-based attacks becoming a lot more common. He said, “I’ve got a real concern that we’re going to see a massive upsurge in 2023 and 2024 for BEC and most of it will be driven by AI.
With the horizon looking set for a surge in BEC attacks, Mitchelson urged firms to check out what Check Point can do. It offers a 14-day test that lets a firm implement Check Point’s email security system within just seven clicks. When set up in discovery mode, it can show a firm how many phishing emails they receive and place a risk score on them so the client can see the most severe. This then gives a security team something they can show to their board that clearly shows the risk they are facing.
He concluded, “Even if you don’t want to engage and spend the money on Check Point, what I would say is surely you will want to actually test the quality of your systems. Implement Check Point for 14 days, inline and without any performance hit, and it will actually let you see how you’re doing. Use it to actually validate what you’ve got in place and if you’re doing a brilliant job, then great get that promotion from the board. If you’re not doing a great job, your board would want to know.”