Why Stopping Business Email Compromise (BEC) Needs To Be A Priority For MSPs


Phishing attacks are taking aim at MSPs and their clients every day. Our Phishing Defense Center gives us a bird's-eye view of the global threat, and its data shows that threat actors rapidly adjust their tactics and methods to capitalize on world events and human vulnerabilities. When it comes to Business Email Compromise (BEC), threat actors target organizations of all sizes and types, and managed service providers need to know how to better protect themselves and their customers. MSPs need to be able to provide a proven email security defense against BEC to differentiate themselves in the marketplace.

A rise in Business Email Compromise attacks

The story of BEC is rooted in impersonation, and that is usually achieved by stealing credentials. The way in is almost always credential theft. During 2021, data showed a 10-percentage-point increase in credential phishing attacks related directly to cloud services. Now over 60% of phishing attacks globally are credential phish.

The FBI Internet Crime Report puts the cost at $1.77 billion a year for BEC. And the “exposed dollar loss” over the last 5 years is a staggering $43 billion. Why are these losses so large given the investments in cybersecurity technology around the world?

Examples of BEC go beyond the CEO asking employees to buy gift cards. While that still happens, today's attacks include fake invoices and brand logos that are pixel-perfect and not easy for busy humans to detect. And once an email account has been compromised through a credential phishing attack and the attacker has set up auto-forwarding, no amount of password resetting will fix the problem: the forwarding rule keeps delivering the victim's mail to the attacker until it is found and removed.
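One way to hunt for the auto-forwarding persistence described above is to scan mailbox audit records for rule or mailbox changes that send mail to an external domain. This is an added example, not code from the original post or from Cofense; it assumes a simplified JSON shape for Exchange mailbox-audit records (`Operation`, `UserId`, and a `Parameters` list of name/value pairs), and the tenant domain `example.com` and the sample records are constructed for the example.

```python
"""Flag mailbox-forwarding changes in constructed Microsoft 365 audit records."""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own domains
# Cmdlet parameters that can divert a mailbox's mail elsewhere.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Audit operations that create or change forwarding.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample records (one JSON object per line), not real tenant data.
SAMPLE_LOG = r'''
{"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "billing@mail-relay.invalid"}]}
{"Operation": "Set-Mailbox", "UserId": "bob@example.com", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob@example.com"}]}
{"Operation": "MailItemsAccessed", "UserId": "carol@example.com", "Parameters": []}
'''


def external_forwarding_targets(record):
    """Return forwarding addresses in one record that point outside INTERNAL_DOMAINS."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    hits = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARDING_PARAMS:
            continue
        # A value may hold several addresses separated by ';' and an 'smtp:' prefix.
        for addr in str(param.get("Value", "")).split(";"):
            addr = addr.strip().lower()
            if addr.startswith("smtp:"):
                addr = addr[len("smtp:"):]
            domain = addr.rpartition("@")[2]
            if addr and domain not in INTERNAL_DOMAINS:
                hits.append(addr)
    return hits


def scan(log_text):
    """Return (user, operation, external targets) for every record that forwards externally."""
    findings = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        targets = external_forwarding_targets(record)
        if targets:
            findings.append((record["UserId"], record["Operation"], targets))
    return findings


if __name__ == "__main__":
    for user, operation, targets in scan(SAMPLE_LOG):
        print(f"{user}: {operation} forwards mail to external {targets}")
```

A hit on a mailbox is a signal to remove the rule and revoke active sessions alongside the password reset, since the reset alone leaves the forwarding in place.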

BEC attacks are difficult to detect because there are often no flagged keywords and no malware for traditional email security to catch. BEC attacks are conversation-based. What is needed is a combination of technology and human conditioning to combat credential phishing.

Only artificial intelligence (AI), such as computer vision, can inspect the logos and compare them to the ultimate destination URL. And, specifically for BEC, the ability to know who is in the organization and who is not is key. Together, these signals give technology more data points to determine whether an email is a phish. Offering this capability, in addition to a technology solution that detects BEC and credential phishing attacks in real time and then deactivates the malicious links so they are no longer a threat, can set your MSP apart from the crowd.

Process and Training are King.

The 2022 Annual State of Phishing Report shows an increased susceptibility to BEC as threats have become more sophisticated. And humans benefit greatly from training and become more resilient to attack when an effective Security Awareness and Training regimen exists.

Mitigating many types of BEC attacks can be as simple as reviewing your processes for how wire transfers, authorizations of vendor master bank account updates, money orders, gift cards, and invoices are to be paid, and then following those processes.

MSPs should adopt these processes, and help their clients adopt them, to protect against BEC:

  • Review your financial processes and procedures.
  • Define how wire transfers, gift card purchases, and direct deposit requests work.
  • Maintain a list of known and trusted phone numbers to verify wire transfer requests.
  • Don't accept payroll update requests via email. Point users to employee portals to make the changes there.
  • Establish a gift card purchasing process. If no one needs to purchase gift cards for the company, then no one purchases gift cards.
  • Bank accounts rarely change, so clearly define which bank accounts can be used at the beginning of any business relationship.

Finally, your human clients are a great asset in preventing attacks if they are well trained and conditioned to look at the right elements of an email. The most effective programs deliver phishing simulations and security courses year-round on a regular cadence. By offering real-time email security and user training together in one package, MSPs have an opportunity to present a strong email security brand, distinguishing themselves from other MSPs in the marketplace.

Stay up to date on the latest tactics and techniques that threat actors are using to bypass traditional email security solutions, including credential theft, business email compromise and more, with our Annual State of Phishing Report and webinar series.

Author Rich Keith is senior product marketing manager at Cofense. Read more Cofense guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.