UK Cybersecurity Org Offers Advice for Thwarting BEC Attacks

23/05/2024 16:03 - By Bill

Written by Stu Sjouwerman

The UK’s National Cyber Security Centre (NCSC) has issued guidance to help medium-sized organisations defend themselves against business email compromise (BEC) attacks, especially those targeting senior staff members.

The NCSC says employees should be cautious about the type of personal information they post on the internet, since criminals can use this knowledge to make their attacks more convincing.

“If there is information about senior staff on work and private websites, including social media accounts and networking sites, criminals can use this to make their phishing emails appear more convincing,” the advisory says.

“This information, freely available on the internet, is known as a ‘digital footprint’. Without this information, the phishing emails used to conduct BEC should be easier to spot as fraudulent. All staff, but especially senior executives who have access to valuable assets or information, should review their privacy settings on their social media accounts, and think about what they post in order to reduce their digital footprint.”

The NCSC stresses that BEC attacks are more targeted than most phishing emails, and are more likely to bypass technical security measures.

“Since BEC emails are normally sent in low volume, standard email filters (designed to identify ‘scam emails’) may struggle to detect them, especially if they come from a legitimate email account that has already been hacked,” the advisory says.

“Alternatively, a BEC email may have been sent from a ‘spoofed’ domain, designed to trick users that they are dealing with a legitimate organisation. Some BEC emails may contain viruses disguised as invoices, which are activated when opened.”

The NCSC says users should be on the lookout for the following red flags associated with BEC attacks:

  • “Think about your usual working practices around financial transactions. If you get an email from an organisation you don't do business with, treat it with suspicion.
  • Look out for emails that appear to come from a senior person within your organisation, requesting a payment to a particular account. Look at the sender's name and email address. Does it sound legitimate, or is it trying to mimic someone you know?
  • Does the email contain a veiled threat that asks you to act urgently? Be suspicious of phrases like 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately.'”
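The sender checks the NCSC describes (a familiar name on an unfamiliar address, a domain built to look like yours, and pressure to act within a deadline) can be turned into a first-pass triage script for a mail gateway or a SOC analyst's inbox. The following is an added example, not code from the NCSC or from KnowBe4; the organisation domain, the executive roster, the look-alike substitution table and the three sample messages are all constructed for illustration. It deliberately does nothing about the case the advisory warns is hardest: a message sent from a legitimate account that has already been compromised has none of these header anomalies, so a script like this complements, rather than replaces, payment-verification procedures.

```python
"""Triage heuristics for the BEC red flags quoted above (added example, not NCSC code)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the defending organisation's mail domain and the
# senior staff whose names are most likely to be borrowed by an attacker.
ORG_DOMAIN = "example-corp.com"
SENIOR_STAFF = {"alice jones": "alice.jones@example-corp.com"}

# Phrases of the kind the NCSC cites as veiled threats or pressure to act fast.
URGENCY = re.compile(r"within 24 hours|immediately|urgent", re.IGNORECASE)


def normalise_domain(domain: str) -> str:
    """Fold common look-alike substitutions so 'examp1e-c0rp.com' compares equal to the real domain."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typo-squats such as 'exmaple-corp.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_flags(raw_message: str) -> list[str]:
    """Return the red flags raised by one RFC 5322 message (empty list means none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []

    # Red flag 1: a known senior person's display name on an address that is not theirs.
    expected = SENIOR_STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display name '{name}' does not match known address {expected}")

    # Red flag 2: a domain that is not ours but is built to look like ours.
    if domain != ORG_DOMAIN and (
        normalise_domain(domain) == normalise_domain(ORG_DOMAIN)
        or edit_distance(domain, ORG_DOMAIN) <= 2
    ):
        flags.append(f"look-alike sender domain {domain}")

    # Red flag 3: pressure to act quickly, in the subject or the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        flags.append("urgency language")
    return flags


# Constructed sample messages (not real traffic).
SAMPLES = {
    "impersonation": (
        'From: "Alice Jones" <alice.jones@webmail.example>\n'
        "To: finance@example-corp.com\n"
        "Subject: Payment needed\n"
        "\n"
        "Please send the transfer details within 24 hours, I am in a meeting.\n"
    ),
    "lookalike": (
        'From: "Accounts Payable" <ap@examp1e-corp.com>\n'
        "To: finance@example-corp.com\n"
        "Subject: Invoice for approval\n"
        "\n"
        "Attached invoice for approval.\n"
    ),
    "legitimate": (
        'From: "Alice Jones" <alice.jones@example-corp.com>\n'
        "To: finance@example-corp.com\n"
        "Subject: Supplier list\n"
        "\n"
        "Can you send me the Q3 supplier list when you get a chance?\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {bec_flags(raw) or 'no flags'}")
```

Run as a script it prints the flags for each sample; the impersonation message trips the name and urgency checks, the look-alike message trips only the domain check, and the genuine internal message raises nothing. Tune the substitution table and the edit-distance threshold to your own domain: a short domain name will produce false positives at distance 2.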

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organisations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

The NCSC has the story.

Other NCSC resources on BEC:

Business email compromise: new guidance to protect your organisation

Business email compromise: dealing with targeted phishing emails (graphic)

Start Your Free Phishing Security Test

Find out what percentage of your employees are Phish-prone
Did you know that 91% of successful data breaches started with a spear phishing attack?

Find out what percentage of your employees are Phish-prone™ with your free phishing security test. Plus, see how you stack up against your peers with the new phishing Industry Benchmarks!

IT pros have realised that simulated phishing tests are urgently needed as an additional security layer. Today, phishing your own users is just as important as having antivirus and a firewall. It is a fun and effective cybersecurity best practice to patch your last line of defence: users.

Why? If you don't do it yourself, the bad guys will.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customise the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organisation compares to others in your industry

The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Start phishing your users now. Fill out the form, and get started immediately!

Bill