Employee training: Educate your employees about BEC attacks, focusing on how to identify suspicious requests, for example urgent or unexpected requests for financial transactions, or requests from senior executives who are not usually directly involved in such transactions. Run simulated BEC attacks to find weak points and susceptible employees, and use the results as a teachable experience.
Email protection: Use a secure, end-to-end encrypted, MFA-enabled email service. Implement robust email filtering to detect and block potential attacks. Keep your email servers, operating systems, and applications up to date with the latest security patches: attackers exploit software vulnerabilities, so prompt updates are essential. Conduct periodic security audits and penetration testing to identify vulnerabilities in your organization’s email infrastructure and systems.
Identification: Require digital signatures for all correspondence regarding payments or bank account detail changes.
Out-of-band verification: Establish a standard verification process for financial requests received via email, such as confirming the request through another communication channel or contacting the requester directly. Always verify unusual or high-risk requests.
Procedures: Establish strict procedures for payments and money transfers, and notify your suppliers and your bank of them.
Alerts: Set alerts for suspicious transactions, such as new or unfamiliar recipients, changed bank account details, abnormal or inflated sums, unusually high volumes, etc.
Response plan: Develop an incident response plan specific to BEC attacks. Outline the steps to take if an attack occurs, including reporting the incident, voiding the transaction if possible, isolating affected systems, and communicating with stakeholders.
Notify: Alert the relevant parties within the company, starting with management, finance, and IT. Make sure they alert you to any new suspicious activity.
Mitigate: Commence initial emergency steps to prevent further theft of funds. If necessary, revoke money-transfer privileges. Harden payment controls, for example by requiring that upcoming transactions be manually approved by the CFO or a trusted delegate.
Email cleanup: Reset email passwords and mandate MFA. Check for and delete email rules and filters the attacker may have created and used, and set alerts for any new rules and filters going forward, possibly blocking them or requiring a manager's approval.
Investigate: Commence a digital forensic investigation to confirm that an attack has indeed occurred and that the loss was not the result of employee error or malice. Assess the scope and spread of the incident inside the organization, documenting the entire process and the evidence. Review activity logs, search emails for suspicious activity, interview employees (especially those with admin or payment privileges) about other suspicious activity, and analyze any changes to rules and configuration in the email systems.
Hacker behavior: Identify the attack surface and vector (employee, contractor, security breach, malware, etc.). Determine when the attacker entered the email system, how they got in, and what they did once inside, to establish whether they compromised just this account, several accounts, or the entire email system.
Supplier data: Ask the supplier for the original email to see what the bank account details were, then check whether that bank account information appears anywhere else in the email system, as a way to measure the attack's scope.
Bank involvement: Inform the bank that cleared the transaction, and any other relevant payment service providers, about the attack and the changes to your payment procedures. Assess the likelihood of repeat BEC attacks and reduce it by working with the payment partners and banks that clear your transactions; ask the bank to harden its payment controls.
Assess financial damages: Determine the extent of the financial impact resulting directly and indirectly from the BEC attack. Coordinate with your finance department and consider involving law enforcement, your bank, and your insurance company as necessary.
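As an added example (not the article's or Cytactic's code) of the rule audit called for in the Email cleanup and Investigate steps, the following Python check scans mailbox inbox rules for the forwarding and hiding behaviours an attacker typically leaves behind in a compromised account. The dict layout of the rules, the example.com domain and the sample rules are assumptions constructed for illustration, not any mail server's real export format.

```python
"""Audit mailbox inbox rules for common BEC indicators (added example). The rule
dicts are a simplified, vendor-neutral layout assumed here, not a real export."""

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
FINANCE_TERMS = {"invoice", "payment", "bank", "wire", "remittance", "iban"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive", "junk email"}


def rule_findings(rule: dict) -> list:
    """Return the BEC indicators one rule matches (empty list if it looks benign)."""
    findings = []
    # 1. Auto-forward or redirect to an address outside the organisation.
    external = [a for a in rule.get("forward_to", []) if not a.lower().endswith("@" + ORG_DOMAIN)]
    if external:
        findings.append("forwards to external " + ", ".join(external))
    # 2. Finance-related mail that is deleted, parked in an obscure folder, or silently read.
    hits = {k.lower() for k in rule.get("keywords", [])} & FINANCE_TERMS
    if hits:
        if rule.get("delete"):
            findings.append(f"deletes mail matching {sorted(hits)}")
        elif rule.get("move_to", "").lower() in HIDING_FOLDERS:
            findings.append(f"hides mail matching {sorted(hits)} in {rule['move_to']!r}")
        elif rule.get("mark_read"):
            findings.append(f"silently marks mail matching {sorted(hits)} as read")
    # 3. A blank or one-character rule name is a common attempt to escape notice.
    if len(rule.get("name", "").strip()) <= 1:
        findings.append("rule name is empty or a single character")
    return findings


def audit(rules: list) -> dict:
    """Map mailbox -> [(rule name, findings)] for every rule with at least one indicator."""
    report = {}
    for r in rules:
        f = rule_findings(r)
        if f:
            report.setdefault(r["mailbox"], []).append((r["name"], f))
    return report


# Constructed sample: one benign rule, two typical of a compromised accounts-payable mailbox.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Team updates", "keywords": ["standup"], "move_to": "Projects"},
    {"mailbox": "ap@example.com", "name": ".", "forward_to": ["ap.backup@mail-example.net"]},
    {"mailbox": "ap@example.com", "name": "cleanup", "keywords": ["Invoice", "payment"],
     "move_to": "RSS Feeds", "mark_read": True},
]

if __name__ == "__main__":
    for mailbox, flagged in audit(SAMPLE_RULES).items():
        for name, findings in flagged:
            print(f"{mailbox}: rule {name!r}: " + "; ".join(findings))
```

Feed it the rules exported from your mail platform (mapped into the same keys) after a suspected compromise, and alert on the same indicators for newly created rules going forward.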
Dr. Nimrod Kozlovski is Partner & Co-Founder, Cytactic