Per the StatesScoop article on 11 August, a public school system in New Haven, Connecticut, was the latest victim of a business email compromise (BEC), resulting in $ 5.9 M being lost to cyber criminals. Of the $ 5.9 M, $ 3.6 M has been recovered.

Originally published in the New York Times, the cybercriminals gained access to the email account of the school system’s chief operating officer in May and monitored conversations between the COO, vendors, and the city’s finance office. The criminal then impersonated the COO and vendors to request payments to fraudulent bank accounts. Six payments totaling $ 5.9 M were sent to fraudulent accounts in June. Shall we dare say they have “enough” to support a cybersecurity budget (I’m asking for a friend)?

What is a BEC?
Business email compromise (BEC) is a specific type of phishing attack, called spear phishing, in which the objective is to trick employees into taking harmful actions, typically sending money to the attacker.

Why is protecting against BEC important to my organization?
What organization wants to pay out millions of dollars to a fictitious account, based on a fictitious purchase order, under a fictitious directive/order? No one does. Per the FBI in 2022, $2.7B (Billion) is what BECs cost organizations. That $2.7B represented a 14% year-over-year increase in losses.

What should an organization do to combat BEC?
Here are four actions an organization can take to mitigate BEC attacks.

1. Beware of the common BEC attack scenarios: False sense of urgency. Cybercriminals often rely on a false sense of urgency and secrecy. Trick domain name. Make it a common practice to look at the domain names on all emails. Attackers exploit the victim’s lack of attention to detail. Impersonation of a vendor. Be mindful of every invoice sent. Always verify the payment intervals are consistent and that banking information is what’s on file.
2. Train employees to recognize BEC attacks. Adequate cybersecurity training is a must for any organization. The training and organization’s culture should focus on the risk and implications of such attacks. The training must also include what to do when an employee has identified a potential BEC attack.
3. Create a culture of compliance. While training is key, it is not the be-all and end-all. As cybercriminals evolve, the training likely does not evolve as rapidly. A culture of compliance is vital to maintaining lower risk levels of BEC attacks. BEC attacks target mid-level personnel who are not accustomed to communicating with senior leaders, vendors, etc., and this may result in the personnel not feeling comfortable personally authenticating a transaction.
4. Layered Defense of Technical Controls. The use of IT controls like multifactor authentication (MFA) and virtual private networks (VPNs) significantly reduces the chances of a BEC attack.

Contact us if your organization has questions or needs support implementing mitigations or other cybersecurity practices. Our team of cyber professionals is prepared to support you.