Business Email Compromise: The New UK Guidance

Business Email Compromise (BEC) has emerged as a critical concern for organisations, becoming one of the most financially devastating cyber threats in the UK and around the world. This type of sophisticated email fraud has already caused billions of pounds in losses.

As BEC tactics evolve, they pose an increasing challenge not only for cybersecurity professionals but also for employees who are often the first line of defence.

Government reporting on cyber attacks has revealed that 84% of businesses and 83% of charities have experienced a phishing attack in the past 12 months (2023/24).

Recognising this, the National Cyber Security Centre has issued new guidance aimed at helping organisations strengthen their defences.

In this article, we explore the nuances of BEC, covering the data and examples, and provide insights into the latest UK recommendations for mitigating this cyber risk.

Understanding Business Email Compromise

Business Email Compromise (BEC), or Email Account Compromise (EAC), is a targeted form of phishing attack where criminals use email to deceive employees into transferring funds or divulging sensitive information.

Unlike broad-targeted phishing campaigns, BEC attacks are highly specific and often involve meticulous research to convincingly impersonate trusted individuals or organisations.

BEC Attack Forms

BEC attacks can take place in several forms:

• Executive Impersonation: Attackers pose as high-ranking executives, requesting urgent wire transfers or access to confidential data.
• Vendor Fraud: Criminals impersonate legitimate suppliers, requesting changes to payment details.
• Data Theft: Attackers seek to obtain sensitive information such as employee tax forms or customer data.
• Legal Impersonation: Scammers pose as lawyers or legal representatives, often citing urgent, confidential matters.

What makes BEC especially dangerous is its ability to evade traditional email security measures.

These attacks frequently contain no malicious attachments or links, making them difficult to detect with standard filters.

“The sophisticated nature of BEC attacks means that organisations must adopt a multi-layered approach to email security. It's not just about technology but also about vigilance among staff.”

— Michael Wakefield, CTO, Beyond Encryption

The Scale Of The Problem

Recent statistics highlight the profound impact of BEC on businesses in the UK and globally:

• Global Losses: The FBI reports that losses from BEC or EAC (email account compromise) have surpassed $43 billion globally.
• Impact in the UK: According to the Cyber Security Breaches Survey 2024, 83% of UK businesses that suffered a cyber attack in 2022 identified phishing as the cause. While this encompasses various forms of phishing, BEC is a significant component.
• Growing Threat: Losses from BEC attacks increased by 65% between July 2019 and December 2021.
• Widespread Issue: In 2021, the FBI's Internet Crime Complaint Center (IC3) received 19,954 BEC/EAC email complaints.
• Cost of Breaches: The average cost of a data breach is over $4.45 million, with BEC being a leading cause.

These figures underscore the pressing need for enhanced defences against BEC attacks in the UK's business landscape.

Real-World Examples Of BEC Attacks

To truly grasp the threat posed by BEC, let’s explore some notable incidents:

• Facebook and Google: These tech giants were defrauded of more than $100 million by a Lithuanian man impersonating a legitimate hardware vendor.
• Ubiquiti Networks: The networking company fell victim to a $46.7 million vendor fraud scheme in 2015.
• Toyota: In 2019, Toyota Boshoku Corporation lost $37 million to a BEC attack.
• Manuscript Theft: Filippo Bernardini, an employee at Simon & Schuster's UK operation, impersonated various publishing industry professionals to steal over 1,000 unpublished manuscripts.
• Real Estate Fraud: A Paris-based real estate developer, Sefri-Cime, lost €38 million in a BEC scam orchestrated by an international fraud gang.

These cases illustrate the diverse tactics used by BEC scammers and the severe financial consequences for their victims.

“BEC attacks are highly targeted and can cause significant financial losses. Companies need to enhance their verification processes, especially when dealing with high-value transactions.”
— Paul Holland, CEO, Beyond Encryption

The New UK Guidance

In light of the growing threat of BEC and other cyber attacks, the UK government has issued updated guidance as part of its Cyber Security Breaches Survey 2024.

This guidance is designed to help organisations strengthen their cyber resilience, particularly against the challenges posed by BEC.

Key elements of the new guidance include:

1. Prioritising Cyber Security

The survey revealed that 80% of businesses continue to rate cyber security as a high priority, a figure that has remained stable since 2023.

However, there has been a notable decline in the percentage of charities prioritising cyber security, dropping from 82% in 2022 to 63% in 2024.

The new guidance stresses the importance of maintaining a high level of cyber security across all sectors.

2. Implementing Technical Controls

The guidance outlines several technical controls that have seen increased adoption among UK businesses:

• 83% now use up-to-date malware protection, up from 76% in the previous year.
• The adoption of admin right restrictions has grown from 67% to 73%.
• Usage of network firewalls has increased from 66% to 75%.
• The implementation of agreed processes for phishing emails has risen from 48% to 54%.

These improvements mark a reversal of the declining trends observed in previous years, particularly among micro, small, and medium-sized businesses.

3. Staff Training and Awareness

The guidance highlights the critical role of employee education in defending against BEC and other cyber threats.

Organisations are encouraged to:

• Provide regular cyber security training to all staff.
• Conduct simulated phishing exercises to enhance employee awareness.
• Develop clear policies for handling suspicious emails and financial requests.

4. Multi-Factor Authentication (MFA)

Implementing MFA is strongly recommended as a defence against account compromise, which often precedes BEC attacks.

The guidance advises using MFA for all email accounts, especially those of executives and finance personnel.

5. Email Authentication Protocols

Organisations are urged to implement email authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to combat email spoofing.

6. Vendor Management

Given the prominence of vendor fraud in BEC attacks, the guidance recommends:

• Implementing strict verification procedures for changes to vendor payment details.
• Establishing separate communication channels for confirming significant financial transactions.
• Regularly reviewing and auditing vendor relationships and payment processes.

7. Incident Response Planning

The new guidance underscores the importance of having a robust incident response plan tailored to BEC attacks.

This plan should include:

• Clear procedures for reporting suspected BEC attempts.
• Steps for quickly freezing or reversing fraudulent transactions.
• Communication protocols for notifying relevant stakeholders, including law enforcement.

8. Regular Security Assessments

Organisations are encouraged to perform regular security assessments, such as:

• Conducting vulnerability scans and penetration testing.
• Reviewing email security configurations and policies.
• Assessing employee awareness and adherence to security protocols.

9. Collaboration With Law Enforcement

The guidance emphasises the importance of promptly reporting BEC incidents to law enforcement agencies, such as Action Fraud in the UK.

Timely reporting can enhance the chances of recovering stolen funds and assist authorities in tracking and apprehending cybercriminals.

“It's crucial for organisations to report BEC incidents to law enforcement quickly. This not only helps in potentially recovering lost funds but also aids in understanding and mitigating the broader threat landscape.”
— Adam Byford, CCO, Beyond Encryption

Implementing The New Guidance: Challenges And Best Practices

While the new UK guidance provides a comprehensive framework for countering BEC attacks, implementing these measures can pose challenges for many organisations.

Here are some best practices for effectively adopting the new guidance:

1. Secure Leadership Buy-In

Successful implementation of cyber security measures requires the support of top management. To achieve this:

• Present clear data on the financial risks of BEC attacks.
• Highlight potential reputational damage from successful attacks.
• Demonstrate the return on investment for cyber security measures.

2. Tailor Solutions to Organisational Size

The guidance recognises that organisations of different sizes face unique challenges. Small and medium-sized enterprises (SMEs) may need to:

• Focus on cost-effective solutions that provide robust protection.
• Consider outsourcing certain security functions to managed service providers.
• Prioritise essential controls and gradually implement more advanced measures.

3. Address The Human Factor

Given that BEC attacks often exploit human psychology, organisations should:

• Foster a culture of security awareness through regular training and communication.
• Implement clear policies for handling financial requests and sensitive information.
• Encourage a questioning attitude among employees when faced with unusual requests.

4. Leverage Technology

While human awareness is crucial, technology also plays a vital role in defending against BEC:

• Implement email security solutions to detect BEC attempts and to enable highly sensitive communications.
• Use email filtering systems to identify and quarantine suspicious messages.
• Deploy endpoint detection and response (EDR) solutions to monitor for unusual activity.

5. Continuously Refine

The cyber threat landscape is constantly evolving, and so must an organisation's defences:

• Regularly review and update security policies and procedures.
• Stay informed about new BEC tactics and adjust defences accordingly.
• Conduct post-incident reviews to identify areas for improvement.

Compliance With Existing Regulations

For professionals in regulated sectors, such as finance, healthcare, and legal services, the new UK guidance for BEC defence needs to be integrated into existing compliance frameworks.

Financial Services

The Financial Conduct Authority (FCA) mandates firms to implement robust cyber security measures to protect sensitive financial data and maintain market integrity.

BEC guidance should align with FCA's cyber resilience standards and be incorporated into firms' operational risk assessments.

Healthcare

The National Health Service (NHS) and other healthcare providers must comply with the Data Protection Act and GDPR regulations to safeguard patient data.

Implementing the recommended BEC defences can help healthcare organisations prevent unauthorised access to personal health information.

Legal Services

Law firms dealing with sensitive client information must adhere to the Solicitors Regulation Authority's (SRA) Code of Conduct.

Integrating BEC defences can enhance the security of client communications and financial transactions.

Compliance teams should collaborate with IT and security departments to make sure that BEC mitigation strategies meet both regulatory requirements and organisational risk management goals.

Securing Email Threads to Prevent Impersonation

Securing email threads between you and your customers is a critical step in defending against Business Email Compromise (BEC).

Secure email solutions with end-to-end encryption and multi-factor authentication (MFA) make it incredibly difficult for cybercriminals to impersonate either party.

Here’s how these measures enhance security:

End-to-End Encryption: Encrypting both messages and attachments ensures that sensitive information remains protected during transit, making it inaccessible to unauthorised parties.

This means that threat actors are unable to pry on communications to understand how to impersonate a legitimate party.

Multi-Factor Authentication (MFA): Implementing MFA adds an additional layer of security. Methods such as SMS challenges and custom question-and-answer prompts verify the recipient's identity.

This prevents cyber criminals from impersonating either party as it makes sure that only intended recipients can access email content.

These practices not only protect sensitive information but also build trust by ensuring that email threads are secure and verified, making it difficult for anyone to fraudulently impersonate either party.

Adopting such measures is essential in mitigating the risks associated with BEC and maintaining the integrity of your business communications.

Key Takeaways

Business Email Compromise (BEC) represents a significant and evolving threat to UK organisations of all sizes.

The financial and reputational damage caused by successful BEC attacks highlights the urgent need for robust defences.

The new UK guidance provides a comprehensive framework for organisations to strengthen their resilience against these sophisticated cyber threats.

Key takeaways from the new guidance include:

• Prioritising cyber security at all levels of the organisation.
• Implementing and maintaining essential technical controls.
• Focusing on staff training and awareness.
• Adopting multi-factor authentication and email authentication.
• Developing strong vendor management practices.
• Creating and regularly testing incident response plans.
• Leveraging AI and advanced technologies to enhance email security.

It's crucial to remember that cyber security is an ongoing process, not a one-time implementation.

Continuous improvement, regular assessments, and a culture of security awareness are essential for long-term protection against the ever-evolving landscape of email fraud.

With the new UK guidance as a foundation, organisations have a clear roadmap for strengthening their defences and protecting their assets from this pervasive cyber threat.

References:

UK Cyber Security Statistics for 2024, Agility Cyber, 2024

Business Email Compromise Examples, Tessian, 2024

Defending Your Business from Email Compromise, Brearley & Co, 2024

The Cost of a Data Breach, IBM, 2023

Franco-Israeli Gang Linked to $40 Million CEO Scam, HackRead, 2023

NCSC Blog on BEC Guidance, NCSC, 2024

NCSC Guidance on Defending Against BEC, NCSC, 2024

Business Email Compromise: The $43 Billion Scam, FBI, 2022

Toyota Parts Supplier Hit By $37 Million Email Scam, Forbes, 2019

Internet Crime Report, FBI, 2021

Cyber Security Breaches Survey 2024, Gov.uk, 2024

Business Email Compromise, Mesh Security, 2024

The Latest Phishing Statistics, AAG IT Services, 2024

Protect Against BEC Scams, Sentio Insurance, 2024

How to Defend Your Business from Email Compromise, Ross-Brooke, 2024

Real-World Business Email Compromise Scams, Proofpoint, 2024

NCSC's New Guidance on BEC, 4th Platform, 2024

UK NCSC Guidance on BEC, DataGuidance, 2024

Ubiquiti Networks victim of $39 million attack, CSO Online, 2015

Man pleads guilty to stealing 1,000 manuscripts, The Guardian, 2023

Reviewed By:

Sam Kendall, 02.07.24

Sabrina McClune, 02.07.24