Business Email Compromise (BEC) has emerged as a critical concern for organisations, becoming one of the most financially devastating cyber threats in the UK and around the world. This type of sophisticated email fraud has already caused billions of pounds in losses.
As BEC tactics evolve, they pose an increasing challenge not only for cybersecurity professionals but also for employees who are often the first line of defence.
Government reporting on cyber attacks has revealed that 84% of businesses and 83% of charities have experienced a phishing attack in the past 12 months (2023/24).
Recognising this, the National Cyber Security Centre has issued new guidance aimed at helping organisations strengthen their defences.
In this article, we explore the nuances of BEC, covering the data and examples, and provide insights into the latest UK recommendations for mitigating this cyber risk.
Business Email Compromise (BEC), or Email Account Compromise (EAC), is a targeted form of phishing attack where criminals use email to deceive employees into transferring funds or divulging sensitive information.
Unlike broadly targeted phishing campaigns, BEC attacks are highly specific and often involve meticulous research to convincingly impersonate trusted individuals or organisations.
BEC attacks can take place in several forms:
What makes BEC especially dangerous is its ability to evade traditional email security measures.
These attacks frequently contain no malicious attachments or links, making them difficult to detect with standard filters.
“The sophisticated nature of BEC attacks means that organisations must adopt a multi-layered approach to email security. It's not just about technology but also about vigilance among staff.”
— Michael Wakefield, CTO, Beyond Encryption
Recent statistics highlight the profound impact of BEC on businesses in the UK and globally:
These figures underscore the pressing need for enhanced defences against BEC attacks in the UK's business landscape.
To truly grasp the threat posed by BEC, let’s explore some notable incidents:
These cases illustrate the diverse tactics used by BEC scammers and the severe financial consequences for their victims.
“BEC attacks are highly targeted and can cause significant financial losses. Companies need to enhance their verification processes, especially when dealing with high-value transactions.”
— Paul Holland, CEO, Beyond Encryption
In light of the growing threat of BEC and other cyber attacks, the UK government has issued updated guidance as part of its Cyber Security Breaches Survey 2024.
This guidance is designed to help organisations strengthen their cyber resilience, particularly against the challenges posed by BEC.
Key elements of the new guidance include:
The survey revealed that 80% of businesses continue to rate cyber security as a high priority, a figure that has remained stable since 2023.
However, there has been a notable decline in the percentage of charities prioritising cyber security, dropping from 82% in 2022 to 63% in 2024.
The new guidance stresses the importance of maintaining a high level of cyber security across all sectors.
The guidance outlines several technical controls that have seen increased adoption among UK businesses:
These improvements mark a reversal of the declining trends observed in previous years, particularly among micro, small, and medium-sized businesses.
The guidance highlights the critical role of employee education in defending against BEC and other cyber threats.
Organisations are encouraged to:
Implementing MFA is strongly recommended as a defence against account compromise, which often precedes BEC attacks.
The guidance advises using MFA for all email accounts, especially those of executives and finance personnel.
Organisations are urged to implement email authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to combat email spoofing.
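The three protocols named above are published as DNS TXT records, and the value they give against spoofing depends entirely on how strictly they are configured. As an added example (not code from the original article or from the NCSC), the following Python script parses SPF and DMARC records and flags the settings that leave a domain spoofable. The domain names and records are constructed samples, not real DNS data; a live check would fetch the TXT records for the domain and for `_dmarc.<domain>`. DKIM is left out because verifying it needs the selector in a message header, not just a DNS lookup.

```python
"""Assess SPF and DMARC TXT records for anti-spoofing strength (added example)."""
import re

# Constructed sample records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
}


def parse_spf(record):
    """Return the SPF mechanisms and the qualifier on the final 'all' term.

    Qualifiers: '+' pass (default), '-' fail, '~' softfail, '?' neutral.
    Returns None if the record is not an SPF v1 record.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Return DMARC tag=value pairs as a dict (';'-separated per RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(spf, dmarc):
    """Return a list of findings for a domain; an empty list means no weakness found."""
    findings = []

    spf_parsed = parse_spf(spf) if spf else None
    if spf_parsed is None:
        findings.append("SPF: no valid v=spf1 record")
    elif spf_parsed["all"] in (None, "+", "?"):
        findings.append("SPF: no restrictive 'all' term, so any host may send as this domain")
    elif spf_parsed["all"] == "~":
        findings.append("SPF: softfail (~all) only marks spoofed mail; it does not reject it")

    dmarc_parsed = parse_dmarc(dmarc) if dmarc else None
    if dmarc_parsed is None:
        findings.append("DMARC: no valid v=DMARC1 record")
    else:
        policy = dmarc_parsed.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: policy is p={policy or 'missing'}; spoofed mail is not rejected")
        if int(dmarc_parsed.get("pct", "100")) < 100:
            findings.append("DMARC: pct<100 applies the policy to only a fraction of mail")
        if "rua" not in dmarc_parsed:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings


def assess_all(records):
    """Run assess_domain over a {domain: {"spf": ..., "dmarc": ...}} mapping."""
    return {domain: assess_domain(**recs) for domain, recs in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        print(f"{domain}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script it reports the weak domain's softfail SPF and `p=none` DMARC policy and gives the strong domain a clean result. The practical point for BEC defence is that a domain with `p=none` is publishing a record that monitors spoofing without stopping it, so receivers will still deliver mail that impersonates it.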
Given the prominence of vendor fraud in BEC attacks, the guidance recommends:
The new guidance underscores the importance of having a robust incident response plan tailored to BEC attacks.
This plan should include:
Organisations are encouraged to perform regular security assessments, such as:
The guidance emphasises the importance of promptly reporting BEC incidents to law enforcement agencies, such as Action Fraud in the UK.
Timely reporting can enhance the chances of recovering stolen funds and assist authorities in tracking and apprehending cybercriminals.
“It's crucial for organisations to report BEC incidents to law enforcement quickly. This not only helps in potentially recovering lost funds but also aids in understanding and mitigating the broader threat landscape.”
— Adam Byford, CCO, Beyond Encryption
While the new UK guidance provides a comprehensive framework for countering BEC attacks, implementing these measures can pose challenges for many organisations.
Here are some best practices for effectively adopting the new guidance:
Successful implementation of cyber security measures requires the support of top management. To achieve this:
The guidance recognises that organisations of different sizes face unique challenges. Small and medium-sized enterprises (SMEs) may need to:
Given that BEC attacks often exploit human psychology, organisations should:
While human awareness is crucial, technology also plays a vital role in defending against BEC:
The cyber threat landscape is constantly evolving, and so must an organisation's defences:
For professionals in regulated sectors, such as finance, healthcare, and legal services, the new UK guidance for BEC defence needs to be integrated into existing compliance frameworks.
The Financial Conduct Authority (FCA) mandates firms to implement robust cyber security measures to protect sensitive financial data and maintain market integrity.
BEC guidance should align with FCA's cyber resilience standards and be incorporated into firms' operational risk assessments.
The National Health Service (NHS) and other healthcare providers must comply with the Data Protection Act and GDPR regulations to safeguard patient data.
Implementing the recommended BEC defences can help healthcare organisations prevent unauthorised access to personal health information.
Law firms dealing with sensitive client information must adhere to the Solicitors Regulation Authority's (SRA) Code of Conduct.
Integrating BEC defences can enhance the security of client communications and financial transactions.
Compliance teams should collaborate with IT and security departments to make sure that BEC mitigation strategies meet both regulatory requirements and organisational risk management goals.
Securing email threads between you and your customers is a critical step in defending against Business Email Compromise (BEC).
Secure email solutions with end-to-end encryption and multi-factor authentication (MFA) make it incredibly difficult for cybercriminals to impersonate either party.
Here’s how these measures enhance security:
End-to-End Encryption: Encrypting both messages and attachments ensures that sensitive information remains protected during transit, making it inaccessible to unauthorised parties.
This means that threat actors are unable to eavesdrop on communications to learn how to impersonate a legitimate party.
Multi-Factor Authentication (MFA): Implementing MFA adds an additional layer of security. Methods such as SMS challenges and custom question-and-answer prompts verify the recipient's identity.
This prevents cybercriminals from impersonating either party, as it ensures that only the intended recipients can access email content.
These practices not only protect sensitive information but also build trust by ensuring that email threads are secure and verified, making it difficult for anyone to fraudulently impersonate either party.
Adopting such measures is essential in mitigating the risks associated with BEC and maintaining the integrity of your business communications.
Business Email Compromise (BEC) represents a significant and evolving threat to UK organisations of all sizes.
The financial and reputational damage caused by successful BEC attacks highlights the urgent need for robust defences.
The new UK guidance provides a comprehensive framework for organisations to strengthen their resilience against these sophisticated cyber threats.
Key takeaways from the new guidance include:
It's crucial to remember that cyber security is an ongoing process, not a one-time implementation.
Continuous improvement, regular assessments, and a culture of security awareness are essential for long-term protection against the ever-evolving landscape of email fraud.
With the new UK guidance as a foundation, organisations have a clear roadmap for strengthening their defences and protecting their assets from this pervasive cyber threat.
UK Cyber Security Statistics for 2024, Agility Cyber, 2024
Business Email Compromise Examples, Tessian, 2024
Defending Your Business from Email Compromise, Brearley & Co, 2024
The Cost of a Data Breach, IBM, 2023
Franco-Israeli Gang Linked to $40 Million CEO Scam, HackRead, 2023
NCSC Blog on BEC Guidance, NCSC, 2024
NCSC Guidance on Defending Against BEC, NCSC, 2024
Business Email Compromise: The $43 Billion Scam, FBI, 2022
Toyota Parts Supplier Hit By $37 Million Email Scam, Forbes, 2019
Internet Crime Report, FBI, 2021
Cyber Security Breaches Survey 2024, Gov.uk, 2024
Business Email Compromise, Mesh Security, 2024
The Latest Phishing Statistics, AAG IT Services, 2024
Protect Against BEC Scams, Sentio Insurance, 2024
How to Defend Your Business from Email Compromise, Ross-Brooke, 2024
Real-World Business Email Compromise Scams, Proofpoint, 2024
NCSC's New Guidance on BEC, 4th Platform, 2024
UK NCSC Guidance on BEC, DataGuidance, 2024
Ubiquiti Networks victim of $39 million attack, CSO Online, 2015
Man pleads guilty to stealing 1,000 manuscripts, The Guardian, 2023
Sam Kendall, 02.07.24
Sabrina McClune, 02.07.24