Dealing with business email compromise (BEC) requires people, process, and technology. As we've noted before, the problem is growing. Harder to detect and evolving in sophistication, phishing attacks are on the rise. Add in social engineering and businesses can be more vulnerable than they realize.
One practice organizations might consider is Domain-based Message Authentication, Reporting and Conformance (DMARC), which verifies that the sender's domain is genuine and can impede fraud by making domain spoofing attacks more difficult to carry out.
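The check a receiving mail server performs under DMARC, as an added example that is not code from the post or from any vendor: given the policy a domain owner publishes and the SPF/DKIM outcome for one message, it decides whether the From: domain the user sees is aligned and which disposition (none, quarantine or reject) the policy asks for. The record text, domain names and the public-suffix subset are constructed for the example.

```python
"""Evaluate a DMARC policy the way a receiving mail server would (added example).
Input: the DMARC TXT record (normally fetched from _dmarc.<domain>) and the
SPF/DKIM results already computed for one message. Output: the disposition.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the Public Suffix List; a real receiver loads the full list.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk"}

@dataclass
class AuthResult:
    from_domain: str                   # RFC5322.From domain shown to the user
    spf_domain: Optional[str] = None   # MAIL FROM domain if SPF passed, else None
    dkim_domain: Optional[str] = None  # d= of a passing DKIM signature, else None

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into tags with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain: the registrable part, e.g. bank.com.au or example.com."""
    labels = domain.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, result: AuthResult) -> str:
    """Return 'pass' if SPF or DKIM is aligned with From:, otherwise the p= action."""
    tags = parse_dmarc(record)
    if aligned(result.spf_domain, result.from_domain, tags["aspf"]) or \
       aligned(result.dkim_domain, result.from_domain, tags["adkim"]):
        return "pass"
    return tags["p"]
```

A record with p=none only requests reports and still delivers unaligned mail, which is why the adoption figures below distinguish "begun deploying" from actually being protected.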
This report comes from Australia, but similar stories can be told elsewhere. Over one-third of fraud attacks on Australian businesses lead to loss of funds to cyber criminals. Financial risks are high, with Australian businesses paying the price for BEC to the tune of $20 million between 2016 and 2017, making this far more than just an IT issue. And employees are directly at risk, too: one in four attacks results in someone's termination.
More than 61 percent of companies listed on the ASX 100 are not protected by DMARC, leaving Australia’s largest companies vulnerable. Attacks on financial service companies in particular are increasing. 25 percent of the financial sector companies in the ASX 100 have begun deploying DMARC, including four of the top five commercial banks, which is a step in the right direction.
Law, regulation, and standards have begun to push DMARC adoption. In Australia DMARC is not required by law, but it is recommended in the Australian government's "Malicious Email Mitigation Strategies" guide. Other countries have varying degrees of DMARC regulation. The US Department of Homeland Security, for example, requires such authentication in all civilian Federal agencies.
DMARC can help verify emails before they can do any damage, but as always fraud prevention is a complex challenge and requires a multi-layered response involving people, process, and technology. In that response, don't neglect training: the best-conceived processes won't help if employees don't understand them, and cutting-edge technology won't help if it's not deployed and used intelligently. Awareness is fundamental to security, and sound, interactive training can help instill it.
IT Brief has the story: https://www.itwire.com/security/84225-asx100-lags-on-implementing-protection-against-email-spoofing.html and also: https://www.itwire.com/security/79640-top-australian-firms-vulnerable-to-domain-spoofing-claim.html