The UK’s National Cyber Security Centre (NCSC) has issued guidance to help medium-sized organizations defend themselves against business email compromise (BEC) attacks, especially those targeting senior staff members.
The NCSC says employees should be cautious about the type of personal information they post on the internet, since criminals can use this knowledge to make their attacks more convincing.
“If there is information about senior staff on work and private websites, including social media accounts and networking sites, criminals can use this to make their phishing emails appear more convincing,” the advisory says.
“This information, freely available on the internet, is known as a ‘digital footprint’. Without this information, the phishing emails used to conduct BEC should be easier to spot as fraudulent. All staff, but especially senior executives who have access to valuable assets or information, should review their privacy settings on their social media accounts, and think about what they post in order to reduce their digital footprint.”
The NCSC stresses that BEC attacks are more targeted than most phishing emails, and are more likely to bypass technical security measures.
“Since BEC emails are normally sent in low volume, standard email filters (designed to identify ‘scam emails’) may struggle to detect them, especially if they come from a legitimate email account that has already been hacked,” the advisory says.
“Alternatively, a BEC email may have been sent from a ‘spoofed’ domain, designed to trick users that they are dealing with a legitimate organisation. Some BEC emails may contain viruses disguised as invoices, which are activated when opened.”
The NCSC says users should be on the lookout for the following red flags associated with BEC attacks:
- “Think about your usual working practices around financial transactions. If you get an email from an organisation you don't do business with, treat it with suspicion
- Look out for emails that appear to come from a senior person within your organisation, requesting a payment to a particular account. Look at the sender's name and email address. Does it sound legitimate, or is it trying to mimic someone you know
- Does the email contain a veiled threat that asks you to act urgently? Be suspicious of phrases like 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately.'"
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
The NCSC has the story.
Here's how it works:
