UK Cybersecurity Org Offers Advice for Thwarting BEC Attacks

The UK’s National Cyber Security Centre (NCSC) has issued guidance to help medium-sized organizations defend themselves against business email compromise (BEC) attacks, especially those targeting senior staff members.

The NCSC says employees should be cautious about the type of personal information they post on the internet, since criminals can use this knowledge to make their attacks more convincing.

“If there is information about senior staff on work and private websites, including social media accounts and networking sites, criminals can use this to make their phishing emails appear more convincing,” the advisory says.

“This information, freely available on the internet, is known as a ‘digital footprint’. Without this information, the phishing emails used to conduct BEC should be easier to spot as fraudulent. All staff, but especially senior executives who have access to valuable assets or information, should review their privacy settings on their social media accounts, and think about what they post in order to reduce their digital footprint.”

The NCSC stresses that BEC attacks are more targeted than most phishing emails, and are more likely to bypass technical security measures.

“Since BEC emails are normally sent in low volume, standard email filters (designed to identify ‘scam emails’) may struggle to detect them, especially if they come from a legitimate email account that has already been hacked,” the advisory says.

“Alternatively, a BEC email may have been sent from a ‘spoofed’ domain, designed to trick users that they are dealing with a legitimate organisation. Some BEC emails may contain viruses disguised as invoices, which are activated when opened.”

The NCSC says users should be on the lookout for the following red flags associated with BEC attacks:

  • “Think about your usual working practices around financial transactions. If you get an email from an organisation you don't do business with, treat it with suspicion.
  • Look out for emails that appear to come from a senior person within your organisation, requesting a payment to a particular account. Look at the sender's name and email address. Does it sound legitimate, or is it trying to mimic someone you know?
  • Does the email contain a veiled threat that asks you to act urgently? Be suspicious of phrases like 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately.'”
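The red flags above (a sender mimicking a senior person or the organisation's domain, a request to pay a particular account, and artificial urgency) can be turned into a simple triage check. The following is an added example written for this post, not tooling from the NCSC or KnowBe4; the organisation domain, the senior-staff directory and the two sample emails are constructed values, and the phrase lists are illustrative rather than a complete rule set.

```python
"""Heuristic BEC red-flag scanner built from the NCSC advisory's checklist.

Added example with constructed data: ORG_DOMAIN, SENIOR_STAFF and the
sample emails are hypothetical values, not taken from the advisory.
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Assumed organisation data (hypothetical values for the example).
ORG_DOMAIN = "example-corp.com"
SENIOR_STAFF = {"jane doe": "jane.doe@example-corp.com"}

# Illustrative phrase lists drawn from the advisory's examples.
URGENCY_PHRASES = [r"within 24 hours", r"immediately", r"\burgent\b", r"victim of crime", r"click here"]
PAYMENT_PHRASES = [r"\bpayment\b", r"\bbank (account|details)\b", r"\binvoice\b", r"\btransfer\b"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as exmaple-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True when the sender domain is close to, but not equal to, the organisation's own."""
    if not domain or domain == ORG_DOMAIN:
        return False
    org_label = ORG_DOMAIN.split(".")[0]
    label = domain.split(".")[0]
    # Same first label under a different TLD, or a label within two edits of ours.
    return label == org_label or edit_distance(label, org_label) <= 2


def bec_red_flags(raw_email: str) -> list[str]:
    """Return the list of NCSC-style red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    flags = []

    # Red flag: the display name is a known senior person but the address is not theirs.
    expected = SENIOR_STAFF.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        flags.append(f"display name '{display_name}' does not match known address {expected}")
    # Red flag: the sending domain mimics the organisation's domain.
    if is_lookalike_domain(domain):
        flags.append(f"sender domain {domain} mimics {ORG_DOMAIN}")
    # Red flag: the message asks for a payment or bank details.
    if any(re.search(p, text) for p in PAYMENT_PHRASES):
        flags.append("requests a payment or bank details")
    # Red flag: veiled threat or artificial urgency.
    if any(re.search(p, text) for p in URGENCY_PHRASES):
        flags.append("uses urgency or a veiled threat")
    return flags


# Constructed sample messages for the demonstration.
SAMPLE_BEC = """From: Jane Doe <jane.doe@exmaple-corp.com>
To: accounts@example-corp.com
Subject: Urgent payment

Please send the payment to the new bank account within 24 hours. I am in a meeting, do not call.
"""

SAMPLE_NORMAL = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Board pack

Attached is the board pack for next week.
"""

if __name__ == "__main__":
    for name, sample in (("BEC", SAMPLE_BEC), ("normal", SAMPLE_NORMAL)):
        print(name, bec_red_flags(sample))
```

Run stand-alone it reports four flags for the constructed BEC message and none for the routine one. A check like this is a triage aid for a mailbox or gateway rule, not a replacement for the process control the advisory implies: a payment request that trips any flag should be confirmed with the named executive through a channel other than the email itself.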

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

The NCSC has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

