Business Email Compromise (BEC) is a type of social engineering attack that has been around for quite some time, with a more than 100% increase in recent years. Particularly with so many people working from home during the pandemic, the FBI has warned that organizations will continue to see a drastic increase in BEC cases, which could potentially cost your organization millions. In this post, we’ll talk about how using RiskLens and FAIR to quantify BEC scams could help save your organization from potential loss.
What is Business Email Compromise?
According to the FBI, Business Email Compromise starts with a criminal sending an email that appears to come from a legitimate source with a legitimate request. These attacks can occur through different means, but the most common are social engineering email attacks and spear phishing or man-in-the-middle phishing attacks. The cyber-criminal is usually hoping for financial gain, or for information to use against an organization or an employee.
Even though email is the most common means of communication for this type of attack, there are different ways criminals use email to conduct BEC scams. According to the FBI, there are five specific types of BEC scams that most commonly affect organizations:
Learn more about BEC through the FBI’s Internet Crime Report.
Quantifying Business Email Compromises with FAIR™ and RiskLens
In 2019, the FBI’s Internet Crime Complaint Center (IC3) recorded over 20,000 complaints regarding BEC, with an estimated loss of $1.7 billion across multiple industries. There’s no question that your organization is at risk; the questions are what your probable loss exposure is and what the appropriate level of security investment is. FAIR analysis, the international standard for quantifying cyber risk in financial terms, run through the RiskLens platform, can give you the answers.
Let’s walk through the analysis of a BEC risk scenario. I’ve picked a common one that I experienced as a Threat Intelligence Analyst. I’ve gone ahead and identified the asset, threat and effect below along with a loss statement.
Asset: Accounting Application
Threat: External Malicious Actor
Loss Statement: Assess the risk associated with an external malicious actor convincing a privileged insider via social engineering to alter vendor payment data in the accounting application.
Frequency: How often do we expect an external malicious actor to attempt to convince a privileged insider to alter vendor payment data in our accounting application via social engineering?
Magnitude: How much financial loss do we expect to experience each time this event occurs?
Below is an example attack chain, a simple way to show how an external malicious actor attempts to use an insider to alter data in an accounting application.
Figure 1: Example Attack Chain
Utilizing an attack chain is extremely helpful to clearly articulate how you suspect the event to unfold when speaking to SMEs and gathering data. Some questions to consider during this stage are:
Once the email is in the employee’s inbox, is there anything that would prevent the employee from successfully altering data? Separation-of-duty controls, where each step of altering payment data and confirming the recipient is signed off by a different individual, may offer a level of protection.
Event Magnitude (Financial Loss)
We consider these likely ways that loss would occur:
We derive the values for these losses by answering questions in interactive workshops on the RiskLens platform.
Current State of Financial Risk
With data in hand, we can run an analysis on the platform showing our current level of probable loss exposure from Business Email Compromise.
Figure 2: Example Reporting
The reporting shows financial loss exposure on both an annual and a per-event basis, as well as how likely an event is to occur.
Please note: the results above are for example purposes only and are not meant to represent the scoped scenario for BEC.
Evaluating Risk Reduction Alternatives for BEC
Below are some examples of potential risk reduction options we can consider, determining how each will affect risk by reducing event frequency or loss magnitude.
Figure 3: Comparison Reporting
Using the RiskLens platform, we can run “What If” analyses that change one or more of your inputs and evaluate the resulting change in loss exposure, showing the effect of each control against the baseline in annualized loss exposure.
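To make the frequency and magnitude questions above concrete, and to show what a “What If” comparison against a baseline looks like in numbers, here is a small Monte Carlo simulation in the FAIR style. It is an added example written for this post, not code from the RiskLens platform or the FAIR standard, and it makes several assumptions: each input is a min / most-likely / max estimate sampled from a PERT distribution; the frequency question is split into threat event frequency (attempts per year) and vulnerability (the chance an attempt actually results in altered payment data, which is what a separation-of-duties control would reduce); and all the BEC input values are constructed for illustration, not taken from any real analysis.

```python
"""Toy FAIR-style Monte Carlo for the BEC scenario (added example, not RiskLens code)."""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pert:
    """Min / most-likely / max estimate, sampled as a modified PERT (Beta) distribution."""
    low: float
    most_likely: float
    high: float
    lam: float = 4.0  # PERT shape parameter; 4.0 is the conventional default

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:          # degenerate estimate: a fixed value
            return self.low
        spread = self.high - self.low
        alpha = 1.0 + self.lam * (self.most_likely - self.low) / spread
        beta = 1.0 + self.lam * (self.high - self.most_likely) / spread
        return self.low + rng.betavariate(alpha, beta) * spread

    def scaled(self, factor: float) -> "Pert":
        """Scale all three estimates, e.g. to model a control that halves a quantity."""
        return replace(self, low=self.low * factor,
                       most_likely=self.most_likely * factor, high=self.high * factor)


@dataclass(frozen=True)
class Scenario:
    threat_event_frequency: Pert  # social-engineering attempts per year against the insider
    vulnerability: Pert           # probability an attempt results in altered payment data (0..1)
    loss_magnitude: Pert          # dollars lost per successful alteration


@dataclass(frozen=True)
class Results:
    annual_loss: list        # simulated total loss for each year
    events_per_year: list    # number of loss events in each year
    event_loss: list         # loss of every individual event

    def annualized_loss_exposure(self) -> float:
        return statistics.fmean(self.annual_loss)

    def annual_percentile(self, q: float) -> float:
        ordered = sorted(self.annual_loss)
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    def probability_of_loss_year(self) -> float:
        """Share of simulated years with at least one loss event."""
        return sum(1 for n in self.events_per_year if n > 0) / len(self.events_per_year)

    def average_per_event_loss(self) -> float:
        return statistics.fmean(self.event_loss) if self.event_loss else 0.0


def _poisson(rng: random.Random, rate: float) -> int:
    # Knuth's method; fine for the small yearly event rates a BEC scenario produces
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 1) -> Results:
    """Simulate `years` independent years; loss event frequency = TEF x vulnerability."""
    rng = random.Random(seed)
    annual, counts, per_event = [], [], []
    for _ in range(years):
        rate = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        n_events = _poisson(rng, rate)
        losses = [scenario.loss_magnitude.sample(rng) for _ in range(n_events)]
        annual.append(sum(losses))
        counts.append(n_events)
        per_event.extend(losses)
    return Results(annual, counts, per_event)


def with_control(scenario: Scenario, vulnerability_factor: float = 1.0,
                 magnitude_factor: float = 1.0) -> Scenario:
    """'What If' variant: scale vulnerability and/or loss magnitude (factors <= 1)."""
    return replace(scenario,
                   vulnerability=scenario.vulnerability.scaled(vulnerability_factor),
                   loss_magnitude=scenario.loss_magnitude.scaled(magnitude_factor))


# Constructed illustrative inputs for the vendor-payment BEC scenario (not real workshop data)
BASELINE = Scenario(
    threat_event_frequency=Pert(2, 6, 12),
    vulnerability=Pert(0.05, 0.15, 0.40),
    loss_magnitude=Pert(10_000, 75_000, 500_000),
)

if __name__ == "__main__":
    base = simulate(BASELINE)
    # Hypothetical control: separation of duties halves the chance an attempt succeeds
    sod = simulate(with_control(BASELINE, vulnerability_factor=0.5))
    for label, r in (("baseline", base), ("separation of duties", sod)):
        print(f"{label:>22}: ALE ${r.annualized_loss_exposure():,.0f}  "
              f"90th pct year ${r.annual_percentile(0.9):,.0f}  "
              f"P(loss year) {r.probability_of_loss_year():.2f}  "
              f"avg per event ${r.average_per_event_loss():,.0f}")
```

The two printed rows are the shape of the comparison the post describes: annualized loss exposure, a tail percentile of the annual loss, the chance of experiencing at least one event in a year, and the average per-event loss, for the baseline and for a control variant. Swapping `vulnerability_factor` for `magnitude_factor` models a control such as faster payment recall that limits the loss of each event rather than how often events occur.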
With quantitative analysis, we can get ahead of the threat actors, take reasonable cost-effective steps to keep BEC risk within tolerance levels and balance our spending across the security budget based on a solid understanding of cyber risk in financial terms.