What is Business Email Compromise?
Business Email Compromise (BEC) is a type of social engineering attack that, according to the FBI, starts with a criminal sending an email that appears to come from a legitimate source with a legitimate request. BEC attacks can occur through different means, but the most common are related to social engineering email attacks and spear phishing or man-in-the-middle phishing attacks. The cyber-criminal usually is trying to get money or information for use against an organization or an employee.
Even though email is the most common means of communication for this type of attack, there are different ways criminals use email to conduct BEC scams. According to the FBI, there are five types of BEC scams that most commonly affect organizations:
Learn more about BEC attacks through the FBI’s Internet Crime Report.
In 2021, the FBI’s Internet Crime Complaint Center (IC3), recordedr 847,376 complaints regarding BEC with a potential loss of more than $6.9 billion across multiple industries.
There’s no question that your organization is at risk; if your organization uses email, it has some level of email security risk. The questions are, “What’s your probable loss exposure?” and “What’s the appropriate level of security investment?” Factor Analysis of Information Risk (FAIR) analysis, the international standard for quantifying cyber risk in financial terms, run through the RiskLens platform, can give you the answers.
Let’s walk through the analysis of a BEC risk scenario. We’ve picked a common one that we’veexperienced in Threat Intelligence Analyst. We’ve gone ahead and identified the asset, threat, and effect below along with a loss statement.
Asset: Accounting Application
Threat: External Malicious Actor
Effect: Integrity
Loss Statement: Assess the risk associated with an external malicious actor convincing a privileged insider via social engineering to alter vendor payment data in the accounting application.
Frequency: How often do we expect an external malicious actor to attempt to convince a privileged insider to alter vendor payment data in our accounting application via social engineering?
Magnitude: How much financial loss do we expect to experience each time this event occurs?
Below is an example attack chain, which is a simple way to demonstrate how an external malicious actor would attempt to use an insider to alter data in accounting applications.
Figure 1: Example Attack Chain
Utilizing an attack chain is extremely helpful to clearly articulate how you suspect the event to unfold when speaking to SMEs and gathering data. Attack chains make it clear how a security risk can be exploited, which makes it easier to pin down exactly where the danger is. Some questions to consider during this stage are:
You can also begin to think about how to address email risk at this stage. In the case of email threats, you might consider separation of duty controls, where each part of the process to alter data and confirm receipt must be signed off by different individuals, as a way to reduce the risks of email fraud.
We consider these likely ways that loss would occur:
We derive the values for these losses by answering questions in interactive workshops on the RiskLens platform.
With data in hand, we can run an analysis on the platform showing our current level of probable loss exposure from Business Email Compromise.
Figure 2: Example Reporting
Please note: The results above are for example purposes only and are not meant to represent the scoped scenario for BEC.
Below are some examples of potential risk reduction options we can consider. Then, we can use the RiskLens platform to determine how they will affect risk by reducing event frequency or loss magnitude.
Increased employee training/awareness
New/enhanced Identity Access Management controls
New/enhanced Data Loss Prevention (DLP) controls
New/enhanced Separation of Duty controls
Figure 3: Comparison Reporting
Using the RiskLens platform, we can run “What If” analyses to change one or more of your inputs and evaluate the resulting change in loss exposure, showing the effect of controls against the baseline in annualized loss exposure.
With quantitative analysis, we can get ahead of the threat actors, take reasonable cost-effective steps to keep BEC risk within tolerance levels, and balance spending across the security budget based on a solid understanding of cyber risk in financial terms.
Quantifying your organization’s exposure to email risk, BEC and otherwise, is the best way to communicate it outside of your cybersecurity department; every decision maker in a business understands financial figures. Learn more about our platform here.
If you’re interested in specifics, contact us for more details.