Business email compromise (BEC) and phishing scams are two of the most common tactics used by cyber criminals to infiltrate business networks and cause havoc in the form of wire transfer fraud, data encryption, planting ransomware, and even blackmailing or coercing employees to perform unwarranted actions.
It’s a cyber risk that’s well and truly on the radar of many organisations worldwide. Employers today are looking at ways to prevent and mitigate BEC and phishing scams with many turning to more frequent and detailed employee training and awareness campaigns. But there are many who would argue that you can do all the employee training possible, and someone will still absentmindedly click on a dodgy link or respond to a fraudulent email. It’s a phrase often said (arguably, with merit) that humans are the weakest link in cyber security.
According to Shelley Ma, director of digital forensics & incident response at Arete Advisors – an elite global team of cyber incident response experts – the conversation around BEC and phishing scams should not focus solely on prevention. It should also revolve around the safety nets that organisations can put in place to mitigate potential damages once a user inevitably falls victim to BEC or clicks on a phishing email. Speaking on a NetDiligence Cyber Risk Summit panel about BEC and wire fraud, Ma shared several basic implementations that organisations could consider in order to prevent a catastrophe arising from BEC or a phishing email:
Enable multi-factor authentication
Multi-factor authentication (MFA) is a security mechanism that requires a user to provide two or more pieces of information to authenticate their identity. The most common form would be asking a user to submit a username and password.
“In this day and age, it’s pretty unacceptable to not have MFA when it comes to access and when it comes to logins,” said Ma. “Microsoft Office 365, for example, would ask for a password, and then there will be a secondary authentication step, either in the form of a randomly generated passcode or in the form of a call or text. One very common strategy that attackers like to employ is to redirect the user to an external page that looks like it’s an Office 365 sign-in page. That type of tactic is for credential harvesting. Even if that were successful, without the secondary factor, the attacker would not be able to gain access. MFA is something we always recommend.”
Turn on audit logging
Audit logging, sometimes referred to as an audit trail, keeps tracks of everything that happens on a digital system or a software solution. It will keep a record of who logged-in, when and where they accessed a system, who completed a certain action (for example, the deletion of files or the changing of passwords), and so on. Audit logging is necessary from a compliance and legal standpoint, and it’s extremely helpful from a cyber forensics point of view.
“Just flipping that switch and turning audit logging on will provide so much forensic visibility into what’s happened in a cyber incident,” Ma commented. “It’s a very easy step to do. And don’t just keep audit logs maintained for a week; have them extended to the maximum possible retention period.”
Tag external emails with warning messages
You’ve probably seen these messages embedded throughout email chains. They might go something like: ‘This email originated from outside the organisation.’ This tag is particularly helpful in identifying domain spoofing. For example, in BEC, a fraudster would use social engineering to impersonate a person of influence (often someone in a senior management position) via email. Typically, an employee would receive a spoof email, which looks like it’s from their boss, asking them to wire funds to the fraudster’s account. If external emails are tagged, that creates a red flag to any spoofed emails, which users can then react to accordingly.
Use ATP Safe Links
This is a feature of Microsoft Office 365 Advanced Threat Protection (ATP). Ma described it as a live-time verification of URLs within the body of an email or within documents. This helps to prevent a user’s absentminded click on a corrupt link from becoming a catastrophe.
Have a data loss prevention policy
“Another thing to consider is a data loss prevention policy - a DLP,” Ma added. “DLPs use content analysis engines to look into the contents of an email. They’ll flag when an email includes credit card numbers, social insurance numbers, social security numbers and so on, because those type of sensitive information should not be sent in plain text over email. That could greatly prevent the loss and exploitation of data.”
Enforce a data retention policy
From a legal and governance standpoint, it’s helpful for organisations to not only have a data retention policy but to actively enforce that data retention policy. Essentially, this helps firms to save and secure relevant information for a later date and dispose of information that’s no longer needed. This reduces the likelihood of hackers infiltrating a system via BEC or a phishing scam and then exfiltrating data that the company didn’t even know it still had on record.