Business Email Compromise (BEC) is a cybercrime in which criminals gain access to a work email account in order to trick someone into transferring money, or to steal sensitive data. BEC attacks are often targeted at senior staff or those authorized to approve financial transactions, making them particularly damaging. Unfortunately, BEC attacks, a subtype of phishing, are on the rise. A recent government report indicated that, in 2023, 84% of businesses and 83% of charities had encountered phishing attacks within the past year.
In response to this growing threat, the National Cyber Security Centre (NCSC) has released new guidance specifically designed to help smaller organizations protect themselves from BEC attacks. This guidance is tailored for those who may lack the resources or expertise to fully implement existing phishing protection strategies. The NCSC’s new recommendations focus on practical measures that can significantly reduce the risk of falling victim to BEC.
BEC attacks are challenging to detect because they often employ tactics that create a sense of urgency, pressuring victims to act quickly without due diligence. To combat this, the NCSC’s guidance emphasizes several key strategies. Reducing your digital footprint can make it harder for criminals to gather the information they need to launch an attack. Training staff to recognize and handle phishing emails effectively is crucial. Applying the principle of ‘least privilege’—ensuring that employees have only the access necessary for their roles—can limit the potential damage if an account is compromised. Additionally, implementing two-step verification adds an extra layer of security to email accounts, making unauthorized access more difficult.
The guidance also includes actionable steps to follow if you suspect your email account has been compromised or if you have been tricked into making a fraudulent payment. By following these recommendations, organizations can enhance their defenses against BEC attacks and better protect their financial and sensitive information from cybercriminals.