Sep 2, 2024

The BEC battleground: Why zero trust and employee education are your best line of defense

Some tips for keeping you and your data safe against a landscape of increasingly sophisticated phishing threats.

In a world where businesses are rapidly digitizing and email communication is prevalent, business email compromise (BEC) attacks — that is, scams designed to give cybercriminals unauthorized access to confidential information or lure victims into transferring funds — pose a substantial threat to organizations of all sizes and sectors.

To combat this growing threat, which is further driven by AI, all businesses need to adopt a multi-faceted security approach. Above all, this should focus on zero trust principles and comprehensive employee education.

The rise of BEC attacks

Currently, BEC attacks are extremely prevalent. According to a recent report by Abnormal Security, they skyrocketed in 2023, doubling to over ten monthly attacks per 1,000 mailboxes — a staggering 108% increase compared to 2022.

The rate of these attacks peaked in October with a monthly average of 14.57 attacks per 1,000 mailboxes. This trend has been triggered by the shift to hybrid and remote work and the accompanying change in employee habits and the security landscape.

BEC attack frequency doubled in 2023, and it is expected to increase again this year, largely because of the massive ROI (return on investment) it promises cybercriminals.

Indeed, based on FBI data, successful BEC attacks typically incur costs exceeding USD 125,000 on average, which makes BEC an extremely profitable business for criminals.

Empowering employees: Your first line of defense

Security awareness training can play an important part in protecting your business by empowering employees to actively combat phishing attacks, including BEC scams. Phishing emails are increasingly sophisticated, using social engineering tactics to bypass filters and deceive even vigilant employees.

Attackers often use information from social media or previous data breaches to convincingly impersonate executives, colleagues, or vendors. By creating a false sense of urgency, they can easily trick untrained staff into revealing sensitive information or authorizing fraudulent payments.

This means that traditional training methods are no longer enough to prevent successful attacks. Modern security awareness programs need to be dynamic and engaging, simulating real-world scenarios and teaching employees to recognize email red flags and social engineering ploys.

For instance, employees should learn to identify signs such as spoofed sender addresses and grammatical errors, and to be cautious of unexpected requests, especially those involving financial transactions or changes to account information. Staff should also be encouraged to independently verify information through established channels.
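As an added illustration of these red flags (not part of the original article or TeamViewer's own tooling), the following Python check parses one message and reports display-name impersonation, lookalike sender domains, a Reply-To that diverges from the visible sender, and urgent payment language. The trusted domain, executive directory, urgency words and the sample lure are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: own domain, often-impersonated executives, lure words.
TRUSTED_DOMAINS = {"example.com"}
KNOWN_PEOPLE = {"dana ceo": "dana.ceo@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "gift card", "bank details")

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1-2 flags lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw_email):
    """Return the BEC red flags found in one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    # Display name belongs to a known executive, but the address does not.
    known_addr = KNOWN_PEOPLE.get(name.strip().lower())
    if known_addr and addr.lower() != known_addr:
        flags.append("display-name impersonation")
    # Sender domain is a near miss of a trusted domain (e.g. examp1e.com).
    if domain not in TRUSTED_DOMAINS and any(
            0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        flags.append("lookalike domain")
    # Replies are routed to a different mailbox than the visible sender.
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to mismatch")
    # Urgent financial language in subject or body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(word in text for word in URGENCY_WORDS):
        flags.append("urgent financial request")
    return flags

# Constructed message modelled on a CEO-fraud lure; no real addresses.
SAMPLE_LURE = """From: Dana CEO <dana.ceo@examp1e.com>
Reply-To: dana.ceo@mail-example.net
Subject: Urgent wire transfer

Please process this wire immediately and send me the bank details.
"""
```

Run `red_flags(SAMPLE_LURE)` to see all four flags raised on the constructed lure; a message from the genuine executive address with no urgency language returns an empty list.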

However, it’s worth pointing out that AI has presented a fundamental change in phishing and social engineering — and not in a good way. By using large language models (LLMs) in particular, attackers can generate flawless, highly targeted emails that appear far more trustworthy.

Little surprise, then, that AI was recently found to be used in more than 40% of BEC attacks. As a result, any security training that you introduce needs to be constantly evolving, capable of responding to these new threats.

Zero trust: The center of a secure remote landscape

Even with extensive employee training, BEC scams are growing more sophisticated and can get around human vigilance. This means that comprehensive security processes should always be in place alongside staff training.

The zero-trust security model is crucial here. It assumes no inherent trust for anyone, inside or outside the network. With it, every user and device must be continuously authenticated before accessing any resources. This makes it much harder for attackers. Even if they steal a login credential, they can’t automatically access the entire system.

Other security measures

A key component of zero trust is multi-factor authentication (MFA). Just like a physical security system requiring multiple forms of identification, MFA requires not just a username and password, but an additional verification factor like a code from a phone app or fingerprint scan. This makes unauthorized entry, including BEC scams, much harder.

A complement to zero trust and MFA is the principle of least privilege access — granting users only the minimum level of access needed to do their jobs. Imagine assigning keys that only unlock specific areas within the castle, not the entire grand hall. This minimizes the damage if credentials are compromised because attackers can only access the data and resources assigned to that specific user.

Companies should also use continuous monitoring and risk-based access decisions, like guards patrolling a fortress. Using advanced analytics, security teams can detect suspicious behavior and implement risk-based access controls. For example, access from an unrecognized location might prompt stronger authentication or additional approval.

Additionally, network segmentation is crucial for containing threats. By dividing the network into smaller compartments, even if attackers breach one section, their movement is limited, preventing them from compromising the entire network.
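Added example, not from the article or TeamViewer: a small Python decision function that combines the three controls just described (a least-privilege role map, mandatory MFA, and context signals such as an unrecognized device or location) into an allow, step-up, approval or deny outcome with logged reasons. The roles, resources, countries and the login scenario are constructed.

```python
from dataclasses import dataclass

# Constructed least-privilege map: each role reaches only what its job needs;
# HIGH_VALUE marks systems where an unfamiliar context warrants human sign-off.
ROLE_RESOURCES = {
    "finance": {"payroll", "invoices"},
    "support": {"ticketing"},
}
HIGH_VALUE = {"payroll"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_passed: bool
    known_device: bool
    country: str
    usual_countries: frozenset

def decide(req):
    """Return (decision, reasons) for one access request.

    decision is 'deny', 'step-up' (demand a second factor),
    'approval' (grant only after additional sign-off) or 'allow'.
    """
    # Least privilege: a valid credential grants nothing outside the role,
    # so a stolen support password never reaches payroll.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return "deny", ["resource outside role"]
    # MFA is mandatory; username and password alone are never enough.
    if not req.mfa_passed:
        return "step-up", ["second factor required"]
    # Context signals are recorded with the decision either way, so that
    # monitoring can spot a pattern even when access is granted.
    reasons = []
    if not req.known_device:
        reasons.append("unrecognised device")
    if req.country not in req.usual_countries:
        reasons.append("unrecognised location")
    if reasons and req.resource in HIGH_VALUE:
        return "approval", reasons
    return "allow", reasons

# Constructed scenario: a finance user's password has been phished and is
# replayed from a new device in a new country, without a second factor.
STOLEN_CRED = AccessRequest("alex", "finance", "payroll", mfa_passed=False,
                            known_device=False, country="XX",
                            usual_countries=frozenset({"DE"}))
```

`decide(STOLEN_CRED)` returns a step-up rather than access, and the same request with MFA satisfied still only reaches payroll after approval because the device and location are unfamiliar.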

Summary: A multifaceted approach is key to BEC defense

Building a strong defense against BEC attacks requires a layered approach. Implementing comprehensive security measures based on zero trust principles is crucial.

However, this alone is insufficient. Businesses also need to empower their employees to make informed decisions. Investing in ongoing security awareness training that includes real-world scenarios is vital for teaching employees how to identify and report suspicious activity effectively.

Furthermore, given the increasing sophistication of BEC attacks and their global impact, businesses need to merge these strategies with their existing security frameworks. This will not only enhance their defense against BEC attacks but also strengthen their overall cybersecurity posture.

Want more security tips?

Visit the TeamViewer Community to connect, get expert advice, and stay updated on our latest remote access and IT solutions.