Peak holiday season Business Email Compromise caution from BSI

28 July 2020

The cybersecurity and information resilience team at BSI is advising organizations to remain alert to an increase in Business Email Compromise (BEC) attacks during the peak holiday season. A recent report¹ revealed that almost half of organizations have at least one compromised account, stressing the importance for organizations to have proper email security governance and controls in place.

It is estimated that between 2016 and 2019, BEC attacks equated to financial losses of €22.8² billion internationally and in the US. With 95 per cent³ of data breaches starting with an email, this highlights the need for organizations to implement robust email security solutions that can detect and stop email threats to maintain their information resilience.

Stephen Bowes, Global Practice Director for Data Management and Security Technologies at BSI, explains: “Many organizations are in a vulnerable position as remote working continues and annual leave peaks. Attackers are using this opportunity to try and impersonate an employee’s colleague or senior executive to gain sensitive company information. With email phishing, an attacker relies heavily on social engineering tactics to identify VAPs (very attacked persons) and they can be anyone in an organization, from the accountant, HR executive to a high-profile individual such as the CEO. The current threat landscape shows that cyber criminals are targeting individuals, not infrastructure, making it vital for organizations to take a people-centric approach right now.”

“Working with our clients and analyzing both the industry and recent incidents, securing email is one of, if not the single most important step, that organizations need to consider. Doing so will mitigate most inbound attacks and reduce an organization’s surface attack area. I would also encourage businesses to implement an awareness and training programme so that users can learn to spot and report malicious emails.”

“The increase in social engineering means that everyone needs to be mindful of what is posted on social media too. Our advice is to verify the origin of an email address or phone number and implement authentication procedures to confirm legitimacy before sharing any sensitive information.”

The Consulting Services team at BSI provides a range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance. For more information visit bsigroup.com/cyber-uk