
Do You Know How to Spot a BEC Phishing Attack?

Written by William Burke, CIC, Senior Vice President | Sep 26, 2023 2:25:56 PM

0nly dumb people fall for email phishing attacks, right? 0f course, everyone thinks they’re immune. 0nly a tech neophyte would fail to pick up on a sketchy note – especially from a familiar source.  

Well, did you notice that the first letter of each sentence in the opening paragraph was not a capital “O”? It was a zero. You would have an even harder time noticing the same trick inside an embedded URL. This deception is a well-established hacking technique called a homoglyph, or homograph, attack. The URL www.g00gle.com looks odd in plain text, but far less so when it is hidden behind a link you only see for a moment as you click. It gets worse when the substitute characters come from another alphabet, such as a Cyrillic “а” standing in for a Latin “a”; on screen the two can be identical. Before clicking, hover over the link (or long-press it on a phone) and read the actual destination, and treat any address containing “xn--” with suspicion, since that prefix is how non-Latin domain names are encoded behind the scenes. 
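The zero-for-O substitution above, and its Cyrillic cousin, can be caught by software as well as by eye. The following Python script is an added example written for this page, not code from Risk Strategies or the original post: it normalizes a link's host name to the Latin letters a reader would perceive, decodes punycode (xn--) labels back to what the browser would render, and compares the result against a small allow-list of expected domains. The confusables table, the trusted-domain set and the sample links are all constructed for the demonstration, and the registrable-domain logic is simplified to the last two labels.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed table of characters a reader sees as a Latin letter: the digit
# tricks from the post plus a few Cyrillic/Greek confusables. Deliberately
# small; production tooling uses the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u03bf": "o", "\u03b1": "a",
}

# Constructed allow-list of domains the reader expects to see in mail.
TRUSTED = {"google.com", "apple.com", "microsoft.com"}

# Constructed lookalike: Cyrillic а (U+0430) in place of Latin a, plus the
# xn-- (punycode) form that actually ends up in a mail client's href.
CYRILLIC_APPLE = "\u0430pple.com"
PUNYCODE_APPLE = CYRILLIC_APPLE.encode("idna").decode("ascii")


def skeleton(name):
    """Collapse a host name to the Latin letters a reader would perceive."""
    name = unicodedata.normalize("NFKC", name.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def decode_idn(host):
    """Turn xn-- labels back into the Unicode the browser would render."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA: leave as-is


def registrable(host):
    """Last two labels. Simplification: ignores suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def check_link(href, trusted=TRUSTED):
    """Findings for one href; an empty list means nothing looked off."""
    findings = []
    host = urlsplit(href).hostname or ""
    if not host:
        return ["no host in URL"]
    shown = decode_idn(host)
    if shown != host:
        findings.append(f"punycode host {host!r} renders as {shown!r}")
    if any(ord(ch) > 127 for ch in shown):
        findings.append("non-ASCII characters in host name")
    reg = registrable(shown)
    if reg in trusted:
        return findings
    for t in sorted(trusted):
        if skeleton(reg) == skeleton(t):
            findings.append(f"{reg!r} reads like {t!r} but is not it")
    return findings


def check_anchor(text, href, trusted=TRUSTED):
    """Check a link's href, and whether its visible text points somewhere else."""
    findings = check_link(href, trusted)
    if "." in text and " " not in text:  # the visible text itself looks like a URL
        url = text if "://" in text else "http://" + text
        text_host = urlsplit(url).hostname or ""
        real_host = decode_idn(urlsplit(href).hostname or "")
        if registrable(text_host) != registrable(real_host):
            findings.append(f"text shows {text_host!r} but target is {real_host!r}")
    return findings


if __name__ == "__main__":
    # Constructed (link text, href) pairs as they might appear in a phishing mail.
    samples = [
        ("www.google.com", "https://www.google.com/account"),      # legitimate
        ("www.google.com", "https://www.g00gle.com/account"),      # zeros for O's
        ("apple.com", f"https://{PUNYCODE_APPLE}/login"),          # Cyrillic а
        ("Reset your password", "https://accounts.google.com/reset"),  # real subdomain
        ("Reset your password", "https://login.micros0ft.com/"),   # zero for o
    ]
    for text, href in samples:
        print(f"[{text}] -> {href}")
        for finding in check_anchor(text, href) or ["ok"]:
            print("   ", finding)
```

The two checks complement each other: `check_link` catches a lookalike registrable domain regardless of how the link is presented, while `check_anchor` catches the older trick of link text that says one domain while the href goes to another. A mail gateway would run this over every anchor in an inbound message; a person gets the same answer by hovering and reading.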

Human error causes nearly 90% of all data breaches 

Lots of people fall for business email compromise (BEC) attacks. Worse, it usually takes a business a long time to discover that an attack has succeeded. According to IBM’s “Cost of a Data Breach Report 2023” (seriously, the link is fine), breaches that began with a BEC took a mean of 194 days to identify and a further 72 days to contain. 

Big or small, any business is at risk. If the threat actor targets a corporation of 1,000 employees, it’s a safe bet that not everyone knows each other, and any one person could fall into a BEC scam simply because the name on the email means nothing to them. Today’s remote work trend only adds to this exposure. Even in an attack on a small organization of 40 people, familiarity can be exploited. A BEC email spoofed to look like the boss urgently requesting login credentials, a wire transfer, or a change to a vendor’s payment details might not raise an eyebrow. A busy staff wearing lots of hats might not look too closely at the details and rush to meet the request. 

BEC phishing awareness training helps employees thwart cyberattacks  

So, what’s a business to do? Educate, educate, educate, and then educate some more: 

  • Make time to train your people – from the top down – on what a BEC can look like. The FBI has some solid training (yes, the link is legit) and real-life examples of BEC attacks. 
  • If you’re not sure how to train your team, lean on your IT professional and your cyber insurance broker. They can connect you with the right resources. 

Remember, time is money. Take the time to verify unusual or external emails and requests, and do it through a channel you already trust: call the sender back on a number you have on file, not one printed in the email, before sending money or credentials. In today’s world of electronic banking and ransomware, an extra 10 seconds to inspect an email or link could save your organization from an unauthorized transfer, a large ransom payout, or weeks spent rebuilding locked systems. 

Want to learn more about protecting your business from cyberattacks and their liability costs? The Cyber team at Risk Strategies can help you gain a better understanding of your cyber risk profile, improve deficiencies, connect with cyber resources, and get comprehensive insurance coverage. 

Find Will Burke on LinkedIn here. 

Connect with Risk Strategies Cyber Liability team here. 

About the author 

Will Burke specializes in commercial insurance and contract surety for the construction industry. He advises on risk management best practices, including the importance of phishing awareness training for the whole workforce.