1. What is Business Email Compromise (BEC)?
A BEC occurs when a “bad actor” impersonates a senior executive and orders expedited transfers of funds to first-time vendors, who are often located overseas. The BEC is typically preceded by a phishing scheme or social engineering to gather information from company staff. Accounts are often emptied within hours of the wire transfer being initiated, and the full financial loss tends to fall on the company.
2. What is the difference between whaling and phishing?
Phishing attacks and whaling attacks are both forms of business email compromise in which bad actors aim to acquire sensitive information. The key difference between whaling and spear-phishing is that whaling attacks specifically target high-net-worth individuals or high-ranking executives in an organization, whereas spear-phishing attacks can target any individual.
3. Are there tools that we can put on our networks that prevent this type of attack?
There are tools and solutions that help mitigate the risk, but the last thing you should do is simply throw a tool at this problem; you will likely come up short. The fact is that you can never eliminate or fully mitigate the risk. The defense against this type of cyber attack is defense in depth: email hardening, email security technology, other security technologies, multifactor authentication, and user awareness and training. In other words, all these things in aggregate help. You should also evaluate the threat risk for your organization and look at what types of threats are affecting related industries. There are solutions, controls and approaches that definitely help mitigate the risk.
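To show what the “email technology” layer of that defense actually looks like, and why it is only one layer, here is an added example that is not part of the original panel material: a small Python triage routine that scores an inbound message for the BEC traits described in question 1 (an executive’s display name on an outside address, a mismatched Reply-To, urgency, and wire or vendor-payment language). The executive list, the internal domain example-corp.com, the keyword lists and both sample messages are constructed assumptions for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: who counts as an executive, and the company's own domain.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
INTERNAL_DOMAIN = "example-corp.com"

# Constructed keyword lists; real deployments tune these against their own mail.
URGENCY_TERMS = ("urgent", "asap", "today", "immediately", "confidential")
PAYMENT_TERMS = ("wire", "transfer", "invoice", "payment", "vendor", "bank details")


def bec_indicators(raw_message: str) -> dict:
    """Return a score, the indicators that fired, and a triage verdict for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    display_name, address = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    body_part = msg.get_body(preferencelist=("plain",))
    text = (body_part.get_content() if body_part else "").lower()
    subject = str(msg.get("Subject", "")).lower()

    indicators = []
    name = display_name.strip().lower()
    # Executive impersonation: the display name is an executive but the address is not theirs.
    if name in EXECUTIVES and address.lower() != EXECUTIVES[name]:
        indicators.append("executive display name with non-matching address")
    # Mail claiming to come from inside the company but sent from an outside domain.
    if domain and domain != INTERNAL_DOMAIN:
        indicators.append("external sender domain")
    # Replies quietly redirected to a different mailbox.
    if reply_addr and reply_addr.lower() != address.lower():
        indicators.append("Reply-To differs from From")
    # The social-engineering pressure described on the page: urgency and money movement.
    if any(t in text or t in subject for t in URGENCY_TERMS):
        indicators.append("urgency language")
    if any(t in text or t in subject for t in PAYMENT_TERMS):
        indicators.append("payment/wire language")

    score = len(indicators)
    return {"score": score, "indicators": indicators,
            "verdict": "review" if score >= 3 else "pass"}


# Constructed sample messages (example.net is a reserved documentation domain).
SAMPLE_BEC = """From: Jane Doe <jane.doe@example.net>
Reply-To: ceo.jdoe@example.net
To: accounts@example-corp.com
Subject: Urgent wire transfer needed today
Content-Type: text/plain; charset="utf-8"

Hi, I need you to process a wire transfer to a new vendor before close of business.
Keep this confidential. I'm in meetings, so reply here with the bank details form.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 board deck
Content-Type: text/plain; charset="utf-8"

Attached is the draft deck for next week's board meeting. Comments welcome.
"""

if __name__ == "__main__":
    for label, sample in (("constructed BEC", SAMPLE_BEC), ("constructed normal", SAMPLE_LEGIT)):
        result = bec_indicators(sample)
        print(f"{label}: score={result['score']} verdict={result['verdict']}")
        for ind in result["indicators"]:
            print("  -", ind)
```

The constructed BEC message fires all five indicators and is flagged for review; the normal message fires none. The limits are the point of the answer above: a message that avoids the keywords, or that comes from a genuinely compromised executive mailbox on the internal domain, scores low here, which is why this kind of filter is one layer alongside multifactor authentication, payment-verification procedures and trained staff rather than the whole defense.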
4. What do I do if I am the one who clicks on a phishing link?
Let’s start with what you should do: notify your IT team right away. There is a 70% chance you can recover your assets if you notify IT within the first 24 hours. Now let’s talk about what not to do. A lot of people think that if you get infected you should turn off your computer and wipe it clean. Those actions are bad for forensics, because forensics needs the hard disk from your computer in its original state so that a thorough investigation can be done. Shutting down the computer also degrades forensic evidence, because forensics needs to collect the RAM (the computer’s memory) to determine what connections are established and to gather further evidence. You can unplug the network cable to isolate the computer from the network so the attack doesn’t propagate, but do not shut it down, so that all possible forensic artifacts can be collected to investigate the attack and help the organization make the wisest decisions.
5. The panel today talked about changing thinking in the organization to treat cyber as enterprise risk. In that vein, what would you recommend organizations do to create that culture?
To change thinking in the organization so that cyber is treated as enterprise risk, it’s more about strategy and a programmatic approach to increasing user awareness, engagement and training, as opposed to one-and-done training. Types of training can include role-based training, exercise-based training, lunch-and-learns, webinars, and tabletop exercises. If your organization has a segment of personnel who are at higher risk of attack, such as executives, leadership or high-net-worth individuals, then it would be good to involve them. The companies we work with that are having a meaningful impact and seeing results in their cyber resilience across the organization execute on these types of continuous awareness programs. Organizations that are successful also put in place governance metrics and design outcomes tied to key risks and the most likely threats in their industry. The war against cyber-attacks is won on multiple fronts.