Proofpoint’s report states that spearphishing/BEC “have collectively scammed victims out of more than $2 billion globally” and that these “threats have hit more than 7,000 companies since the FBI’s Internet Crime Complaint Center (IC3) began tracking this type of scam in late 2013.” When I blogged about the FBI report “Watch out for BEC (Business eMail Compromise- aka Spearphishing) which has cost $2.3+ BILLION!” I had not seen Proofpoint’s report “Impostor Email Threats- 4 Business Email Compromise Techniques and How to Stop Them” with these four recommendations:
- Deploy an email gateway that supports advanced configuration options for flagging suspicious messages based on attributes (such as direction and Subject line) and email authentication techniques.
- Adopt advanced threat solutions to identify and block targeted attacks that travel over email, the No. 1 threat vector. These solutions must take into account the increasing sophistication of emerging threats and socially engineered attacks. Speak to your security vendor about system settings to identify and block impostor email threats.
- Put internal finance and purchasing controls in place to authenticate legitimate requests. These controls should include a secondary, out-of-band, in-person, or phone approval by another person in the organization.
- Make users aware of the latest social engineering and phishing schemes through regular training. Done right, “phishing” your own employees can also be a useful test of how effective your user-awareness efforts are. This approach also helps address the “human factor” of attacks.
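To make the first recommendation concrete, here is an added example (mine, not Proofpoint’s product logic or anything from their report) of the kind of attribute-based triage a gateway rule set performs on an inbound message: direction (inbound mail that claims to be from our own domain), display-name impersonation of an executive, a Reply-To that points somewhere other than the sending domain, a typosquatted lookalike of our domain, SPF/DKIM/DMARC results read from the Authentication-Results header, and a financial or urgent Subject line used only as a tie-breaker. The domain `example.com`, the executive list, the keyword list and all five sample messages are constructed for the example; the `.example` addresses are reserved names, not real mailboxes.

```python
"""Heuristic impostor-email (BEC) triage over raw RFC 5322 messages.

Added example, not vendor code. The organisation, executives and
sample messages below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                 # assumption: the protected organisation
EXECUTIVES = {                             # assumption: names attackers like to imitate
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
URGENT_SUBJECT = re.compile(
    r"\b(urgent|wire|transfer|payment|invoice|w-?2|gift cards?)\b", re.I)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def levenshtein(a, b):
    """Edit distance; small enough here that the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, ours=OUR_DOMAIN):
    """Cheap typosquat check: within two edits of our domain but not equal to it."""
    return domain != ours and levenshtein(domain, ours) <= 2


def triage(raw, inbound=True):
    """Return (verdict, reasons). `inbound` is what the gateway knows from the
    connection; it is not derived from the (forgeable) From header."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    reasons = []

    # Direction attribute: mail arriving from outside but wearing our own domain.
    if inbound and from_dom == OUR_DOMAIN:
        reasons.append("inbound mail claiming our own domain")

    # Display-name impersonation: a known executive's name on a foreign address.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        reasons.append(f"display name {name!r} impersonates {exec_addr}")

    if is_lookalike(from_dom):
        reasons.append(f"lookalike sender domain {from_dom}")

    # Reply-To redirection: replies go to a domain other than the apparent sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        reasons.append(f"Reply-To {reply} differs from From domain")

    # Email authentication results as stamped by the receiving MX.
    for mech, result in AUTH_RESULT.findall(str(msg.get("Authentication-Results", ""))):
        if result.lower() in ("fail", "softfail", "permerror"):
            reasons.append(f"{mech.lower()}={result.lower()}")

    # Subject line is a weak signal: only counted alongside a stronger one.
    subj = str(msg.get("Subject", ""))
    if reasons and URGENT_SUBJECT.search(subj):
        reasons.append(f"urgent/financial subject: {subj!r}")

    verdict = "quarantine" if len(reasons) >= 3 else "flag" if reasons else "pass"
    return verdict, reasons


# Constructed sample messages (not captured traffic).
IMPOSTOR = """\
From: Jane Doe <jane.doe.ceo@gmail.example>
Reply-To: Jane Doe <j.doe@mail-relay.example>
To: cfo@example.com
Subject: URGENT wire transfer needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.example; dkim=pass; dmarc=none

Are you at your desk? I need a wire sent before 3pm. Keep this confidential.
"""

LOOKALIKE = """\
From: Accounts Payable <ap@examp1e.com>
To: finance@example.com
Subject: Invoice 4471 - updated bank details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Please use the attached new account for all future payments.
"""

SPOOF = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Payment approval
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Approve the attached payment, I am travelling and cannot call.
"""

LEGIT_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Payment approval

Approved, thanks.
"""

LEGIT_VENDOR = """\
From: Sales <sales@vendor.example>
To: purchasing@example.com
Subject: Quarterly newsletter
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example

Our Q3 catalogue is out.
"""

if __name__ == "__main__":
    for label, raw, inbound in [("impostor", IMPOSTOR, True), ("lookalike", LOOKALIKE, True),
                                ("spoof", SPOOF, True), ("internal", LEGIT_INTERNAL, False),
                                ("vendor", LEGIT_VENDOR, True)]:
        print(label, *triage(raw, inbound))
```

Two caveats the samples are built to show: the lookalike-domain message passes SPF, DKIM and DMARC, because the attacker controls `examp1e.com`, so authentication alone does not stop it and the lookalike check is what catches it; and the subject keywords are deliberately not enough on their own, otherwise every genuine internal “Payment approval” would be flagged and the gateway would be ignored within a week. Real gateway rule sets also key on the message arriving from outside while bearing your own domain, which is why `inbound` comes from the connection rather than from any header.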