As business email compromise (BEC) tactics become more sophisticated, South African organisations need a holistic response plan in place, before an attack happens, writes Ryan Mer, CEO of eftsure Africa.

As technology advances, criminals are leveraging artificial intelligence and machine learning tools to craft sophisticated, convincing emails that mimic real individuals or organisations, persuading their recipients to make fraudulent payments or disclose sensitive information.

Their targets have shifted to specific industries and businesses, including law firms, accounting firms, and manufacturing companies, which comes as no surprise given that such entities engage in high-value transactions regularly.

What makes BEC attacks particularly insidious is that they often go unnoticed until it’s too late or are engineered in such a way as to exploit the urgency of demands and manipulate employees into acting quickly.

No business target is too big or small

It’s essential to keep an eye on BEC trends as small and medium-sized enterprises (SMEs) increasingly become prime targets due, at least in part, to relatively weaker defences against cybercrime.

One way to mitigate BEC attacks is for businesses to have a dedicated BEC incident response plan in place. This plan differs from traditional incident response strategies by prioritising speed and addressing gaps in internal financial controls.

It is a collaborative effort involving not only IT and cybersecurity specialists but also finance and accounting executives, particularly the CFO. This multidimensional approach helps to swiftly engage financial institutions and address potential control gaps that attackers exploit.

Why a BEC-specific response plan?

BEC attacks are unique cyber threats and need a dedicated response plan. Unlike traditional frauds, BEC attackers operate swiftly and employ complex tactics. As such, immediate action is essential to have any chance of halting illegitimate payments and recovering funds.

This plan emphasises the need for speed and addresses gaps in financial controls, especially for teams tasked with company payments.

A comprehensive BEC incident response plan involves thorough preparation and detailed implementation steps. It ensures immediate access to critical data that will aid investigations and recovery efforts, and should encompass the key stages of an incident response, from preparation and execution to ongoing communication and remediation.

Preparation, planning and execution

When a BEC incident happens, decisions need to be made quickly and under pressure, making preparation a key component of the response. An incident response team, led by the CFO and with clear roles and responsibilities defined for all team members, is instrumental in analysing, coordinating, and communicating during a BEC incident.

Key data points should include event logging, email forwarding logging, login logging, privilege escalation logging, and API and OAuth2 logging.

The process itself would likely necessitate swift execution, including notification of key stakeholders, locking down systems, analysing critical data, investigating using available evidence, ongoing liaison with financial institutions, and notifying relevant third parties.
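The log sources named above become most useful when they are correlated per account during the "analysing critical data" step. The following is an added example, not code from the article or from eftsure: it flags external forwarding rules, OAuth2 grants and privilege changes that follow a login from a country not previously seen for that user. The event schema, field names, the sample events, the placeholder country code "XX" and the single internal mail domain are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalised schema (not a vendor format).
EVENTS = [
    {"ts": "2024-03-04T08:01:00", "user": "ap.clerk@example.co.za", "type": "login", "country": "ZA"},
    {"ts": "2024-03-04T08:05:00", "user": "cfo@example.co.za", "type": "login", "country": "ZA"},
    {"ts": "2024-03-05T02:14:00", "user": "ap.clerk@example.co.za", "type": "login", "country": "XX"},
    {"ts": "2024-03-05T02:19:00", "user": "ap.clerk@example.co.za", "type": "forwarding_rule",
     "target": "archive@mail.example.net"},
    {"ts": "2024-03-05T02:31:00", "user": "ap.clerk@example.co.za", "type": "oauth_grant",
     "app": "Mail Sync Helper"},
    {"ts": "2024-03-05T09:00:00", "user": "cfo@example.co.za", "type": "forwarding_rule",
     "target": "pa@example.co.za"},
    {"ts": "2024-03-06T10:00:00", "user": "it.admin@example.co.za", "type": "privilege_escalation",
     "role": "Global Admin"},
]
INTERNAL_DOMAIN = "example.co.za"  # assumption: one internal mail domain


def is_followup(ev):
    """Actions worth reviewing when they follow an unfamiliar login."""
    if ev["type"] == "forwarding_rule":
        # Forwarding inside the organisation is not flagged; external targets are.
        return not ev["target"].lower().endswith("@" + INTERNAL_DOMAIN)
    return ev["type"] in {"oauth_grant", "privilege_escalation"}


def triage(events, window=timedelta(hours=1)):
    """Return {user: [(timestamp, event type), ...]} for follow-up actions that occur
    within `window` after a login from a country not seen before for that user."""
    seen = {}      # user -> countries already observed (first login sets the baseline)
    suspect = {}   # user -> time of the latest unfamiliar login
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort chronologically
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "login":
            known = seen.setdefault(user, set())
            if known and ev["country"] not in known:
                suspect[user] = ts
            known.add(ev["country"])
        elif is_followup(ev) and user in suspect and ts - suspect[user] <= window:
            findings.setdefault(user, []).append((ev["ts"], ev["type"]))
    return findings


if __name__ == "__main__":
    for user, hits in triage(EVENTS).items():
        print(user, hits)
```

On the constructed sample, only the accounts-payable mailbox is flagged; the CFO's internal forwarding rule and the administrator's role change, which follow no unfamiliar login, are left to normal change review.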

Prevention is the only real solution

While a robust BEC incident response plan will become all but indispensable for modern businesses, the odds of recovering stolen funds are low. Given the odds, taking the right steps to prevent a BEC attack from being successful is critical, which would include having robust email security measures in place from the get-go.

Independent third-party verification systems like eftsure can offer an extra layer of protection by automating payment checking and supplier verification, saving time on manual processes and reducing human error.

By implementing payment screening technology, finance departments can confirm the accuracy of account numbers before authorising fund transfers – ensuring funds reach the right account.