New Guidance to Help Organisations Protect Against BEC Scams

Business email compromise (BEC) scams are a growing concern for organisations across sectors. According to recent government data, 84% of businesses and 83% of charities suffered a phishing attack in 2023. The National Cyber Security Centre (NCSC) has recently published new guidance on BEC, including practical steps to help organisations reduce the likelihood of falling victim.

What are BEC scams?

BEC is a form of phishing in which a cyber-criminal impersonates a trusted party to trick employees into transferring money, sharing confidential data or taking other harmful actions. The criminals behind BEC attacks typically send emails that look like routine business correspondence, usually requesting a business-related payment. They may pose as senior employees, suppliers, vendors, business associates or other entities the recipient already deals with.

Unlike conventional phishing campaigns, which are sent in bulk to large groups, BEC attacks are tailored to a specific individual, which makes them harder to spot and potentially more damaging.
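The impersonation described above leaves traces in the message headers: a familiar display name on an address that is not the real person's, a Reply-To that routes answers to a different domain, or a sender domain one character away from the organisation's own. The following Python check is an added example written for this article; it is not code from the NCSC guidance or from the page's authors. The organisation domain, the protected staff list and the two sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed illustrative values, not from the NCSC guidance: the organisation's
# own mail domain and the staff whose names are most likely to be impersonated.
ORG_DOMAIN = "example.com"
PROTECTED_STAFF = {
    "jane doe": "jane.doe@example.com",   # e.g. the finance director
    "sam patel": "sam.patel@example.com",  # e.g. the chief executive
}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com, exampIe.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> List[str]:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = _domain(from_addr)
    found = []

    # Display name belongs to a protected person, but the address is not theirs.
    real_addr = PROTECTED_STAFF.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        found.append(f"display name '{from_name}' used by {from_addr}")

    # Replies are routed to a different domain from the one the mail claims to come from.
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append(f"Reply-To {reply_addr} differs from sender domain {from_dom}")

    # Sender domain is one character away from the organisation's own domain.
    if from_dom and from_dom != ORG_DOMAIN and _edit_distance(from_dom, ORG_DOMAIN) == 1:
        found.append(f"lookalike sender domain {from_dom}")

    return found


# Constructed sample messages for the demonstration.
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.cfo@mail-provider.test
To: accounts@example.com
Subject: Urgent supplier payment

Please process the attached invoice today, I am in a meeting and cannot take calls.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 supplier payment run

Please run the normal payment batch on Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(raw) or "no indicators")
```

The checks are deliberately simple so they can run inside a mail gateway rule or a SOC triage script; a hit is a reason to hold the message for a human, not proof of fraud, and a clean result does not clear a message sent from a genuinely compromised internal mailbox.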

The NCSC’s guidance explained

The NCSC’s new guidance recommends organisations take the following steps to stop cyber-criminals and reduce the risks of BEC scams:

  • Increase staff awareness. Employees are the first line of defence against cyber-attacks. Organisations should provide thorough training to help staff spot phishing emails and report them swiftly.
  • Implement multifactor authentication (MFA). Organisations should enable MFA, a multi-step login process, on all online accounts so that a stolen or phished password alone is not enough for threat actors to gain entry.
  • Apply the “least privilege” principle. Organisations should only provide employees with access to the systems, networks and data they need to do their jobs and nothing more. For example, only a few select employees should be allowed to authorise payments.
  • Review digital footprint. Threat actors can use information from social media accounts to create targeted BEC scams. Staff, especially senior executives, should review their online account privacy settings and consider ways to reduce their digital footprint.

Guidance from the NCSC is particularly important for smaller businesses, which may lack the resources to implement the NCSC’s existing guidance on phishing attacks.

Government data reported that phishing attacks, including BEC scams, now impact a majority of businesses. Organisations should therefore review their cyber-hygiene measures and cyber-insurance cover to ensure maximum protection.

Visit the NCSC website to view their guidance in full. Contact us today for additional cyber-security resources and insurance solutions.