How to protect your business from AI-driven BEC attacks
The rise of AI has, significantly but unsurprisingly, led to an increase in criminals using platforms such as ChatGPT and WormGPT – a new generative tool, designed specifically for malicious activities – to assist them in committing cyber crimes.1
AI has prominently been used by cybercriminals in Business Email Compromise (BEC) attacks. The National Cyber Security Centre has defined a BEC as ‘a form of phishing attack where a criminal attempts to trick a senior executive (or budget holder) into transferring funds, or revealing sensitive information.’2
This article by Fast Company has detailed that cybercriminals are increasingly favouring BEC over ransomware attacks – and this rise has been evidenced in data showing that the number of BEC attacks per email box grew by a massive 84% in the first half of 2022.3
BEC, according to Fast Company, ‘does not involve cryptocurrency and tends to fly under the radar in comparison to ransomware, which can involve scrutiny and federal investigation.’
How is AI driving Business Email Compromise?
Generative AI tools make it incredibly straightforward for cybercriminals to fraudulently impersonate CEOs or senior executives. Even in different languages, AI can be trained to create multiple variations of phishing emails almost instantly. The attack, impersonating the writing style of anyone, seems authentic and plausible. Audio and video cloning technologies aren’t safe from AI, either – false identities are very easily created, and can be indistinguishable from the real person, making scams even harder to recognise.
What steps can I take to protect my business from BEC attacks?
It’s essential for businesses to raise awareness and take precautions against BEC attacks, to help mitigate the risk. L Wood have put together the best steps for you to take:
The development of training programs is an essential practice for companies. Extensive training, with regular updates and revisions, aimed at countering BEC attacks, specifically those enhanced by AI can educate employees. With classroom exercises, coaching, and phishing simulations, employees can fall into the habit of recognising and reporting suspicious activities, and be best prepared to tackle them.
Policies & procedures
Keep policies and procedures in place to double-check every request, and recognise any sudden changes to bank accounts or delivery addresses, and any urgent instructions to transfer funds. Contact information should always be verified through trusted sources.
Enhanced email verification
Email verification processes should be enhanced to a highly stringent level to safeguard against AI-driven BEC attacks. Systems that automatically highlight potentially malicious keywords in emails, and when emails outside the organisation impersonate internal executives or vendors, are necessary, and ensure thorough examination before any harmful action is taken.
Strong cybersecurity is paramount to prevent cybercriminals from hacking user accounts. Businesses should make use of anti-spam solutions with AI technology to help detect BEC attacks, and technologies such as phishing-resistant multi-factor authentication and zero-trust are highly advisable. DMARC, DKIM, and SPF protocols can also prevent attackers from spoofing domain names.
Businesses need to take precautions against AI-driven BEC attacks with a combination of training programs, policies and procedures, enhanced email verification, and strong cybersecurity measures. Companies are increasingly vulnerable, and need to consider insurance as a way of helping to mitigate these risks. Safeguard your business against cybercrimes today.
To learn more about our business insurance for Cyber Liability and Financial Crime, click here.
To contact us with any queries, click here.
2National Cyber Security Centre, 2020. https://www.ncsc.gov.uk/files/Business-email-compromise-infographic.pdf3Abnormal, 2022. https://abnormalsecurity.com/blog/bec-attacks-increasing-new-research-shows