What are BEC Attacks?
Attackers use three Business Email Compromise (BEC) techniques to phish their targets. Depending on the technique, a mixture of phishing emails, websites, attachments and senders may be used.
Types of BEC Attacks
BEC attacks leverage a few common techniques to perform their malicious action. The attacks may come in the form of a phishing website that harvests user credentials, a document that could take over your computer, or a reply-to attack where an attacker engages you in conversation.
Regardless of the technique in use, the common point of contact is a phishing email. The hard part for employees is spotting the phish: can they tell which emails are legitimate and which have malicious intent? Take a look below to better understand how these attacks may be performed.
Comes in the form of a malicious hyperlink embedded in an email. Once clicked, the victim is led to a phishing website that imitates a legitimate service (e.g. Office365, Gmail, etc.) and asks for login credentials. Once input, credentials are sent in real-time to an attacker.
Comes in the form of an email with a malicious attachment. Once downloaded and opened or executed, the attacker may gain instantaneous control over the victim's computer. The victim's computer may then have data stolen, encrypted, etc.
Protecting Against BEC Attacks
Attackers utilise a variety of tools to help them achieve their BEC objectives. These tools may help them exploit email spoofing vulnerabilities, they may help them assess whether your spam & malware filter can be bypassed or they may help with the delivery and orchestration of phishing campaigns.
To give your business the best chance at protecting against these attacks, CanIPhish have created a variety of free tools designed to help you assess and protect your own infrastructure.
The best way to defend against BEC attacks is to train your users how to spot them. Phishing simulations are designed with exactly that use case in mind. If your employees know about credential harvesting, endpoint compromise and reply-to attacks, they're less likely to fall victim when an attack occurs.
By simulating real-world phishing attacks, you'll be able to test your cyber readiness, reduce your phish click rates and meet your security compliance obligations.
Think you can spot a phish? Take a look at the Email Phishing Library provided by CanIPhish.
Email Domain Scanning
If your domain isn't configured in line with best practices, attackers may be able to spoof it and target your employees or customers. Attackers will abuse misconfigurations within your SPF and DMARC records to spoof your domain in phishing emails.
By utilising the free domain scanning tool provided by CanIPhish, you'll be able to spot SPF & DMARC issues, identify malicious mail senders in your supply chain and even see if your email infrastructure is vulnerable to attack.
Think you may be vulnerable? Take a look at the Domain Scanning Tool provided by CanIPhish.
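As an added illustration of the SPF and DMARC weaknesses described above (example code written for this page, not CanIPhish's own scanning tool), the script below parses the two TXT records a receiver would fetch for a domain and flags the settings that let spoofed mail through. The record strings are constructed samples; in practice you would paste in the output of `dig TXT example.com` and `dig TXT _dmarc.example.com`, and the checks are a small subset of what a full scanner performs.

```python
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.I)

def parse_spf(record):
    """Return (terms, all_qualifier) for a v=spf1 record, else None."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms, all_qualifier = [], None
    for term in parts[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"   # bare "all" means +all
        else:
            terms.append(term)
    return terms, all_qualifier

def parse_dmarc(record):
    """Return the tag dict of a v=DMARC1 record, else None."""
    tags = dict(p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means nothing weak was spotted."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("SPF missing: receivers cannot check the envelope sender")
    else:
        terms, qual = spf
        if qual == "+":
            findings.append("SPF +all: any host on the internet passes SPF")
        elif qual in (None, "?"):
            findings.append("SPF ends without -all/~all: unlisted senders get a neutral result")
        elif qual == "~":
            findings.append("SPF ~all: softfail only, many receivers still deliver")
        if sum(1 for t in terms if LOOKUP_TERMS.match(t)) > 10:
            findings.append("SPF has more than 10 DNS-lookup terms: evaluation returns permerror")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("DMARC missing: SPF/DKIM results are never enforced against the From header")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        if dmarc.get("pct", "100") != "100":
            findings.append("DMARC pct<100: policy applied to only part of failing mail")
    return findings

# Constructed sample records for a weak and a hardened domain
WEAK_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:_spf.google.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no weaknesses spotted"])
```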
Email Gateway Analysis
If your email infrastructure isn't configured in line with best practices, attackers may abuse it to build their own phishing email evaluation capability. This capability allows attackers to reduce the operational effectiveness of your email spam and malware filters, meaning more phishing emails land in employees' inboxes.
By utilising the open-source tool provided by CanIPhish, you can get a real-world view into how these attacks are performed.
Want to see this attack in action? Take a look at Phishious, the open-source GitHub project provided by CanIPhish.
Free Phishing Tools Ready For Use
Discover domains vulnerable to email domain spoofing and incorporate these into your simulated phishing campaigns.
Domain Tool Statistics
Track domain scan statistics to determine which domains to spoof in your simulated phishing campaigns and which to remediate.
Get the most out of CanIPhish with our comprehensive knowledge base, live chat, phone and email support.
Upload employees via CSV or automate directory synchronisation with our Azure AD and Google Workspace integrations.
Our highly dynamic platform enables you to use our hosted mail and web servers or to bring your own.
A full solution for everyone
Whether you're an enterprise looking to train users, a red teamer conducting a penetration test, or a hobbyist, we have you covered.