What are BEC Attacks?
Attackers use three Business Email Compromise (BEC) techniques to phish their targets. Depending on the technique, a mixture of phishing emails, websites, attachments and senders may be used.
Types of BEC Attacks
BEC attacks leverage a few common techniques to perform their malicious action. The attacks may come in the form of a phishing website that harvests user credentials, a document that could take over your computer, or a reply-to attack where an attacker engages you in conversation.
Regardless of the technique in use, the common point of contact is a phishing email. The hard part for employees is spotting the phish: can they tell which emails are legitimate and which have malicious intent? Take a look below to better understand how these attacks may be performed.
Protecting Against BEC Attacks
Attackers utilise a variety of tools to help them achieve their BEC objectives. These tools may help them exploit email spoofing vulnerabilities, assess whether your spam & malware filter can be bypassed, or deliver and orchestrate phishing campaigns.
To give your business the best chance at protecting against these attacks, CanIPhish have created a variety of free tools designed to help you assess and protect your own infrastructure.
Phishing Simulation
The best way to defend against BEC attacks is to train your users how to spot them. Phishing simulations are designed with exactly that use case in mind. If your employees know about credential harvesting, endpoint compromise and reply-to attacks, they're less likely to fall victim when an attack occurs.
By simulating real-world phishing attacks, you'll be able to test your cyber readiness, reduce your phish click rates and meet your security compliance obligations.
Think you can spot a phish? Take a look at the Email Phishing Library provided by CanIPhish.
Email Domain Scanning
If your domain isn't configured in line with best practices, attackers may be able to spoof it and target your employees or customers. Attackers will abuse misconfigurations within your SPF and DMARC records to spoof your domain in phishing emails.
By utilising the free domain scanning tool provided by CanIPhish, you'll be able to spot SPF & DMARC issues, identify malicious mail senders in your supply chain and even see if your email infrastructure is vulnerable to attack.
Think you may be vulnerable? Take a look at the Domain Scanning Tool provided by CanIPhish.
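A minimal offline check for the kind of SPF and DMARC weaknesses described above, as an added example (not CanIPhish's tool or code). The function names, finding messages and sample records are constructed for illustration; in practice the inputs would be the TXT records of the domain and of `_dmarc.<domain>`.

```python
def audit_spf(txt_records):
    """Flag SPF settings that leave a domain open to spoofing."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF missing: receivers cannot check which hosts may send"]
    if len(spf) > 1:
        return ["multiple SPF records: evaluation ends in permerror"]
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy lives in the redirect target; audit that record
        return ["SPF has no 'all' term: unmatched senders get a neutral result"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare "all" means +all
    weak = {"+": "SPF +all authorises every sender",
            "?": "SPF ?all is neutral and blocks nothing",
            "~": "SPF ~all only soft-fails unauthorised senders"}
    return [weak[qualifier]] if qualifier in weak else []


def audit_dmarc(txt_records):
    """Flag DMARC settings that do not enforce against failing mail."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC missing: receivers have no policy to apply"]
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (p.partition("=") for p in recs[0].split(";"))
            if k.strip()}
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC p={tags.get('p')}: failing mail is still delivered")
    if tags.get("sp") == "none":
        findings.append("DMARC sp=none: subdomains are not enforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy covers only part of failing mail")
    return findings


# Constructed sample records (not real domains): (domain TXT, _dmarc TXT)
SAMPLES = {
    "weak.example": (["v=spf1 include:_spf.mail.example ~all"],
                     ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"]),
    "strict.example": (["v=spf1 mx -all"], ["v=DMARC1; p=reject; pct=100"]),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        issues = audit_spf(spf_txt) + audit_dmarc(dmarc_txt)
        print(domain, "->", issues or "no spoofing-relevant findings")
```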
Email Gateway Analysis
If your email infrastructure isn't configured in line with best practices, attackers may abuse it to build their own phishing email evaluation capability. This capability allows attackers to reduce the operational effectiveness of your email spam and malware filters, meaning more phishing emails land in employees' inboxes.
By utilising the open-source tool provided by CanIPhish, you can get a real-world view into how these attacks are performed.
Want to see this attack in action? Take a look at Phishious, the open-source GitHub project provided by CanIPhish.
Free Phishing Tools Ready For Use
Sender Spoofing
Discover domains vulnerable to email domain spoofing and incorporate these into your simulated phishing campaigns.
Domain Tool Statistics
Track domain scan statistics to determine which domains to spoof in your simulated phishing campaigns and which to remediate.
Comprehensive Support
Get the most out of CanIPhish with our comprehensive knowledge base, live chat, phone and email support.
Directory Integrations
Upload employees via CSV or automate directory synchronisation with our Azure AD and Google Workspace integrations.
Flexible Infrastructure
Our highly dynamic platform enables you to use our hosted mail and web servers or to bring your own.
A full solution for everyone
Whether you’re an enterprise looking to train users, a red teamer conducting a penetration test, or a hobbyist, we have you covered.