Gartner Security Analysts Name BEC Phish a Top 10 Priority

Anti-Phishing Remains a Top 10 Issue for Organizations,
Says Gartner

If you weren’t among the 3,500 fellow security pros packing the halls at Gartner Security Summit this year to learn, debate and network, you should know that yet again, a hot topic of the event – reflected in Gartner analyst Neil MacDonald’s “Top 10 Cybersecurity Challenges” session – is the email forwarded from an annoyed CEO, that simply reads:


Those dreaded question marks often mean one thing to a CISO: that a malicious email or targeted phish has slipped past their security defenses, and into their executive’s inbox.

I hear this problem repeatedly from CISOs across the country. Attackers are successfully launching phishing campaigns that easily evade defenses and don’t even require links or attachments to wreak havoc. Business Email Compromise (BEC) – also referred to as CXO fraud or Impostor attacks – is effective at slipping past traditional defenses, including Office 365, Gmail and Secure Email gateways – and has caused more than $12 billion in business losses over the past five years.

This problem continues to be such a serious challenge for security professionals that MacDonald reminded them to prioritize BEC as a Top 10 Security Project in 2019.

Now, why is BEC fraud getting so much attention?

    • First, attackers are going after the individual – not the protocol. Criminals spend weeks or months studying an organization’s executives, vendors and billing systems – even an executive’s writing style and schedules – so they can mimic them credibly, at the right moment.
    • Second, BEC exploits deeply ingrained social traits, such as the trust people have toward their organizational leaders and the natural propensity to collaborate . A simple email that appears to originate from a CEO, to his or her executive assistant asking to wire funds, can harm a company’s bottom line as much as (if not more than) a sophisticated, malware download attack.
    • Third, a BEC phishing email usually carries no attachments, malware, or payloads, and is “clean” of suspicious links or sites. The extensive use of anti-phishing training and educational resources have created a false sense of trust: what danger could possibly lurk in a simple email with no attachments or links?
    • And finally, because BEC fraud is file-less, linkless and often sent by imposters from valid email accounts that pass email authentication checks, traditional defenses, including Office 365, Gmail and secure email gateways (SEGs), frequently miss the malicious nature of these campaigns.


The Rising Cost of BEC to Businesses

You might recall that Gartner also ranked active anti-phishing as a top three security project last year. Prioritizing BEC phishing is critical because it’s a threat that has the potential to cause a high degree of negative business impact. Reducing BEC also reduces a high amount of risks.

And recent statistics from the FBI IC3 agency confirm the damaging nature and continued growth in frequency of these attacks. As noted in the image below, last year the agency received over 300,000 complaints of attacks that resulted in businesses losses of over $2.7B. BEC accounted for a whopping $1.2B, or 45 percent, of losses.


The Key to Defeating BEC: Source & Sentiment

However, a new kind of approach (that doesn’t rely on your employee’s security awareness) can counter BEC attacks (and other types of advanced phishing attacks). At the summit, in his Top 10 Security Projects session Q&A, MacDonald mentioned that Area 1 offers an effective way to block phishing campaigns, including BEC, before they hit your employees’ inboxes.

How do we do it? It’s a two-fer:

      1. Root out the Source: Area 1 takes an innovative approach to advanced threat protection that’s preemptive, comprehensive and accountable. In the case of BEC attacks, that means inspecting message context by looking at the trustability and authenticity of the sender in unique new ways.
      2. Understand the Sentiment: By using sophisticated matching models to check that messages appearing to be from an executive, actually originate from known sending domains, and by analyzing subject and content language and sentiment, we’re able to effectively detect BEC email that traditional defenses miss, and therefore prevent delivery of imposter email to employee inboxes.

There are other benefits to this innovative approach. As one of our fintech customers, LendingHome, notes;

“Freeing employees from the need to examine, report, and authenticate suspicious emails let them focus on their core roles and responsibilities, all while knowing that their email is safe.”

We agree. It isn’t every employee’s job to correctly flag every suspicious BEC phish that happens to get past their company’s SEG and perimeter defenses.

Phishing, especially BEC and executive impersonation attacks, remains one of the biggest cybersecurity issues facing organizations, large and small. It is trivial for attackers to take advantage of the implicit trust that exists between employees in an organization; and it is not a winning strategy to rely on educating employees or leveraging legacy defenses to stop these.

Area 1 helps numerous Fortune 500 healthcare, financial services and manufacturing organizations protect their executives against Business Email Compromise. To find out how we can protect your organization from BEC and other phishing attacks, schedule a briefing or a demo.

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!



Shalabh Mohan

VP, Product at Area 1

With a career spanning 20 years fighting bad guys online, Shalabh leads all product and go-to-market functions at Area 1 Security, with extensive prior experience across security, enterprise, and cloud infrastructure companies such as Aspen Networks, IronPort Systems, Cisco and Bracket Computing. Shalabh and his teams have taken products from conception all the way to large scale businesses; and in the process have consistently helped make the Internet a safer place. An alumnus of Stanford University and the University of Texas at Austin, Shalabh holds five patents and can claim to know something about enterprise infrastructure and security.

How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.