Strategies for combating AI-enhanced BEC attacks

In this Help Net Security interview, Robert Haist, CISO at TeamViewer, discusses how AI is being leveraged by cybercriminals to enhance the effectiveness of BEC scams.

How is AI being leveraged by cybercriminals to enhance the effectiveness of BEC scams?

BEC attacks are undoubtedly trending and have been triggered by the shift to hybrid and remote work and the accompanying change in employee habits and security landscape. For example, a rise in the use of personal devices for work has created security gaps as they often lack protection protocols. Additionally, managing a geographically dispersed workforce makes it more difficult for IT teams to maintain network visibility and control over data access. Both create the perfect grounds for BEC attackers to exploit vulnerabilities on personal devices or trick employees into granting unauthorized access to systems.

The rise of AI has so far been no help when it comes to this issue. As BEC attacks target individual employees via email from people pretending to be a higher-up in the company, a vendor, partner, or others, AI plays an increasing role in the effectiveness of these scams. For example, BEC scammers can draft emails in various languages with the help of AI, broadening their reach significantly.

AI can also help scammers improve their impersonation of a victim’s boss, for example, by personalizing the message and using their tone of voice to win over the employee’s trust. On a more basic level, AI also streamlines the writing process, ensuring minimal grammatical and spelling errors.

What are the common indicators of a BEC attack, and what preventive measures can enterprises implement?

Common indicators used to be poor grammar or spelling, but with AI streamlining the actual writing of emails, spelling errors are increasingly few and far between in phishing emails. One of the most common indicators is a sense of urgency, where the BEC scammer pressures the recipient to act quickly and bypass normal protocols, such as skipping the usual approval processes or ignoring security procedures. Other indicators include spoofed sender addresses, odd links and attachments, unusual payment methods, and more.

There are two main ways to prevent or curb these attacks. The first is security awareness training, which empowers employees to become active participants in the fight against phishing attacks, including BEC scams. Traditional training that warns employees about phishing emails is no longer enough to prevent successful attacks – they must be dynamic and engaging.

Security awareness programs should simulate real-world scenarios, teach employees how to identify red flags in emails, and equip them with the skills to recognize social engineering tactics. For example, empowering them to identify common indicators, such as mismatches between email addresses and grammatical errors, and training them to be skeptical of unexpected requests, especially those involving financial transactions or changes to account information.

Additionally, staff should be encouraged to verify information independently through established channels. For example, calling their known phone number or contacting the sender through a different communication method – like Slack or Microsoft Teams – to confirm their request is legitimate. These training programs should also be ongoing to ensure employees remain vigilant and skeptical of suspicious emails.

The other must-have preventative measure is a zero-trust approach, meaning every user and device – regardless of location or perceived trust level – must be continuously authenticated before gaining access to any resources. This significantly raises the bar for attackers because even if they manage to compromise a single login credential, they won’t have automatic access to the entire system. A key component of zero-trust is multi-factor authentication (MFA), which acts as multiple locks on every access point. So, MFA requires not just a username and password but an additional verification factor like a code from an app or fingerprint scan. This makes unauthorized entries, including through BEC scams, much harder.

An additional complement to zero-trust is the principle of least privilege access, which grants users only the minimum level of access required to perform their jobs. This minimizes the damage should credentials be compromised, as attackers can only access the data and resources assigned to that specific user.

What lessons can enterprise CISOs learn from the most notable BEC attacks? What practical advice would you give them?

In addition to employee training and a zero-trust approach, companies should leverage continuous monitoring and risk-based access decisions. Security teams can use advanced analytics to monitor user activity and identify anomalies that might indicate suspicious behavior. Additionally, zero trust allows for implementing risk-based access controls – for example, access from an unrecognized location might trigger a stronger authentication challenge or require additional approval before granting access.

Security teams can also use network segmentation to contain threats. This involves dividing the network into smaller compartments. So, even if attackers manage to breach one section, their movement is restricted, preventing them from compromising the entire network.

Given the evolving nature of BEC attacks, it’s crucial for businesses to proactively adapt their security strategies. What trends do you foresee, and how should businesses respond?

The level of remote work in the United States has remained steady since 2022 and may reach even higher levels in 2024 – so working from home is here to stay. That means we can expect similar levels or even more BEC attacks in the coming year. Especially with AI making phishing emails far more convincing, we’re anticipating the trend of BEC attacks to continue to grow. That’s why it’s so important to be well-prepared with a holistic security model centered around zero trust.

What advice would you give to IT and security professionals to better defend their organizations against BEC attacks?

Building a robust defense against BEC attacks requires a layered approach. Comprehensive security strategies that leverage zero trust are a must. However, they can’t do all the heavy lifting alone. Businesses must also empower their employees to make the right decisions by investing in security awareness training that incorporates real-world scenarios and teaches employees how to identify and report suspicious activities. Only by investing in both will companies be able to better protect themselves against BEC scams.