The next generation of phishing

05 October 2018

Special feature from Dr. Guy Bunker, SVP Products, Clearswift, JLT’s Consortium Partner.

Phishing, as a means for cyber criminals to use email to access an organisation, has been around for a long, long time. So long, in fact, that there is now spear phishing (targeting an individual), whaling (targeting the CEO and other CxOs) and minnowing (going after those lower down in the organisation who have access to critical information). The next generation of phishing is called BEC or Business Email Compromise and it is having a bigger impact on companies than ransomware.

BEC is when cyber-criminals use email spoofing to quickly defraud a business out of substantial sums of money. In a survey on Internet Crime published by the FBI in 2017, BEC topped the list for business losses and was in the top 10 for the number of affected victims. You are nine times more likely to be targeted by BEC than ransomware, and financial losses from BEC are 290 times higher than those from ransomware.

The premise is simple, an email is sent to someone in the organisation with, for example, a request to pay an invoice or to change some account details. The sender appears to be ‘the boss’ and the recipient is someone who deals with paying invoices, i.e. someone in the finance team. Human nature inclines you to trust the sender because of the name and this is why BEC has become so successful.

There are three simple methods for Business Email Compromise:

  1. The first method is to setup a fake email account with the name of the CxO. An email is then sent with the ‘reason’ they can’t get access to their corporate emails (they are on ‘vacation’ perhaps).
  2. The next method is to use a fake or cousin domain – a corporate domain, but ending in .biz or using a slight misspelling. So at first glance the email appears to be from the right person with the right email address.
  3. The final method and the approach taken by the vast majority of BEC attackers is simple display name deception. What the recipient sees on their screen is not what is used under the covers.

While BEC usually involves spoofing internal employees, it can also involve spoofing suppliers. Attackers commonly do this by requesting an account change for the invoices to be paid into. There is no request for an invoice to be paid at this stage, but the next time one comes in, it gets paid into the wrong account.

Subscribe to our  Latest Cyber Decoder newsletter

Five ways to protect yourself from BEC:

  1. Educate employees about this threat. Explain what it is and how you can spot it. Look closely at the sender and put your ‘mouse’ over the sender’s email address to see if there is a different address underneath. In short, if it looks strange, don’t trust it.
  2. Automatically annotate emails from outside the organisation to highlight to the recipient that this is from outside. Remember to tell staff about the annotation and why it is there.
  3. Put in place processes to deal with being compromised. Let staff know what to do and who to contact, if they think they have fallen victim to BEC. Also consider augmenting your process for setting up or changing the bank details of suppliers. Have more than one person look it over to check the authenticity of the request. Good practice involves calling the supplier to check that the request really did come from them.
  4. Use all the anti-spoofing/anti-phishing functionality you have on your email gateway. This should include SPF, DKIM and DMARC. If your gateway doesn’t have this, then consider changing it for one that does. In the UK, guidelines for local government state that these features should be used. This is good advice for businesses of all sizes.
  5. Set up ‘soft-spoof’ rules for executives and board members. On advanced email gateways it is possible to set up rules that rapidly look for emails from specifically named people to flag them. This can mitigate the risks from fake email accounts.

Business Email Compromise (BEC) is a real threat that has swept its way across America and is now being increasingly seen in Europe. It can result in real financial loss, but it can be mitigated using the three-pronged approach of people, process and technology. Technology is the final piece to enforce your policies and process keeps the people (and company) safe.


Clearswift is trusted by organisations globally to protect critical information, giving them the freedom to securely collaborate and drive business growth. Its major products are email and web security gateways with technology supporting the hygiene of both; and an award-winning ‘adaptive’ data loss prevention solution to avoid the risk of business interruption and enable organisations to gain control and visibility of their critical information 100% of the time. As a global organisation, Clearswift is headquartered in the United Kingdom, with offices in the United States, Germany, Australia and Japan, and an extensive partner network across the globe. For more information:

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on