
Strategies to combat AI-powered BEC attacks

In this Help Net Security interview, Robert Haist, CISO at TeamViewer, discusses how cybercriminals are using AI to increase the effectiveness of BEC scams.


How is AI used by cybercriminals to increase the effectiveness of BEC scams?

BEC attacks are undoubtedly trending and have been triggered by the shift to hybrid and remote work and the associated change in employee habits and security landscape. For example, the increasing use of personal devices for work has led to security vulnerabilities as they often lack protective protocols. Additionally, managing a geographically dispersed workforce makes it more difficult for IT teams to maintain network visibility and control over data access. Both provide BEC attackers with ideal conditions to exploit vulnerabilities on personal devices or trick employees into granting unauthorized access to systems.

The rise of AI has so far not helped with this problem. Because BEC email attacks target individual employees and originate from people pretending to be a company manager, supplier, partner, or others, AI is playing an increasing role in the effectiveness of these scams. For example, BEC fraudsters can use AI to compose emails in different languages, significantly expanding their reach.

AI can also help scammers better impersonate a victim’s boss, for example by personalizing the message and using their tone of voice to gain the employee’s trust. On a more basic level, AI also optimizes the writing process, ensuring minimal grammatical and spelling errors.

What are the most common indicators of a BEC attack and what preventative measures can companies take?

Poor grammar or spelling used to be common indicators, but as AI optimizes the actual writing of emails, spelling errors in phishing emails are becoming less common. One of the most common indicators is a sense of urgency, where the BEC scammer pressures the recipient to act quickly and bypass normal protocols, such as skipping the usual approval processes or ignoring security procedures. Other indicators include fake return addresses, strange links and attachments, unusual payment methods, and more.

There are two main ways to prevent or mitigate these attacks. The first is security awareness training that allows employees to actively participate in combating phishing attacks, including BEC scams. Traditional training that warns employees about phishing emails is no longer enough to prevent successful attacks – it needs to be dynamic and engaging.

Security awareness programs should simulate real-world scenarios, teach employees to recognize warning signs in emails, and equip them with the skills to recognize social engineering tactics. For example, such a program will enable them to recognize common indicators, such as inconsistencies between email addresses and grammatical errors, and train them to be skeptical of unexpected requests, especially those involving financial transactions or changes to account information.

Additionally, employees should be encouraged to independently verify information through established channels. For example, they can call the sender's known phone number or contact the sender using another communication method – such as Slack or Microsoft Teams – to confirm that the request is legitimate. These training programs should also be conducted on an ongoing basis to ensure employees remain vigilant and skeptical of suspicious emails.

The other essential preventive measure is a zero trust approach, meaning that every user and device – regardless of location or perceived level of trust – must be continually authenticated before being granted access to resources. This significantly raises the bar for attackers because even if they manage to compromise a single credential, they do not automatically have access to the entire system. A key component of zero trust is multi-factor authentication (MFA), which acts as a multiple lock on each access point. MFA requires not only a username and password, but also an additional verification factor such as a code from an app or a fingerprint scan. This makes unauthorized access, including through BEC fraud, much more difficult.

Another addition to zero trust is the principle of least privilege access, which grants users only the minimum level of access they need to perform their tasks. This minimizes the damage if credentials are compromised because attackers can only access the data and resources assigned to that specific user.
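The indicators named in this answer (a sense of urgency, fake return addresses, strange links, unusual payment methods, inconsistencies between email addresses) can be turned into a simple triage check. The script below is an added example written for this page; it is not part of the interview and not TeamViewer's tooling. It parses one RFC 5322 message, flags a lookalike sender domain, a Reply-To that points somewhere other than the From address, urgency wording, payment-related requests, requests to bypass the normal approval process, and links to hosts outside the organisation's domain. The trusted domain `example-corp.com`, the keyword lists and both sample messages are constructed for the example.

```python
"""Heuristic BEC indicator check for a single email message (added example)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import List

# Domains the organisation legitimately sends from (constructed sample value).
TRUSTED_DOMAINS = {"example-corp.com"}

# Wording that pressures the recipient, asks for money, or asks to skip controls.
URGENCY_TERMS = ("urgent", "immediately", "right away", "asap", "end of day", "time-sensitive")
PAYMENT_TERMS = ("wire transfer", "bank details", "payment", "invoice", "account number", "gift card")
BYPASS_TERMS = ("skip the approval", "without the usual", "don't loop in", "keep this between us", "confidential")


def normalise_domain(domain: str) -> str:
    """Undo common homoglyph substitutions so a lookalike collapses onto the real domain."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def domain_of(header_value: str) -> str:
    """Return the domain part of the first address in a From/Reply-To header."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message, policy=default)
    findings: List[str] = []

    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_domain

    # 1. Sender domain is not trusted as written but matches a trusted one once homoglyphs are undone.
    trusted_normalised = {normalise_domain(t) for t in TRUSTED_DOMAINS}
    if from_domain not in TRUSTED_DOMAINS and normalise_domain(from_domain) in trusted_normalised:
        findings.append(f"lookalike sender domain: {from_domain}")

    # 2. Replies would go to a different domain than the one shown in From (fake return address).
    if reply_domain != from_domain:
        findings.append(f"reply-to domain mismatch: {from_domain} -> {reply_domain}")

    # 3-5. Urgency, payment request and process-bypass wording in subject and plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    for label, terms in (("urgency", URGENCY_TERMS), ("payment request", PAYMENT_TERMS), ("process bypass", BYPASS_TERMS)):
        hits = [t for t in terms if t in text]
        if hits:
            findings.append(f"{label}: {', '.join(hits)}")

    # 6. Links whose host is outside the trusted domains (and their subdomains).
    for host in re.findall(r"https?://([^\s/>\"']+)", text):
        if not any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
            findings.append(f"external link: {host}")

    return findings


# Constructed sample: a typical CEO-fraud style message sent from a lookalike domain.
SUSPICIOUS_MESSAGE = """From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.ceo@mail-relay.example.net
To: alice@example-corp.com
Subject: Urgent: wire transfer needed today

Hi Alice,

I need you to process a wire transfer of 48,200 EUR immediately for a confidential acquisition.
Please skip the approval workflow this once, I will sign off later.
Updated bank details are here: https://secure-docs.examp1e-corp.com/transfer
Sent from my phone.
"""

# Constructed sample: an ordinary internal message that should produce no findings.
BENIGN_MESSAGE = """From: "Jane Doe" <jane.doe@example-corp.com>
To: alice@example-corp.com
Subject: Q3 planning notes

Hi Alice,

Attached are the slides from today's session: https://intranet.example-corp.com/q3
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(f"{name}: {bec_indicators(raw) or ['no indicators']}")
```

Run as a script, the suspicious sample produces six findings and the benign one none. A check like this belongs in a mail gateway or SOC triage playbook as a prioritisation aid: each finding is a reason to route the message to the out-of-band verification the interview recommends (a phone call or a chat message to the purported sender), not a verdict on its own.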

What lessons can enterprise CISOs learn from the most notable BEC attacks? What practical advice would you give them?

In addition to employee training and a zero trust approach, companies should leverage continuous monitoring and risk-based access decisions. Security teams can use advanced analytics to monitor user activity and identify anomalies that could indicate suspicious behavior. Additionally, Zero Trust enables the implementation of risk-based access controls – for example, access from an unknown location may trigger a stronger authentication challenge or require additional authorization before access is granted.

Security teams can also use network segmentation to contain threats. The network is divided into smaller sections. Even if attackers manage to break into one section, their freedom of movement is restricted, so they cannot compromise the entire network.

Given the evolving nature of BEC attacks, it is critical for organizations to proactively adapt their security strategies. What trends do you see and how should companies respond to them?

The level of remote work in the United States has remained stable since 2022 and could reach even higher levels in 2024 – so work from home is here to stay. This means we can expect similar levels or even more BEC attacks in the coming year. Especially as AI makes phishing emails far more convincing, we expect the trend of BEC attacks to continue to grow. That’s why it’s so important to be well prepared with a holistic security model based on Zero Trust.

What advice would you give IT and security professionals to better protect their organizations against BEC attacks?

Building a robust defense against BEC attacks requires a multi-layered approach. Comprehensive security strategies that leverage zero trust are a must. However, they cannot do all the hard work alone. Companies must also empower their employees to make the right decisions by investing in security awareness training that includes real-world scenarios and teaches employees how to recognize and report suspicious activity. Only by investing in both areas can companies better protect themselves against BEC fraud.