Stagecoach

The Next Generation of Targeted BEC Attacks: How Stagecoach is Fighting Imposter Blindness

Share with your network!

Imposter fraud has a long and nefarious history. But while the scam may be nothing new, the techniques involved get more advanced by the day. 

Where yesterday's fraudsters used to disguise and misdirect to fool unwitting victims, today's cyber criminals harvest stolen credentials to ape and assume your digital identity. 

Considered the most expensive cybersecurity issues, the most popular forms of imposter fraud today are Business Email Compromise (BEC) and Email Account Compromise (EAC).

A successful BEC attack sees a cyber criminal pose as a trusted contact – a colleague, vendor, or other affiliated third-party to convince a victim to wire money to a bogus account. Scammers may also compromise legitimate accounts to the same ends – known as Email Account Compromise. 

Whether achieved through domain spoofing, phishing, or credential theft, the result can be devastating. An average BEC attack costs approximately £120,000 – compared to just £500 for a successful ransomware exploit.

BEC impacts not just the compromised organization but its customers, suppliers, and numerous other third parties. And it's an issue that affects businesses of all sizes, across all sectors – with 86% of organizations worldwide suffering an attack last year.

With trust, reputation, and revenues at stake, businesses like Stagecoach, the UK's largest bus operator, turn to cybersecurity experts for protection, guidance, and peace of mind. 

Stagecoach under attack

It's not unusual for Stagecoach to be a constant target for cyber attacks. Bad actors are forever scanning social platforms and directories for details on company executives. 

These details are used to fabricate false payment emails. Stagecoach sees attempted attacks of this nature every day. 

Like many other modern organizations, the company recently migrated to a flexible cloud platform, Office365. However, such migrations can result in an increased attack surface. 

Stagecoach saw an immediate increase in BEC, spoofing and phishing attempts post-migration. Attackers spoofed Stagecoach and its O365 domains to try to trick employees and partners. 

Stagecoach had the protections in place expected of a company with 24,000 staff based throughout the UK. However, with the volume of attacks increasing, it was likely only a matter of time before one saw success. 

Gaining greater visibility

High volume attacks can stretch even the best defenses, for the simple reason that a cybercriminal only has to win once. 

That's why a successful cyber defense is multi-layered, combining people, process, and technology controls. 

In its latest report, Protecting Against Business Email Compromise Phishing, Gartner laid out five key recommendations for implementing such a defense:  

  • Complement email security technology with user awareness training specifically to educate users on BEC phishing.
  • Implement standard operating procedures to authenticate email requests for financial or data transactions and move high-risk ad hoc transactions from email to more authenticated systems.
  • Upgrade secure email gateway solutions to include advanced phishing protection, imposter detection and internal email protection.
  • Implement Domain-based Message Authentication, Reporting and Conformance (DMARC) to authenticate email domains and minimize the opportunity for domain abuse.
  • Implement multifactor authentication to protect against account takeover.

Stagecoach aligned its cyber defense with this strategy. After a comprehensive RFI process, the company implemented Proofpoint's full Proofpoint People-Centric Security Bundle (P3). 

Along with tools and controls to fight BEC and EAC, and protect cloud applications, P3 includes a comprehensive people-centric security program, ensuring all users are aware of their cybersecurity responsibilities. 

As well as requiring awareness and education among end-users, implementing such a strategy also involves buy-in at the board-level. 

Simon Taylor, Information Security Manager at Stagecoach: "I have been fortunate to have the support from the CISO and the board so have been able to procure and implement the full Proofpoint People-Centric Security solution."

Eliminate blind spots with defense in depth

Since implementing its new cyber strategy, Stagecoach has seen a marked improvement in its ability to detect and prevent all manner of cyber-attacks: "Since implementing Isolation, we have had 100% protection on malicious emails!", states Taylor after the implementation of Proofpoint Email Isolation. 

With tools, solutions, and daily checks aimed at protecting Stagecoach users, data, and cloud apps, cybersecurity awareness is now higher than ever throughout the organization. In addition, the organization is working to implement DMARC to protect its 1,200+ domains – a step Taylor may have taken sooner with hindsight, although the priority was placed on mitigating a perceived higher threat from internal access to mail accounts: "Implementing DMARC has been the biggest challenge… because you risk stopping legitimate emails flowing. Had we done it first, however, we'd be in a better position now with regard to BEC, possibly.

Stagecoach offers a great example of a multi-layered, people-centric approach. This starts with a technical combination of email gateway controls, email authentication, and content analysis, designed to ward off BEC and similar attacks. Greater visibility into cloud applications, suspicious logins, activity, and DLP alerts also allows IT teams to spot bogus access attempts and analyze the data flowing to and from the organization. 

But these tools, while eliminating blind spots, are just one piece of the puzzle. As well as protecting the organization from targeted attacks, the P3 solution offers valuable insight into the methods and origins behind those attacks. This information is leveraged to train end-users on common threats in context – highlighting the very threat vectors they are most likely to encounter. 

Educating users in this manner raises awareness and conveys the vital role they play in protecting the organization from cyber criminals. 

The result is a cybersecurity culture where the onus for defense is not solely on IT teams but every individual.

With the Proofpoint solution in place, Taylor is satisfied to have achieved his initial goal of implementing "a layered approach, providing the best security not just from traditional attacks but also the loss of data."

To learn more about targeted BEC attacks, watch our on demand webinar with Stagecoach: Do You Have Imposter Blindness? Fighting the Next Generation of Targeted BEC Attacks