Business email compromise attacks are on the rise, with one recent report suggesting 44% of businesses have suffered an attack.
Business Email Compromise (BEC) attacks are now commonplace. Email accounts are compromised, and threat actors use the accounts to send targeted messages to individuals in an organization. Requests are made to have sensitive data sent by email or for wire transfers to be made. Sophisticated social engineering techniques are used to convince the email recipient that the request is genuine. The attacks often involve a series of emails with the recipient believing they are corresponding with the account holder. Since these messages are sent from genuine accounts, they are rarely caught by spam defenses.
These scams often result in large quantities of sensitive data being disclosed to the attacker or sizeable bank transfers being made to the attacker’s account.
The Infosec Institute has responded to the increased threat level by releasing its BEC Defense Suite, the purpose of which is to train employees how to recognize BEC attacks before they result in a fraudulent transfer or the disclosure of sensitive information. The BEC Defense Suite also includes tools that can be used by security teams to help identify and respond to the threat.
The BEC Defense Suite includes 20 BEC email templates which mimic real-world threats. The emails can be sent to determine the susceptibility of the workforce to these types of attacks. The templates include requests for W-2 forms, payroll information, wire transfer requests and VPN password resets.
When employees respond to one of the phishing simulations, the replies are tracked. Security teams can therefore identify the employees who have failed the test and can ensure those vulnerable individuals receive further training. The simulation platform can also detect the types of data that have been sent using sophisticated pattern recognition, immediately deleting the data once the data type has been logged. If a credit card number is sent in a response, for example, it would be logged as such and then deleted to prevent an unauthorized disclosure.
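The log-the-type-then-delete handling described above can be sketched as follows. This is an added example, not code from the Infosec Institute or the SecurityIQ platform; the three detectors, the function names and the record fields are assumptions, since the page does not say which patterns the platform uses.

```python
import re
from collections import Counter

# Assumed detectors; the page does not say which patterns the platform uses.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PASSWORD_RE = re.compile(r"(?i)\bpass(?:word|phrase)?\s*(?:is|:|=)\s*\S+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_reply(body: str) -> Counter:
    """Count sensitive data types found in a reply body."""
    found = Counter()
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found["credit_card"] += 1
    found["ssn"] += len(SSN_RE.findall(body))
    found["password"] += len(PASSWORD_RE.findall(body))
    return +found  # unary plus drops zero counts


def log_and_discard(employee_id: str, template: str, body: str) -> dict:
    """Build the stored record: who replied, to which template, which data types; never the data."""
    types = classify_reply(body)
    return {"employee": employee_id, "template": template,
            "replied": True, "data_types": dict(types)}


# Constructed sample reply (standard test card number, made-up SSN and password).
SAMPLE = ("Hi, here is the card: 4111 1111 1111 1111, exp 09/27.\n"
          "My SSN is 123-45-6789 and the VPN password is Winter2024!\n"
          "Order ref 1234567890123456.")

if __name__ == "__main__":
    print(log_and_discard("emp-042", "wire-transfer-03", SAMPLE))
```

The 16-digit order reference in the sample fails the Luhn check and is not counted as a card, and the returned record carries only type names and counts, so the reply body can be dropped as soon as the function returns.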
The platform also includes several training modules to help raise awareness of the threat and train employees how to recognize the signs of a BEC attack.
The new BEC Defense Suite is now available to all users of the SecurityIQ platform at no additional cost.