Business email compromise attacks cost millions, losses doubling each year

Cybercriminals follow the money, and you need look no further than Toyota Boshoku's recent $37 million loss to see why many are turning to BEC scams.


Authenticating email (DMARC, built on the SPF and DKIM checks) won't solve the BEC fraud problem completely. If an attacker takes over the CEO's actual email account, for example, the messages sent from it will, in fact, be authentic. It will still significantly cut down the attack surface, however, and make attacks much more difficult and expensive for the criminals.

Meanwhile, 2FA and user behavior analytics that spot suspicious access can help reduce the risk of email account takeover attacks. "The challenge -- and this goes for any organizational change -- is that there's so much momentum in how things have always been done," says Matt Wilson, chief information security advisor at BTB Security, a cybersecurity consulting firm. "It would be great if everyone would do DMARC, if they would do an identity check."

In fact, the technology is already there and ready for companies to turn on. BTB Security, for example, uses Office 365 email; the platform automatically configures everything necessary for DMARC, he says. "This should bring many organizations in line with a strong security practice without any intervention of their own."

Every major email security vendor has a configuration option to block external emails that have local domains, Wilson says. "That's a very simple thing to do, with a tool we already own, with almost no downside," he says. "But companies are having to be dragged kicking and screaming. Maybe once they're burned, they'll do something about it."
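The rule Wilson describes, blocking inbound mail that claims one of your own domains, is simple to state but has one important exception: legitimate mail for your domain that originates outside (a payroll provider, a CRM, a cloud helpdesk) and that you have authorized through DMARC. The following Python script is an added, illustrative example, not BTB Security's, Microsoft's or any vendor's code. It assumes the check runs at the inbound gateway (so every message it sees arrived from outside), that the local domains are `example.com` and `corp.example.com`, and that the gateway's own Authentication-Results header carries the authserv-id `mx.example.com`; all of these names and the sample messages are constructed for the example.

```python
"""Flag inbound mail whose From: domain is local but which did not pass DMARC.

Added example; assumes it runs on mail already known to come from outside
(an inbound gateway), so "external" is implied by position in the flow.
"""
import email
import re
from email import policy
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.com", "corp.example.com"}  # assumed local domains
TRUSTED_AUTHSERV_ID = "mx.example.com"  # assumed authserv-id of our own gateway

# spf/dkim/dmarc verdicts as written in Authentication-Results (RFC 8601)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|temperror|permerror)\b",
                     re.IGNORECASE)


def parse_auth_results(msg):
    """Return {method: verdict} from the gateway's own Authentication-Results headers.

    Headers carrying any other authserv-id are ignored: a sender can add a
    forged 'dmarc=pass' header upstream, so only the line our gateway wrote counts.
    """
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, _, body = str(hdr).partition(";")
        if authserv_id.strip().lower() != TRUSTED_AUTHSERV_ID:
            continue
        for method, verdict in AUTH_RE.findall(body):
            results[method.lower()] = verdict.lower()
    return results


def from_domain(msg):
    """Domain of the RFC 5322 From: address (the one the recipient sees)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def classify(raw_message):
    """Return ('allow' | 'block', reason) for one inbound message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domain = from_domain(msg)
    if domain not in LOCAL_DOMAINS:
        return "allow", "external sender domain; not covered by this rule"
    auth = parse_auth_results(msg)
    if auth.get("dmarc") == "pass":
        # authorized third-party sender (SPF/DKIM aligned with our domain)
        return "allow", f"claims {domain} but passed DMARC at our gateway"
    return "block", f"claims local domain {domain} from outside without a DMARC pass: {auth or 'no trusted results'}"


# Constructed sample messages (headers only matter for this check).
SPOOFED = """From: "CEO" <ceo@example.com>
To: controller@example.com
Subject: Urgent wire today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.invalid; dkim=none; dmarc=fail header.from=example.com

Please process the attached invoice before noon.
"""

AUTHORIZED_SAAS = """From: "Payroll" <payroll@example.com>
To: staff@example.com
Subject: Your payslip
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces.payroll.test; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Your payslip is available.
"""

EXTERNAL_VENDOR = """From: "Vendor" <ar@partner.test>
To: ap@example.com
Subject: Invoice 4471
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.test; dkim=pass header.d=partner.test; dmarc=pass header.from=partner.test

Invoice attached.
"""

FORGED_AUTH_HEADER = """From: "CEO" <ceo@corp.example.com>
To: controller@example.com
Subject: Confidential acquisition
Authentication-Results: attacker-mx.invalid; dmarc=pass header.from=corp.example.com

Call me before you mention this to anyone.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("authorized saas", AUTHORIZED_SAAS),
                      ("external vendor", EXTERNAL_VENDOR), ("forged auth header", FORGED_AUTH_HEADER)]:
        verdict, reason = classify(raw)
        print(f"{name:20} -> {verdict}: {reason}")
```

The authserv-id check is the part most often skipped in home-grown versions of this rule: an attacker who knows the gateway trusts `dmarc=pass` can simply add that header before handing the message to your MX, which the fourth sample demonstrates. The `dmarc=pass` exemption is what lets the rule run in blocking mode without breaking authorized outside senders; a domain that has not yet published a DMARC record, or whose third-party senders are not aligned, should expect that branch to fire rarely and should fix the senders rather than loosen the rule.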

Another area where technology can help reduce BEC fraud is in creating an escalation path for users to follow. Today, most companies don't have an escalation path, says Eric Favetta, professor of cybersecurity at Fordham University, who's worked as a security consultant for more than 300 financial services companies. "If the user is able to figure out that it's a phishing attack, they'll just hang up the phone or delete the email," he says. "And the attacker goes onto the next person at the company."

Enterprises need to set up easy-to-use systems for employees to flag emails and other communications that look like phishing or social engineering attacks, so that other employees will know that there's a potential campaign underway against them and they should be on the alert.

It may be costly to implement security controls and update business processes, says Favetta. But just accepting the risk and letting the fraud happen would be a big mistake. "I think people understand that if they do not secure their assets, they'll eventually go out of business."

Copyright © 2019 IDG Communications, Inc.
