When it comes to phishing and other business email compromise cyberattacks, the question is not if a company will be targeted; it’s when.

“It’s really easy for these attackers to send blasts of thousands of emails out there,” said John “Jack” Bennett, managing director of cyber risk, risk consultancy with Kroll. “So it’s coming. It’s just a matter of time before it hits you.” 

Last year, the FBI’s Internet Crime Complaint Center received 19,954 complaints concerning business email compromise attacks, resulting in nearly $2.4 billion in losses.

In these attacks, hackers send thousands of emails with fraudulent links and attachments.

Their goal is to trick unsuspecting employees to open these links and enter their credentials, thereby giving the attacker access to their system. Once in the system, they can steal data, encrypt files, launch a ransomware attack or initiate fraudulent wire transfers. 

“Hackers understand that every employee is an entry point into the network,” said John Farley, managing director of Gallagher’s Global Cyber Practice. 

With phishing attacks becoming both common and costly, businesses may be wondering what they can do in the event an attack occurs to limit its scope. Here are three critical steps employers should take if they’re exposed to a business email compromise attack. 

1) Report the Attack to IT

John “Jack” Bennett, managing director, cyber risk, risk consultancy, Kroll

The first step an employee should take if they click on a phishing scheme is to notify their company’s IT team. 

The IT team is a company’s first line of defense for determining whether the email was actually a phishing attack and notifying any relevant parties within the company who can take further action in the event of an attack. 

They can also take charge of any efforts to reset passwords, as both the employee who clicked the link and others in the organization will need to change any login credentials that could have been compromised. 

Though this seems like a common sense action, many employees will panic after clicking on a phishing link and may try to close out of the link and delete the email to cover up their mistake. 

“There’s that moment of, ‘Oh God, what did I just click on?’ And what people normally do is they just close it out real quick,” Bennett said.

“If you click on something that you shouldn’t have clicked on, don’t just bury it. Call your IT people.”

Employers can ensure their employees report phishing emails properly by having a clearly detailed phishing policy available to all employees. That way, an employee knows what to do if they encounter or accidentally click on a malicious link.   

2) Phishing Incident Response Team Steps In 

Once an employee notifies the IT team of a phishing attack, a company’s internal incident response team should spring into action. The incident response team is responsible for determining what to do in the event of a phishing attack in order to limit a business’ exposure.

The members of the team and its capabilities will vary depending on the size and resources a company has available, but Farley said that it should typically include general counsel, communications, operations, IT and risk management team members.

“That team will have to collaborate to figure out next steps and whether or not this truly was a phishing email. What did it involve, what data may have been stolen, what funds may have been transferred?” Farley said. 

The incident response team will likely try to determine the scope of the attack and how much data was compromised. In some cases, a hacker may have set up email forwarding systems that alert them of any new emails an employee may get in order to see if they can gain further access into the network. 

One of the key roles of this team will be notifying any clients or employees if their data was compromised.  

“You have to assume that the whole inbox was compromised if the threat actor had access to it,” said Amanda Surovec, director of security engagement and claims for Resilience. 

“So if it’s an HR employee who might have a spreadsheet of employee social security numbers, the company will likely have to notify all of their employees and provide credit monitoring.”

3) Get in Touch with Your Cyber Insurance Carrier

Amanda Surovec, director of security engagement and claims, Resilience

Another action to take in the immediate aftermath of an attack is to contact your cyber insurance carrier. Your insurer will likely have access to a team of forensic investigators and data breach coaches who can help walk your company through your response.  

“They should also consider reporting the incident to their cyber insurance carrier, which can help bring in outside experts such as a privacy council and a digital forensic investigation firm to help with the investigation,” Surovec said. 

Breach coaches will have experience working with law enforcement. They’ll also likely know how to negotiate with hackers and how to acquire bitcoin and other cryptocurrencies in the event the phishing attack leads to a ransomware event. 

If a fraudulent wire transfer occurs, a breach coach can walk your business through the process of reporting it to the FBI and working with law enforcement to try to recover those funds.  

“If you’re going it alone and trying to figure out where you should report it or who within the FBI you should be speaking to, the clock is ticking,” Farley said. 

“You usually have a finite amount of time in which you can recover the funds. It’s roughly around a 48-hour time period that you have to freeze accounts and recover funds. And it gets a lot more difficult when you’re dealing with banks overseas, specifically in territories where we don’t have great diplomatic relations and we’re not going to get the cooperation of that local law enforcement. A breach coach can help navigate all of that.”

Contacting your insurer will also give you clarity on whether or not losses may be covered. 

Prepare Employees for Phishing Risks

John Farley, managing director, global cyber liability practice, Gallagher

Obviously, the best kinds of cyber attacks are the ones that are caught before any damage is done. Businesses can take a number of different actions to prevent phishing attacks and to protect their data in the event of a business email compromise situation.  

“The time to understand phishing threats is not when you’re in the middle of a crisis,” Bennett said. 

Targeted trainings where a company educates employees on how to spot a business email compromise attack and then regular tests workers with simulated phishing tests can go a long way in keeping your business safe.  

Additionally, businesses should consider specialized training for workers who may be more at risk of a phishing attack. Though hackers target every type of employee, they may be most interested in HR and finance workers, who tend to have access to sensitive information the attacker can then hold hostage in a ransomware event.  

“We do see that HR and finance employees are targeted because they’re the people who have access to sensitive data,” Surovec said. “Consider targeted training for employees who might be more likely to be targeted by a threat actor.”

When planning for training, it’s important to remind employees that hackers may try to use current events or holidays to try to trick people into clicking on phishing links. Around the holidays, there’s often a surge in phishing attacks as scammers try to use fraudulent shipping notifications and holiday cards to lure in victims. 

“Around the holidays, you’ll see a lot of phishing campaigns that involve emails saying ‘your package has arrived.’ People are usually expecting a lot of packages around the holidays, they’re ordering gifts and things like that, and they may let their guard down and click on a link,” Surovec said.

Current events — particularly stressful ones — are another area where hackers may try to trick employees into clicking on fraudulent links. During the early days of the COVID-19 pandemic, attackers impersonated WHO officials and sent emails offering pandemic safety tests in an attempt to trap their targets, Risk & Insurance® reported in March 2020. 

There are also steps an employer can take to limit the amount of data a hacker has access to in the event of a phishing attack. Companies might consider data retention policies that require employees to delete or encrypt emails after a certain time period, which can limit the amount of data a hacker has access to if they manage to break into an employee’s inbox. 

“Data retention policies for email inboxes are really important to limit the amount of data that’s compromised if a phishing attack happens,” Surovec said. 

Implementing multi factor authentication — say a code delivered via text message and required for login — can limit a hacker’s ability to access sensitive data, even if they have an employee’s credentials. This tool is becoming such a critical element of cyber security many insurers are requiring it before underwriting cyber exposures. 

“It makes it harder for the threat actor to actually gain access to the company’s system,” Surovec explained, a goal that is at the heart of pretty much all cyber security measures. &