Email’s Role In Combatting Business Email Compromise

With the business email compromise (BEC) phishing attack a continuously growing threat for businesses large and small, organizations are exploring how strategic cybersecurity investments can protect them when bad actors attempt to steal company cash or redirect business payments.

Often, those security measures come in the form of third-party enterprise apps that can integrate with email platforms, employee training and multi-factor authentication measures. When a phisher spoofs a chief financial officer’s email address in a social engineering attack against an accounts payable (AP) department, however, it would seem that the email service itself could be the first line of defense.

In a recent interview with PYMNTS, Mikael Berner, co-founder and CEO of Edison Software, explained why combatting BEC may have to begin with rethinking the traditional email business model altogether.

Filtering The Inbox

In today’s business environment, the instinct for many professionals is to procure a solution that sits on top of their existing email to add security capabilities, leaving many businesses and solopreneurs stuck with a service simply because it’s what they’ve always used.

“Building a service that sits on top of an email service is interesting and can be powerful, but it’s created an ecosystem where people don’t think about changing email,” said Berner.

For Edison Software, this was the starting point for creating OnMail, its new email service launching this summer with a focus on security for both individuals and business users. Berner identified several key challenges with legacy email services that OnMail aims to tackle, chief among them the overloaded inbox.

While the foundation of email is the ability for anyone to connect with anyone, Berner noted that this can not only introduce the hassle of having to constantly sift through junk mail, unwanted messages and unfamiliar addresses, but can also introduce security concerns, particularly for businesses that continue to face a barrage of spoofed email addresses and phishing campaigns.

“Email is great because anyone can use it, and it’s a great communicating tool that allows various companies to work together,” he said. “But that brings a lot of problems, mostly in the areas of security and reliability. One of the reasons that phishing works is because your inbox is overloaded — anyone can get into your inbox.”

Traditional email services aren’t incentivized to limit inbox access because inbox access — via other email users or approved third-party apps — means more page views and eyeballs for advertising, noted Berner.

The Burden Of Responsibility

The astronomical surge in cyberattacks has introduced a growing debate around who holds the burden of cybersecurity responsibility. In the scenario of BEC, in which an AP professional falls for a social engineering attack and wires funds to a fake vendor, an ethical dilemma emerges: Is it the email service, the third-party cybersecurity app, the payment processor, or the AP professional themselves who should be held accountable?

“Regardless of where the ethical responsibility lies, the fact that services can’t provide that [security] means if you want to be safe, you have to do it yourself,” noted Berner, adding that the aim of OnMail is to help offload some of that burden. The company plans to implement two-factor authentication measures to prevent hacking via stolen passwords, as well as add security features for attached documents.

Unfortunately, the problem of the BEC scam — and cyberattacks overall — won’t end with a single solution. An email service might be able to prevent a scammer from intercepting and manipulating an invoice sent by a B2B supplier, but that scammer could still place a legitimate order with a vendor to obtain a real invoice and use it as a template for future scams, for example.

Likewise, email service providers aren’t payment service providers, so “the only way to have totally secure payments is through a payments company,” noted Berner.

But email can play a role in supporting broader security initiatives. While he acknowledged it’s likely a long way off, Berner said he does envision an environment in which it is no longer the sole responsibility of the individual to detect and prevent email-related security issues. As more professionals consider the risks and privacy issues related to unhampered access to their inboxes, they may be more inclined to switch providers.

By rethinking the traditional business model of an email service and limiting who can land in a professional’s inbox, there is an opportunity for email service providers to help prevent BEC and other scams before they ever progress to the point of needing AP professionals to call up suppliers and CEOs to confirm payment, or for corporates to call their bank to attempt to recover funds — at which point, it’s often too late.
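To make the gating model described in this article concrete, here is an added illustration (not OnMail’s code and not from the interview): a triage routine that holds mail from senders the user has never accepted and flags messages whose display name matches a known executive, such as a CFO, while the address is not that executive’s verified one. The executive directory, accepted-sender list and sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample data for this example. A real service would draw these
# from the user's accepted contacts and the company directory.
KNOWN_EXECUTIVES = {"dana lee": "dana.lee@example.com"}  # lower-case name -> verified address
ACCEPTED_SENDERS = {"dana.lee@example.com", "billing@supplier.example"}


def triage(from_header: str, accepted=ACCEPTED_SENDERS, executives=KNOWN_EXECUTIVES) -> str:
    """Classify a raw From: header value.

    Returns 'flag'  when the display name impersonates a known executive,
            'inbox' when the address is one the user has already accepted,
            'hold'  otherwise (unknown sender, parked outside the inbox until
                    the user explicitly accepts it).
    """
    display, addr = parseaddr(from_header)  # splits '"Name" <addr>' safely
    addr = addr.lower()
    name = display.strip().lower()

    # Executive impersonation: the human-readable name claims to be someone
    # on file, but the underlying address is not that person's verified one.
    for exec_name, verified_addr in executives.items():
        if exec_name in name and addr != verified_addr:
            return "flag"

    # Closed-inbox rule: only senders the user has accepted reach the inbox.
    if addr in accepted:
        return "inbox"
    return "hold"


# Constructed sample headers covering the three outcomes.
SAMPLE_HEADERS = [
    "Dana Lee <dana.lee@example.com>",          # real CFO, accepted sender
    '"Dana Lee" <dana.lee@examp1e-mail.com>',   # look-alike address, same display name
    "Billing <billing@supplier.example>",       # accepted supplier
    "New Vendor <sales@unknown.example>",       # never seen before
]


def triage_all(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its triage outcome."""
    return {h: triage(h) for h in headers}


if __name__ == "__main__":
    for header, outcome in triage_all().items():
        print(f"{outcome:5}  {header}")
```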