Skip to content

How to train your employees to spot business email compromise attacks – VentureBeat

The Transform Technology Summits start October 13th with Low-Code/No Code: Enabling Enterprise Agility. Register now!

We know you’ve seen the headlines: Cyberattacks are hitting enterprises — among other institutions, such as hospitals and schools — at unprecedented rates. And business email compromise (BEC) attacks in particular are striking more often, leading to a loss of $1.8 billion in 2020, according to an FBI report.

BEC attacks are a cyberattack — sometimes considered a form of phishing — in which a malicious actor uses a fake email account to pose as a member of a legitimate organization, often a colleague or other known business contact. This makes them much more difficult to spot and requires employees to stay informed about the latest tactics and what to look out for.

For insight on how enterprises can best train their employees to spot BEC attacks, we chatted with Brent Johnson, chief information security officer at Bluefin. In this current role and for more than a decade prior as a cyber security consultant, he’s trained countess teams on how to prevent, monitor, and handle BEC and other cyberattacks.

This interview has been edited for brevity and clarity.

VentureBeat: With the increase in business email compromise (BEC) attacks, training employees to spot suspicious emails is becoming more important than ever. So how should companies set out to do this training? What’s step one?

Brent Johnson: I’ve always found there’s a fine line between too much and not enough. With too much training, you risk wasting resources and decreasing overall employee engagement. But without enough training, you’re not giving your employees the tools to effectively combat security threats.

A good first step is to evaluate risk with regard to BEC attacks against the company, and then determine which employees/roles pose a heightened risk and may require more frequent and in-depth training. Next, develop (or select a vendor that already has) training material applicable to what you’re trying to protect. Maybe it’s general email phishing attacks, or perhaps more industry-specific attacks that are likely to be seen within sectors such as health care, finance, banking, etc. I also recommend companies incorporate some sort of offensive techniques, such as phishing campaigns, into their training programs. Management may be surprised by the number of employees who may need a training refresher.

VentureBeat: Does every company have the same needs when it comes to cybersecurity and BEC trainings? If not, how can companies evaluate their needs and how to best prepare their teams?

Johnson: I’d say most companies need and would benefit from some level of cyber security and BEC training.  That said, not all businesses and training are equal. It’s important to evaluate business risk, employee roles, and access within the organization, and tailor a training program that effectively mitigates those threats.

VentureBeat: In your opinion, what is absolutely necessary for trainings to cover? What’s the most vital information?

Johnson: Staying current and relevant. I’m hoping these days everyone knows not to click a link from a Saudi prince offering to give away his fortune, but does everyone know the recent rash of phishing attacks from legitimate-looking emails asking users to call a number by phone to verify information? Sharing examples of these emails, or examples of emails from current phishing-as-a-service toolkit attacks, are probably much more relevant than simply saying, “Don’t click on links in suspicious emails.”

Everyone should also look out for bad grammar, spelling mistakes, unfamiliar greetings, and suspicious attachments. Also, be wary of emails that request urgent action or seem too good to be true. Additionally, any emails requesting login credentials or sensitive data, as well as those with inconsistencies in email addresses, links, and domain names.

Overall, the most vital training advice for email-based attacks is to simply reach out if there’s any question of its legitimacy. Ask IT, or contact the person who sent the email and ask if it’s what they intended to send.

VentureBeat: And of course, there are always new tactics to look out for. What type of cadence would you recommend for training? A lot of companies have historically done annual refreshers, but is that enough? 

Johnson: It’s important to develop a schedule that will keep employees engaged. I’d recommend formal training no less than once a year, with periodic reminders throughout the year such as posters, emails, or blogs. For periodic updates, it’s important to disseminate relevant training reminders. I’ve found that displaying up-to-date breach news stories, current tactics used by threat actors, and financial impact numbers help to keep employees engaged.

VentureBeat: How can companies best train employees and share best practices while taking into account employees’ varied background and level of technical expertise? 

Johnson: This again highlights the need to evaluate risk and employees’ roles and access in order to create an effective security training program. Someone in customer support (hopefully) won’t have the same access to systems and information that a system administrator does. A compromise to the customer support system/account, while still not desirable, would likely not be as detrimental to the company as a compromise to the system administrator system/account would be. General email best practice to catch spoofing, phishing, and spear-phishing attempts would be applicable training to both employees, but more in-depth and specific training to the types of attacks the administrator should be aware of would likely be beneficial.

VentureBeat: Are there any misconceptions that come to mind about BEC attacks and how to spot them you think are important to clear up?

Johnson: One misconception I’ve seen is people are worried they may have caught a virus by simply opening and reading an email. While this may have been true in legacy email clients, this isn’t the case anymore. As long as the email client is being kept up to date, and the user isn’t opening attachments or following links within the email, they will be fine.

VentureBeat: Are there any other important considerations to keep in mind? 

Johnson: I’d point out that while certainly not a catchall, it’s important for companies to configure their email systems with anti-spam and spoofing measures such as SPF, DKIM, and DMARC. This will help limit spam and phishing. Another effective tool I’ve seen that’s built into most email clients these days, or can be manually configured, is to add an “External” flag to emails that originate from outside the organization. This allows someone within the organization to quickly notice that an email that at first glance appears to come from the CEO or a coworker actually came from an email server/address not associated with the company.


VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member