A1 Project Brief

Project Title

Evaluating the Effectiveness of Multi-Factor Authentication and the Impact of Human Factors in Preventing and Mitigating Business Email Compromise (BEC) Attacks

Abstract

According to the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report 2022, the financial losses caused by business email compromise (BEC) attacks have increased to over $98 million, with an average loss of $64,000 per report. BEC is a cyber fraud that uses social engineering techniques to gain victims' trust so that they transfer money to accounts controlled by cybercriminals. Because BEC is a form of email phishing, human manipulation and impersonation by cybercriminals are critical factors in its success. Implementing robust authentication models is one of the most commonly suggested prevention and mitigation techniques.

This research aims to evaluate a common method of mitigation and prevention, namely multi-factor authentication (MFA), together with the role of human behaviour in social engineering, in order to determine the effectiveness of the suggested methods and the impact of human factors associated with BEC attacks.

Background

BEC attacks are scams that mainly target organisations with a financial relationship with other organisations or suppliers. Generally, organisations that use wire transfers or online payment transactions are potential victims of BEC attacks (Saud Al-Musib et al., 2023). Although social engineering is the major component of a BEC attack, used to collect the required information from the victim organisations, compromised legitimate business email accounts are the main reason for successful fund transfers (Kolouch, 2018). While spam filtering systems can usually detect malicious emails used in social engineering techniques such as traditional phishing, these protective systems prove ineffective in preventing BEC attacks due to the genuine appearance of the email accounts used (Saud Al-Musib et al., 2023).

To address the legitimacy of emails and payment requests, cybersecurity experts have suggested some preventive mechanisms, such as MFA, to verify the account information and legality of the request. However, prevention methods are not limited to technical measures, and human factors such as employee behaviour affect the technological measures mitigating BEC attacks (Cross & Gillett, 2020). In other words, the effectiveness of the preventive measures and mitigation techniques to overcome the BEC security challenge relies on technical and non-technical preventive measures (Cross & Gillett, 2020).

Project Objectives

This project aims to achieve the following goals:

  • Assess the effectiveness of MFA as a preventive measure against BEC attacks.
  • Determine the impact of human factors, such as employee behaviour in social engineering, leading to BEC attacks.
  • Identify the link between preventive measures such as MFA and human errors.
  • Evaluate the effectiveness of cyber awareness and training and their relationship with the success of technical preventive and mitigation measures.

Project Problem Domain

BEC fraud has become a significant risk around the globe. According to the 2019 Symantec report, Australia ranked third among the top 10 countries that have been victims of BEC fraud (Cross & Gillett, 2020). The targets are not limited to large corporate organisations; businesses of all sizes might be the target of a BEC scam (Kolouch, 2018). Although there have been a variety of technical solutions to mitigate BEC attacks, human error in the face of various social engineering methods allows targeted manipulation that leads to the success of BEC (Cross & Gillett, 2020). Therefore, it is crucial to undertake further investigation to understand the impact of human behaviour in order to prevent BEC attacks effectively.

The current project aims to address the following research questions:

  1. How does adopting MFA affect the success rate of BEC attacks, and what are the key factors contributing to its effectiveness?
  2. How do human factors, such as employee cybersecurity awareness, behaviour, and susceptibility to social engineering, impact the success of BEC attacks and the effectiveness of MFA as a defence mechanism?
  3. What are the challenges and barriers faced by organisations in implementing MFA?
  4. What is the role of training and awareness programs in strengthening MFA adoption and reducing human-related vulnerabilities in BEC attacks?

Project Outcomes

  • Evaluating the effectiveness of MFA
  • Identifying the impact of human factors on BEC attacks
  • Analysing various notable BEC attacks from different industries
  • Providing practical and actionable recommendations to enhance organisations’ capabilities against BEC attacks
  • Improving cyber security knowledge by analysing the threat landscape and addressing the gaps in the current literature

Overall, this research aims to implement a resilient cyber security posture to minimise the risk of BEC attacks and their consequences.

Alignment

The chosen research project aligns well with the core principles and concepts taught in the Master of Cyber Security course. This project addresses critical cyber security issues, from technology evaluation and risk management to human behaviour and policy considerations. By contributing to the understanding of BEC attacks and the effectiveness of MFA, my project holds significance in developing more robust cyber security strategies to safeguard organisations and their digital assets.

References

 

Australian Cyber Security Centre. (2022). ACSC annual cyber threat report, July 2021 to June 2022. https://www.cyber.gov.au/about-us/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022

Cross, C., & Gillett, R. (2020). Exploiting trust for financial gain: An overview of business email compromise (BEC) fraud. Journal of Financial Crime, 27(3), 871–884. https://doi.org/10.1108/JFC-02-2020-0026

Kolouch, J. (2018). Evolution of phishing and business email compromise campaigns in the Czech Republic. Academic and Applied Research in Military and Public Management Science, 17(3), 83–100. https://doi.org/10.32565/aarms.2018.3.6

Saud Al-Musib, N., Mohammad Al-Serhani, F., Humayun, M., & Jhanjhi, N. Z. (2023). Business email compromise (BEC) attacks. Materials Today: Proceedings, 81, 497–503. https://doi.org/10.1016/j.matpr.2021.03.647
