It’s hard to imagine running a business without email these days, especially with so many people working from home in the COVID-19 era. And because email is such an important communication tool, many attackers aim to exploit it through business email compromise.
Business email compromise (BEC) is a social-engineering fraud in which attackers impersonate a trusted person, such as an organization’s CEO or the small business owner, to trick an employee into sending money or sensitive information. Using personal details found online or on social media, the attacker contacts someone within the organization while behaving like the individual they are impersonating, often from a look-alike email address or from the real account after it has been hacked.
While attackers sometimes text their victims, they mainly exploit the added layer of trust associated with a business email address, and it has been very effective. According to the FBI’s 2019 Internet Crime Report, BEC scams were the most damaging type of cyber-crime that year, accounting for about half of all reported cyber-crime losses in 2019, and the average loss per BEC complaint was nearly $75,000.
With that in mind, BEC is something all businesses should be concerned about. Luckily there are a few simple steps you can take to protect your business and your staff against these attacks.
Familiarize Yourself With Popular BEC Scams
Firstly, to prevent BEC scams you need to know what they look like. A common theme is that they use fear and urgency and play on the target’s sense of duty to the company to get what they want. In many real cases of business email compromise, attackers have used emotional pleas to steal money or information, including threatening the recipient’s job if they don’t comply or promising a promotion as a thank-you for their help. According to the FBI, there are five common types to look out for:
- False Invoice Scheme: Attackers pretend to be a company’s vendor or supplier and request that invoice payments be sent to an account the fraudsters own.
- CEO Fraud: Attackers pose as the company CEO or another executive and email employees in finance, requesting a transfer to an account the attackers control.
- Account Compromise: An executive’s or employee’s email account is hacked and used to request invoice payments from vendors listed in their contacts. The payments are then sent to fraudulent bank accounts.
- Attorney Impersonation: An attacker impersonates a lawyer or other representative of the law firm handling sensitive matters. They typically target lower-level employees who lack the knowledge or authority to question the validity of the communication.
- Data Theft: HR and bookkeeping employees are targeted to obtain personal or otherwise sensitive information about employees or executives, which is then used in later attacks.
Educate Your Employees
While BEC attackers often target lower-level employees, the truth is anyone can fall victim to BEC. Therefore, education and training about BEC prevention throughout your organization is critical to building your first line of defense. Add webinars or online courses about BEC to your onboarding process for new employees and revisit the topic in annual training. Make sure the training covers the common scams, the warning signs to look out for (urgency, secrecy, changed payment details, a request that bypasses normal process), and how to report a suspected BEC attempt.
Invest in Secure Email Systems
While there are many free or low-cost email systems you could use for your organization, a paid business platform can be worth the investment in preventing BEC. Such platforms typically offer more security features and make it harder for an attacker to take over an account. Top features to look for include multi-factor authentication on every mailbox, spam and phishing filtering, and end-to-end encryption. Also, the ability to flag all external emails, for example by tagging the subject line or adding a banner, is a simple but effective visual indicator that helps everyone on your team spot a potential BEC attack: a message claiming to be from your CEO should never arrive marked as external.
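As an added, runnable illustration of the external-sender flag above and of the look-alike addresses mentioned earlier (example code written for this article, not something the article or any email vendor supplies): the script below takes a few constructed From and Reply-To headers and applies the checks a mail-flow rule would, tagging messages from outside the company domain, from domains that differ from it by a swapped character or two, from outside addresses that carry an executive’s display name, and from messages whose Reply-To points somewhere other than the visible sender. The company domain `example.com`, the executive name and every header in `SAMPLE_MESSAGES` are assumptions made up for the demo.

```python
"""Flag external, look-alike and impersonating senders.

Added example for this article (not code from the article or a vendor).
Assumptions: the company's real mail domain is example.com, Jane Doe is
the CEO attackers would impersonate, and every header below is constructed.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                       # assumed company domain
PROTECTED_NAMES = {"jane doe"}                   # assumed executive(s) to protect

# Substitutions attackers use to register a domain that reads like yours.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalize_domain(domain):
    """Undo common character swaps so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; catches typo-squats such as 'exampl.com' or 'example.co'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header, reply_to_header=None):
    """Return the warning tags that apply to one message's headers."""
    name, addr = parseaddr(from_header)
    domain = domain_of(addr)
    tags = []
    if domain != ORG_DOMAIN:
        tags.append("EXTERNAL")
        # A domain that equals ours after undoing swaps, or sits within two
        # edits of ours, was almost certainly registered to impersonate us.
        if domain and (normalize_domain(domain) == ORG_DOMAIN
                       or edit_distance(domain, ORG_DOMAIN) <= 2):
            tags.append("LOOKALIKE_DOMAIN")
        # An executive's name on an outside address is classic CEO fraud.
        if name.strip().lower() in PROTECTED_NAMES:
            tags.append("DISPLAY_NAME_IMPERSONATION")
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        # Replies silently routed to a different domain than the visible sender.
        if domain_of(reply_addr) != domain:
            tags.append("REPLY_TO_MISMATCH")
    return tags


def tag_subject(subject, tags):
    """Prepend the visual marker a mail-flow rule would add for outside senders."""
    return f"[EXTERNAL] {subject}" if "EXTERNAL" in tags else subject


# Constructed sample headers: one legitimate internal mail and three BEC patterns.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Q3 numbers"},
    {"from": "Jane Doe <jane.doe@examp1e.com>", "subject": "Urgent wire today"},
    {"from": "Jane Doe <ceo.janedoe@gmail.com>",
     "reply_to": "ceo.janedoe@outlook.com", "subject": "Are you at your desk?"},
    {"from": "Accounts Payable <ap@vendor-invoices.net>",
     "subject": "Updated bank details"},
]


def screen(messages):
    """Return (tagged subject, warning tags) for each message."""
    results = []
    for msg in messages:
        tags = classify_sender(msg["from"], msg.get("reply_to"))
        results.append((tag_subject(msg["subject"], tags), tags))
    return results


if __name__ == "__main__":
    for subject, tags in screen(SAMPLE_MESSAGES):
        print(f"{subject:40} {' '.join(tags) or 'ok'}")
```

The tag is a hint for people, not a control: if the mail platform accepts messages that forge your own domain in the From header, an attacker avoids the tag entirely, so the platform must also reject mail that claims to come from your domain but did not. The edit-distance threshold of two is a starting point; tune it against your real inbound traffic, since short domains produce false positives at that setting.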
Set Up Controls For Downloading Software
Sometimes BEC attackers aim to have victims download malware onto their work computers, which the attackers then use to extract sensitive data or passwords. On top of reminding employees not to install software or online programs themselves, implement endpoint or network controls, where possible, so that only designated staff, such as the IT department, can approve and install software.
Protect & Monitor Your Payments
If a BEC scam makes its way to the payment stage, you’ll want added protections in place to protect your finances. Some of the ways to do this are to add multi-factor authentication to your payment systems and to require out-of-band confirmation before a payment is released. For example, require a call-back to a company or vendor phone number already on file (never a number supplied in the email itself) before acting on any new or changed payment instructions, and treat a request to skip that step as a red flag. You can also work with your bank to receive email notifications and alerts for wire transfers, or set up a service such as Positive Pay, which helps you detect unusual or unauthorized disbursement activity by identifying exception items and letting you decide whether to pay or return them.
Business email compromise is a significant threat for all businesses, but taking simple steps to prevent and protect against a BEC attack can make a big difference. Seeing that anyone could fall victim, it’s crucial to view prevention as a team effort across your organization, from your executive team to your entry-level employees. By enhancing your security measures and working together to stay vigilant, you’ll be at a lower risk of falling victim to BEC.
If you would like more information about Positive Pay or any other service to help protect and grow your business, please contact our Treasury Services Department at firstname.lastname@example.org.