Key Takeaway: BEC Doesn't Get Much Attention, But It Should
Although BEC does not get as much attention as ransomware or other forms of cybercrime, it is a very significant threat to organizations of all sizes worldwide. Reported losses show that it is growing rapidly and that it is more damaging than many other threats.
Conventional email security gateways, which look for malicious attachments and links, are not effective against BEC, because a BEC message usually carries neither; purpose-built solutions that examine who is sending a message and what it asks for do exist. When those solutions are coupled with employee education and the practices described in this guide, organizations can keep this rising threat under control.
Pillar #: Management Buy-In
The simple truth about preventing BEC is that management sets the tone. If management commits to the following protocol and sets a consistent example, it will spread across the organization. If management circumvents the protocol because they can't be bothered, then BEC and wire fraud are likely to remain a risk. Given the cost of a single BEC incident, management buy-in would seem logical, but circumvention of the process is a common problem with financial operations controls. When an executive circumvents company protocol, it sends the signal that financial operations processes are merely suggestions that can be applied at an employee's discretion. Discretionary application of financial controls is precisely the situation cybercriminals take advantage of. If your organization's management is not willing to practice what they preach, please skip to the end of this guide and read the section entitled The bare minimum.
How To Spot And Stop Attacks
The main thing is to stay alert to the threats that arrive by email, and to train your employees to do the same. Prevention is far better than cure, so be wary of any urgent request to transfer a payment, and of anyone asking for sensitive data, no matter who they appear to be.
If you think you've received a fraudulent email but aren't 100% sure, here is a quick checklist to help you make the right decision:
It is also very common for these fraudulent emails to arrive at the end of the working week, when people are tired and time pressure is greatest. A quick direct message or phone call to the supposed requester, using contact details you already hold rather than any given in the email, is all it takes to verify that a request is genuine.
Be Vigilant Against Phishing
Phishing scams are messages made to appear as if they were sent by individuals or organisations you know, or think you should trust. Criminals steal credentials using phishing and then do further harm, using those compromised credentials to log in and send malicious or fraudulent content to your contacts.
Phishing is not limited to email. These scams are also delivered via SMS, instant messaging and social media, and pretend to be trusted organisations such as:
- State and Territory police or law enforcement
- utilities such as telecommunications, postal services, power and gas companies
- banks, and other financial institutions
- Government departments, such as the Australian Taxation Office, Centrelink and Medicare, or government services such as myGov.
Reputable organisations will not contact you unsolicited by call, SMS or email asking you to verify or update your information. This includes companies such as Amazon, PayPal, Google, Apple and Facebook. When you receive unsolicited contact from an organisation, there are a number of simple things you can do to keep yourself safe.
Many organisations publish security pages that list active scams using their branding. If a message seems suspicious, contact the person or organisation separately, using contact details you have verified independently of the message, to check whether they actually sent it.
Tips For Stopping BEC
How Business Email Compromise Attacks Happen
BEC attacks exploit human psychology rather than a technical vulnerability, so they pass straight through the usual security systems that look for malicious attachments or content. That makes them both easier for scammers to run and very lucrative.
Often, impostors pose as a manager or a member of the C-suite and email potential victims with an ‘urgent’ request, usually to send money by wire transfer, which is difficult to trace and recover. In 2019, UK Finance recorded over 122,000 instances of this scam, which cost UK businesses gross losses of £455.8 million.
The non-profit organisation Save the Children was the victim of a BEC attack in 2018. Cybercriminals compromised an employee’s email account and used it to send fraudulent invoices and documents linked to a project in Asia. This cost the organisation an estimated £718,615.
Why Compromise A Business Email Account
BEC is a tried-and-tested cyberattack method that costs consumers and businesses billions every year. So what makes BEC such a prevalent cybercrime technique?
Simply put: cybercriminals use BEC as a way to make social engineering attacks more effective.
A social engineering attack is any cybercrime that manipulates a person rather than exploiting a technical flaw, and impersonation is its usual vehicle: the attacker pretends to be a trusted person so that the target does what they are told. According to Verizon's 2021 Data Breach Investigations Report, BEC is the second-most common type of social engineering attack.
Here are some examples of social engineering attacks that can involve BEC:
- Phishing: A social engineering attack conducted via email
- CEO fraud: A phishing attack in which the attacker impersonates a company executive
- Whaling: A phishing attack targeting a corporate executive
- Wire transfer fraud: A phishing attack in which the attacker persuades the target to transfer money to an account the attacker controls
All of these social engineering attacks involve some form of impersonation. Fraudsters use every tool available to make the impersonation more convincing, and one of the best tools available is a genuine, or genuine-looking, business email address.
BEC attacks target both individuals and businesses, and the attacker uses the spoofed or compromised address to gain access to one of the following:
Encourage Employees To Challenge Suspicious Requests
Employees sometimes rush an action or a response, so training them to double-check before executing a task reduces the risk of being compromised by an attack.
Take as an example an email that appears to come from a senior executive, requesting that a large sum of money be sent urgently.
Employees should understand that it is better to delay the payment than to be scammed, and should take the proper steps to confirm that the request is actually legitimate.
Another aspect that needs to be better understood and applied, especially in larger companies, is making employees comfortable contacting their managers not only by email but also through alternative channels such as internal chat, SMS or a phone call. The check must go over a channel the suspicious email did not supply: a phone number taken from the message itself leads back to the attacker.
Any organization requires effective communication. Organizations must have complete policies and methods for communicating with their constituents, workers, and stakeholders, as well as the general public, in order to be successful.
How Weak Credentials & Data Breaches Lead To Business Email Compromise
The days of using only a password to access web accounts or company IT systems are fast coming to an end, and for good reason. Many of the major breaches of modern times have begun with the exposure of login credentials. A 2016 report found that 97% of Fortune 1000 companies had suffered employee credential exposure, leaving them open to a data breach. The 2017 Verizon Data Breach Investigations Report concurs, finding that 81% of hacking-related breaches involved weak or stolen passwords. Some of the highest-profile breaches of 2017, such as Uber's and Equifax's, involved exposed administrative credentials. The impact of a breach that starts with exposed credentials can be limited by multi-factor authentication.
How Does Email Compromise Work
A typical Business Email Compromise attack targets one or more employees. Essentially it is a type of targeted phishing scam in which the attackers pretend to be high-level managers, legal representatives, CEOs or other C-suite executives, often someone an employee feels they should not challenge.
The most straightforward form of the attack uses an email address or domain that closely resembles the target company's, or simply compromises the real account. The email then tricks an employee into handing over sensitive data or carrying out a financial transaction, often stating that the action is urgent and cannot wait. The messages are designed to add pressure and to exploit emotions such as fear and trust.
These scams can be very damaging to large and small businesses alike. Small to mid-size companies increasingly rely on remote team members and contractors, plus regular but small-scale suppliers. Not only is email the main form of communication, but the trust implicit within smaller teams and business networks often means people act without question.
How A BEC Scam Works
Like all social engineering attacks, BEC fraud relies on the human factor in order to succeed: it exploits people's innate tendency to be social and cooperative.
Because people have a natural desire to be helpful and to prove their usefulness, they are prone to becoming victims of BEC attacks. The impulse to say yes quickly to a request from management overrides the need to double-check whether everything about that request is in order.
In most BEC attacks, there are three major stages:
How To Stop Scam Emails
Last year, Forbes reported that over 320 billion spam emails are sent every single day, and email remains the delivery channel for around 94% of the world's malware. Fortunately, there are several ways to put a stop to these digital pests, enabling you to better safeguard your business, clients, employees and internal data, not to mention your funds.
What are some of these methods? For starters, don't give out your email address indiscriminately; that is like opening the blinds at night, turning on the lights and letting everyone see inside. Contact forms on your company's website should route to a dedicated support or contact mailbox rather than to specific employees' addresses. Consider using throwaway addresses, otherwise known as burners, for sign-ups to form a further line of digital defence.
In addition, dedicated spam filtering software, network monitoring and cyber security services, and training employees on the red flags to look for can save you a lot of stress in the long run. Most importantly, never open a link in, or respond to, an email that looks suspicious. Watch for improper capitalisation, low-quality writing, grammatical errors, typos and blurry logos that appear to have been pasted in; legitimate senders, especially government organisations, local authorities and corporations, normally edit their messages before sending. Note that a BEC message is often short and clean, with no link or attachment at all, so these cues help but are not sufficient on their own.
Better Protect Your Company Assets By Learning How To Identify And Help Avoid BEC Scams Targeting Your Business
Among the most common types of B2B payment and business fraud is Business Email Compromise (BEC), also referred to as Email Account Compromise (EAC). In a BEC scam, criminals use email messages that appear to come from a known source in order to redirect payments. These scams cost companies billions of dollars annually but can be prevented with proper procedures and training.
BEC is a fast-growing cybercrime technique that's garnered a lot of attention in recent years due to the number of reported instances as well as the magnitude of losses associated with it, impacting small businesses and large corporations alike.
Understanding what BEC is, how to spot it and how to report it is crucial in helping maintain the safety of your company and its assets. Here's more information on this cybercrime.
Preventing Business Email Compromise Attacks
Given how staggeringly expensive a single business email compromise incident can be, it is advisable to take proactive steps to prevent attackers from using this tactic to defraud your business. The following strategies help prevent business email compromise incidents.
1. Train your employees to recognize BEC scams. Your security awareness training should cover how to spot phishing emails and the procedure for responding to suspicious messages, according to a public service announcement from the FBI's Internet Crime Complaint Center (IC3).
While BEC scams used to typically involve an attacker spoofing or taking over the email account of a CEO or CFO and asking for wire payments, they have evolved over the years, according to the 2020 Internet Crime Report. Cybercriminals may also pose as vendors or lawyers and ask for gift cards or W-2 information.
Other red flags include an emphasis on urgency, requests to keep the interaction secret, and a sending domain that looks legitimate but is off by one letter, according to the Deloitte article 5 ways to mitigate the risks of business email compromise attacks.
3. Add banners or flags to external emails. Warn recipients, in the subject line or the body, when a message comes from a sender outside your organization, as advised by the Center for Internet Security (CIS). This is usually done with a transport (mail flow) rule applied to inbound messages on your mail server.
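As an added example (not code from this page, from IC3, Deloitte or CIS, nor from any product), the Python script below models both controls together: the external-sender banner that a transport rule stamps on inbound mail (item 3) and a scoring pass for the red flags listed above, namely an executive's display name on a foreign address, a domain one character off the company's, urgency, secrecy, and a payment or data request. It also checks one indicator the text does not list, a Reply-To that points at a different domain from the From address. The organisation domain example.com, the executive directory, the keyword lists and the three sample messages are all constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation and executive directory, constructed for this example.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}
# Phrases for the red flags named in the text: urgency, secrecy, payment or data requests.
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|right away|today|before 5 ?pm)\b", re.I)
SECRECY = re.compile(r"\b(confidential|between us|do not (?:tell|discuss|mention))\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|gift cards?|bank details|account number|W-?2s?)\b", re.I)
SUBJECT_TAG = "[EXTERNAL]"
BODY_WARNING = "CAUTION: this message came from outside the organisation. Verify any payment or data request by phone before acting.\n\n"


def edit_distance(a, b):  # Levenshtein distance; catches domains that are off by one character
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def text_parts(msg):  # text/plain parts, for single-part and multipart mail alike
    return [p for p in msg.walk() if p.get_content_type() == "text/plain"]


def part_text(part):
    raw = part.get_payload(decode=True) or b""
    return raw.decode(part.get_content_charset() or "utf-8", "replace")


def analyse(raw):
    """Score one inbound message for the BEC indicators described in the text."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    content = msg.get("Subject", "") + "\n" + "\n".join(part_text(p) for p in text_parts(msg))
    external = from_domain not in ORG_DOMAINS
    flags = ["external_sender"] if external else []
    if any(d != from_domain and edit_distance(d, from_domain) <= 1 for d in ORG_DOMAINS):
        flags.append("lookalike_domain")  # e.g. examp1e.com standing in for example.com
    real_addr = EXECUTIVES.get(display_name.strip().lower())
    if real_addr and real_addr != from_addr.lower():
        flags.append("executive_name_on_foreign_address")
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply_to_mismatch")  # replies are steered to a different mailbox
    for name, pattern in (("urgency", URGENCY), ("secrecy", SECRECY), ("payment_or_data_request", PAYMENT)):
        if pattern.search(content):
            flags.append(name)
    # Hold rule: a payment/data request paired with an identity red flag or with pressure
    # (urgency, secrecy) is held until verified over a channel the email did not supply.
    risky = {"lookalike_domain", "executive_name_on_foreign_address", "reply_to_mismatch", "urgency", "secrecy"}
    hold = "payment_or_data_request" in flags and bool(risky & set(flags))
    return {"external": external, "flags": flags, "hold_for_verification": hold}


def tag_external(raw):
    """Model of the transport-rule banner: mark mail whose From domain is outside the org.
    Assumes 7bit/8bit text parts; base64 or quoted-printable parts are not re-encoded here."""
    msg = message_from_string(raw)
    if domain_of(parseaddr(msg.get("From", ""))[1]) in ORG_DOMAINS:
        return raw
    subject = msg.get("Subject")
    if subject is None:
        msg["Subject"] = SUBJECT_TAG
    elif not subject.startswith(SUBJECT_TAG):  # don't stack tags along a reply chain
        msg.replace_header("Subject", f"{SUBJECT_TAG} {subject}")
    for part in text_parts(msg):
        text = part_text(part)
        if not text.startswith(BODY_WARNING):
            part.set_payload(BODY_WARNING + text)
    return msg.as_string()


# Constructed sample messages (not real traffic); no Content-Type header, so text/plain is assumed.
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Subject: Urgent wire transfer today

I'm in meetings all day. Please wire $48,500 to the new supplier account
before 5pm and keep this confidential until the deal is announced. Jane
"""
VENDOR = """\
From: Acme Billing <billing@acme-supplies.example.net>
Reply-To: billing@acme-supplies-invoices.example.org
Subject: Updated bank details for invoice 2231

Our bank details have changed; please use the new account on all future payments.
"""
INTERNAL = """\
From: "Sam Lee" <sam.lee@example.com>
Subject: Lunch on Friday?

Anyone up for lunch at noon on Friday?
"""
if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("vendor", VENDOR), ("internal", INTERNAL)):
        print(label, analyse(raw))
    print(tag_external(SUSPICIOUS))
```

The banner keys on the From header domain, exactly as a mail flow rule does, so a message sent from a genuinely compromised internal account, like the Save the Children case above, carries no banner at all; that is why the hold rule also fires on urgency or secrecy alone when money or data is requested. The output is a reason to pause and verify, not a verdict, and the verification call goes to a number already on file, never one taken from the message.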