Business Email Compromise (BEC) schemes have skyrocketed since 2015. With over 40,000 reported cases in the United States and abroad, these scams have caused more than $5.3 billion in actual and attempted losses.
We put together a fast walkthrough of what a business email compromise is, and how you can better secure your company to help you stay one step ahead of this multibillion-dollar threat.
What is a BEC attack: how does it work?
A Business Email Compromise attack is one in which a cybercriminal takes over, or convincingly spoofs, a business email account in order to deceive the people who receive mail from it. Typically the attacker poses as the company's CEO or as one of its vendors and requests a legitimate-looking business payment.
The email looks genuine and appears to come from a familiar authority figure, so the recipient complies. The fraudster usually asks for a wire transfer or for a check to be deposited. The fraud has since grown beyond money, however: the same technique is used to steal confidential information, such as payroll and tax forms.
What can I do to protect my business from a BEC attack?
Although some BEC attacks use malware, most rely on social engineering, against which antivirus, spam filters and email whitelisting are largely ineffective. The most effective countermeasure is therefore to educate employees and put internal prevention procedures in place, especially for the frontline employees who are most likely to be targeted by the initial approach. Here are some self-defense tactics to help avoid compromise.
1. Train users to identify these common cybercriminal impersonation tactics
To stick, user education must be reinforced regularly. Any employee who uses email should be able to recognize a phishing attempt or a spoofed message, and that skill is built through training and drills with simulated attacks. The most common forms of attack include:
- Domain name spoofing: Forging the "mail from" (envelope sender) or the "Reply-To" domain in the message header so that the message appears to come from a trusted domain. A quick look at the raw message headers often reveals a Return-Path or Reply-To address whose domain does not match the From address.
- Lookalike domain spoofing: Registering domains that differ from the legitimate one by one or two similar-looking characters, then sending phishing emails from them so the recipient believes the mail comes from a legitimate source. For example, an upper-case I can stand in for a lower-case l.
- Compromised email account: Stealing data or money using a legitimate email account whose credentials were obtained through malware or social engineering. Because the mail genuinely comes from the real account, header checks will not reveal it; only the content of the request can.
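The checks described in the three bullets above can be automated. The following is an added example, not code from the original article: it parses a raw message with Python's standard library, compares the Return-Path and Reply-To domains with the From domain, and tests every sender-side domain against a hypothetical TRUSTED_DOMAINS set for lookalikes (confusable characters, or one dropped, doubled or substituted letter). The sample messages and the confusable-character list are constructed for the example.

```python
# Added example (not from the original article): flag the three impersonation
# tactics described above in a raw message. TRUSTED_DOMAINS is an assumption
# standing in for the domains the company legitimately sends from.
import unicodedata
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: our own sending domain(s)

# Constructed, non-exhaustive table of characters that read like another letter
# once lower-cased. The Cyrillic entries are distinct code points from their
# Latin lookalikes, which is why a plain string comparison misses them.
CONFUSABLE_CHARS = str.maketrans({
    "1": "l", "i": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalize(domain):
    """Collapse a domain to a skeleton in which confusable spellings coincide."""
    skeleton = unicodedata.normalize("NFKC", domain.lower()).translate(CONFUSABLE_CHARS)
    return skeleton.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; catches dropped, doubled or substituted letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    findings = []

    # Domain name spoofing: the envelope sender (Return-Path) or the Reply-To
    # points somewhere other than the domain shown in From.
    for header in ("Return-Path", "Reply-To"):
        domain = domain_of(msg[header])
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain!r} differs from From domain {from_domain!r}")

    # Lookalike domain: any sender-side domain that is not ours but collapses to,
    # or is one edit away from, one of our domains.
    for domain in {from_domain, domain_of(msg["Reply-To"])} - {"", *TRUSTED_DOMAINS}:
        for trusted in TRUSTED_DOMAINS:
            if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
                findings.append(f"{domain!r} looks like trusted domain {trusted!r}")

    # A compromised account leaves no header trace: From, Return-Path and
    # Reply-To all match and the mail really is ours. Only the request itself
    # can reveal it, so an empty result here is not a clean bill of health.
    return findings


# Constructed sample messages (not real mail). Note the upper-case I in the
# From domain of the spoofed message and the free webmail Reply-To.
SPOOFED = """\
Return-Path: <bounce@mail-relay.invalid>
From: "Alice Chief" <alice.chief@exampIe.com>
Reply-To: "Alice Chief" <alice.chief@freemail.invalid>
To: bob@example.com
Subject: Urgent wire transfer

Bob, please process the attached invoice today.
"""

LEGITIMATE = """\
Return-Path: <alice.chief@example.com>
From: "Alice Chief" <alice.chief@example.com>
To: bob@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for finding in analyze(SPOOFED):
        print("SPOOFED:", finding)
    print("LEGITIMATE:", analyze(LEGITIMATE) or "no header findings")
```

Run as a script, it prints three findings for the spoofed message (Return-Path mismatch, Reply-To mismatch, and the lookalike domain) and none for the legitimate one. The skeleton comparison deliberately normalizes both sides the same way, so a legitimate domain that happens to contain "rn" is not flagged against itself.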
2. Avoid free web-based email accounts
Register a company domain and create email accounts on it instead of using accounts from a free email provider. Anyone can register a free webmail address that resembles an employee's name, and you cannot protect such accounts with your own domain's authentication records.
3. Authorize multi-factor authentication for business email accounts
Require two factors to log in: a password plus a second form of verification, such as a one-time verification code. Because a stolen password alone is then no longer enough to get in, MFA makes it much harder for an attacker to take over an employee's mailbox and run a BEC attack from it.
4. Be cautious of emails from suspicious senders.
Spoofed and phishing emails usually carry tell-tale signs. Not every email from an unknown sender is dangerous; it may be a new client or a possible lead, which is why the recipient's judgement and knowledge matter. In any case, people should avoid clicking links or opening attachments from untrusted sources, because they can carry malware that gives the attacker access to the device.
5. Make sure your domain is secure
To trick BEC victims, lookalike domain spoofing uses minor variations of your legitimate domain name. Registering the domain names closest to yours, and monitoring registrations of the rest, removes the attacker's easiest options and goes a long way toward preventing the spoofing at the core of most successful attacks.
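To know which names are worth registering, enumerate them. The following is an added example, not code from the original article: it generates the one-edit variants of a domain (dropped, doubled or swapped letters, plus ASCII homoglyph substitutions from a constructed list) so you can register the most convincing ones and put the rest on a monitoring list. Internationalized (punycode) homoglyphs are a further set this example does not generate.

```python
# Added example (not from the original article): enumerate one-edit lookalikes
# of your own domain. HOMOGLYPHS is a constructed, ASCII-only substitution list.

HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"],
    "m": ["rn", "nn"], "n": ["m"], "w": ["vv"], "u": ["v"], "v": ["u"],
}


def lookalike_candidates(domain):
    """Return sorted one-edit variants of domain, keeping the TLD unchanged."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                        # omission
        variants.add(name[:i] + ch + name[i:])                       # repetition
        if i + 1 < len(name):                                        # transposition
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for glyph in HOMOGLYPHS.get(ch, []):                         # homoglyph
            variants.add(name[:i] + glyph + name[i + 1:])
    variants.discard(name)
    return sorted(f"{v}.{tld}" for v in variants if v)


if __name__ == "__main__":
    for candidate in lookalike_candidates("example.com"):
        print(candidate)
```

The list grows quickly with name length, so in practice you register the handful that look identical at a glance (the homoglyph and "rn"/"m" cases) and feed the rest to a registration-monitoring service.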
6. Check the sender’s email address twice
The display name, and often the part before the @, of a spoofed address matches the real one; the difference is in the domain. For example, instead of the legitimate firstname.lastname@example.org, a fake address such as web@xyzcompany.com is used. Read the full address, not just the display name your mail client shows.
7. Company emails should be “forwarded,” not “replied” to
When you forward a message instead of replying to it, you have to type the recipient's address yourself or pick it from the address book. A reply, by contrast, goes to whatever Reply-To address the sender set, which in a spoofed message is the attacker's. Forwarding guarantees that you use the address you know for the intended recipient.
8. Don’t overshare on social media
Be cautious about posting very detailed job descriptions, the email addresses of upper management, or pictures whose background screens reveal internal information on social media and websites.
9. Always double-check before sending money or sensitive information
Employees should always confirm email requests for wire transfers or sensitive information through a second channel: in person for highly sensitive cases, or by phone using a number the client provided previously, never a number taken from the suspicious email itself.
10. Implement and Check SPF, DKIM and DMARC records
Anti-spoofing and email authentication standards that use DNS records to verify the sender of an email include:
- SPF (Sender Policy Framework): a TXT record listing the hosts allowed to send mail for your domain.
- DKIM (DomainKeys Identified Mail): a cryptographic signature added to outgoing mail and verified against a public key published in DNS.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): a policy record telling receivers what to do with mail that fails SPF or DKIM alignment with the From domain, and where to send reports.
Make sure your domain publishes valid SPF, DKIM and DMARC records and that your mail server or provider checks them on all inbound email. Be clear about what these standards do and do not achieve: they let receivers reject mail that forges your exact domain, but they do nothing against lookalike domains or against messages sent from a compromised account, and they protect you only to the extent that other receivers enforce your policy.
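To see what "valid" means in practice, it helps to parse the records and apply the policy the way a receiver does. The following is an added example, not code from the original article: it parses SPF and DMARC TXT records, reports weak settings (a weak record beside its corrected form), and evaluates the DMARC alignment check for one message. All records and message identifiers are constructed; in practice you would fetch them with `dig TXT example.com` and `dig TXT _dmarc.example.com`. The organizational-domain computation is simplified to the last two labels, whereas real receivers consult the Public Suffix List.

```python
# Added example (not from the original article): parse SPF and DMARC records,
# audit weak settings, and apply DMARC alignment to one message. Records are
# constructed for the example.

DNS_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Split an SPF record into (qualifier, term) pairs. Default qualifier is '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed


def audit_spf(record):
    """Return the settings that let unauthorised hosts send as this domain."""
    issues = []
    mechanisms = parse_spf(record)
    verdicts = [q for q, m in mechanisms if m == "all"]
    if not verdicts:
        issues.append("no 'all' mechanism: hosts not listed get a neutral result")
    elif verdicts[-1] == "+":
        issues.append("'+all' authorises every host on the internet")
    elif verdicts[-1] == "?":
        issues.append("'?all' gives no verdict for unlisted hosts")
    if any(m == "ptr" or m.startswith("ptr:") for _, m in mechanisms):
        issues.append("'ptr' is deprecated (RFC 7208) and unreliable to evaluate")
    lookups = sum(m.split(":")[0].split("=")[0] in DNS_LOOKUP_TERMS for _, m in mechanisms)
    if lookups > 10:
        issues.append("more than 10 DNS-querying terms: receivers return permerror")
    return issues


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list as used by DMARC (and DKIM) records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return the settings that leave spoofed mail deliverable or unreported."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid 'p=' policy")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports go nowhere")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        issues.append("sp=none leaves subdomains unprotected")
    return issues


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (see lead-in)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' strict = exact match, 'r' relaxed = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply the sender's DMARC policy to one message.

    spf_domain is the envelope MAIL FROM (Return-Path) domain that SPF checked;
    dkim_domain is the d= tag of a DKIM signature that verified. Either identifier
    passing *and* aligning with From is enough. Returns (passes, action), where
    action is 'deliver' or the p= policy to apply.
    """
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r").lower())
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r").lower())
    passes = spf_ok or dkim_ok
    return passes, "deliver" if passes else tags.get("p", "none").lower()


# Constructed records: the weak setting beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.example.net ptr +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec, audit in (("weak SPF", WEAK_SPF, audit_spf), ("strong SPF", STRONG_SPF, audit_spf),
                              ("weak DMARC", WEAK_DMARC, audit_dmarc), ("strong DMARC", STRONG_DMARC, audit_dmarc)):
        print(label, audit(rec) or "OK")
    # A forged From: example.com relayed from elsewhere with no DKIM signature is rejected.
    print(dmarc_verdict(STRONG_DMARC, "example.com", "pass", "mail-relay.invalid", "fail", ""))
```

Two things the script makes visible: a message can pass SPF for the relay's own domain and still fail DMARC because the passing identifier does not align with the From domain, and with strict alignment even bounce.example.com is not considered the same as example.com, which is why enforcing p=reject needs every legitimate sending path to be checked first.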
11. Know the preferences of your clients and vendors
Be wary of any abrupt change in business practices. If a business contact who has always written from a company email address suddenly asks you to use a personal one, or to change where payments are sent, it may be a scam. Verify the request through a channel other than email, such as a phone number you already have on file.
BEC attacks may not be as well known as other crimes such as ransomware, but they pose a serious threat to businesses of all sizes. Most attempts can be stopped by combining email security best practices with training. If you suspect an attack on your business, letting the heads of IT and finance know early on could save the company in the long run.