From the Frontlines: the Surge in Business Email Compromise Attacks

Email has seen a surge in cybercrime, particularly Business Email Compromise (BEC). Falling prey to BEC can result in severe financial and reputational damage.

BEC attacks rose by 81% in 2022, with a shocking 98% of employees failing to report the threat.

What is Business Email Compromise (BEC)?

Business Email Compromise, or BEC, is a scam targeting businesses and individuals involved in wire transfer payments. Scammers masquerade as executives or trusted partners, manipulating employees, customers, or vendors into making fraudulent payments. 

FBI data shows that BEC scams cost businesses a staggering $1.8 billion in 2020, soaring to $2.4 billion in 2021, wreaking financial havoc and destroying reputations. We will explore BEC intricacies and reveal strategies to safeguard against this digital menace.

How Does Business Email Compromise Work?

As a first step, the attacker conducts thorough research on the target organization and its employees, gathering information from freely available sources like LinkedIn, Facebook, and company websites. You’d be surprised how complete a picture can be put together from publicly available online resources. They then write a convincing email using this knowledge, posing as a high-level executive or trusted partner.

Urgent, sometimes borderline aggressive payment requests and a sense of confidentiality add to the deception (“Please keep it between us”), while social engineering tactics and fake websites enhance the email’s legitimacy. If the recipient falls for the scam, the attacker flees with the funds, leaving the victim with substantial financial losses.

What can you do against BEC?

There are actionable steps that your organization can take to significantly reduce the risk of becoming a victim of this type of scam.

Educate Employees to Tackle BEC

The arguably easiest and most beneficial action you can take is to educate employees about the dangers and help them recognize threats from a mile away.

Start by giving your team the training needed to spot and steer clear of these scams: familiarize them (or share this blog post) with scammers’ common tactics, such as urgent requests, social engineering ploys, and deceptive fake websites.

Second, take a look at your email account security. Make sure your team is well-versed in these best practices:

  • Check their sent folder regularly for any strange messages
  • Use a strong email password with at least 12 characters, ideally a unique, scrambled password
  • Change their email password regularly
  • Store their email password in a secure manner, such as in a Password Manager
  • Notify your IT team if they suspect a phishing email – better safe than sorry

By promoting a culture of vigilance, you help your team stay secure and protect your organization.

Enable Email Authentication

Securing your organization’s email with robust authentication protocols is now a practical necessity.

To verify the legitimacy of the sender’s email address and stop email spoofing in its tracks, you need to have these email authenticators set up:

  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)
  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)

By implementing these authentication measures, you also enhance the deliverability of your emails, so you don’t have to worry about landing in users’ junk boxes anymore.

Not sure if you have email authentication enabled?
Try MX Toolbox, a free tool where you type in your email domain and it gives you information about your email setup. Check it out for yourself here: 
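The three records above are all published as DNS TXT records, and a lookup tool only helps if you know what a weak answer looks like. The script below is an added example, not code from the original article or from MX Toolbox: it audits SPF, DKIM and DMARC records for the settings that still let spoofed mail through (an SPF record ending in `+all`, a DMARC policy of `p=none`, a missing DKIM key). The domain names, the DKIM selector `mail` and the records in `SAMPLE_ZONE` are constructed for the example, and `dns_lookup()` stands in for a real DNS query so it runs offline.

```python
"""Audit SPF, DKIM and DMARC TXT records for settings that still let spoofed mail through.

Added illustration, not code from the original article or MX Toolbox. The
records in SAMPLE_ZONE are constructed strings, and dns_lookup() is a stand-in
for a real DNS TXT query so the script runs offline. Domain names and the
DKIM selector "mail" are assumptions for the example.
"""

# Constructed sample answers a resolver might return for TXT lookups.
SAMPLE_ZONE = {
    # Weak setup: SPF ends in +all (anyone passes), DMARC only monitors, no DKIM key.
    "example-weak.test": ["v=spf1 include:_spf.mailhost.test +all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"],
    # Hardened setup: SPF hard-fails, DMARC rejects, DKIM key published.
    "example-good.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.example-good.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test; adkim=s; aspf=s"
    ],
    "mail._domainkey.example-good.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
}


def dns_lookup(name, zone=SAMPLE_ZONE):
    """Stand-in for a DNS TXT query; returns the list of TXT strings for `name`."""
    return zone.get(name, [])


def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, zone=SAMPLE_ZONE):
    findings = []
    spf = [r for r in dns_lookup(domain, zone) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record, so spoofed mail never fails an SPF check"]
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record; receivers treat this as an error")
    all_term = None
    for term in spf[0].split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            all_term = term
    # No qualifier means "+", i.e. pass everyone, which makes the record useless.
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
    if all_term is None or qualifier in "+?":
        findings.append(f"SPF: 'all' is missing or permissive ({all_term!r}); end the record with -all or ~all")
    return findings


def check_dkim(domain, selectors=("mail",), zone=SAMPLE_ZONE):
    """DKIM keys live under <selector>._domainkey.<domain>; selectors come from your mail provider."""
    for selector in selectors:
        for record in dns_lookup(f"{selector}._domainkey.{domain}", zone):
            if parse_tags(record).get("p"):      # an empty p= means the key was revoked
                return []
    return [f"DKIM: no public key found for selectors {list(selectors)}; receivers cannot verify signatures"]


def check_dmarc(domain, zone=SAMPLE_ZONE):
    records = [r for r in dns_lookup(f"_dmarc.{domain}", zone) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["DMARC: no record, so receivers are never told to reject mail that fails SPF/DKIM"]
    tags = parse_tags(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy p={policy or 'missing'} only monitors; move to quarantine, then reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports on who is sending as you")
    return findings


def audit(domain, selectors=("mail",), zone=SAMPLE_ZONE):
    """Return every finding for the domain; an empty list means all three checks passed."""
    return check_spf(domain, zone) + check_dkim(domain, selectors, zone) + check_dmarc(domain, zone)


if __name__ == "__main__":
    for name in ("example-weak.test", "example-good.test"):
        print(name, "->", audit(name) or ["no findings"])
```

To run this against your own domain, replace `dns_lookup()` with a real TXT query and pass the DKIM selectors your mail provider gave you; selectors are not discoverable from DNS alone, which is why the script takes them as an argument.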

Set up a Payment Verification Process

Setting up an internal Payment Verification Process helps keep your financial transactions safe. For example, requiring two-factor authentication adds an extra layer of protection by ensuring that only authorized employees can approve payments.

We can go even further by implementing a protocol called “confirmation from multiple parties,” which ensures that every wire transfer request is legitimate. It boils down to a double-check system in which two or more trusted users verify any financial payment request.
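The rule above is easy to state but has edge cases worth getting right: the person who raised the request must not count as one of the confirmers, one person confirming twice is still one confirmation, and a request that is changed after it was confirmed (the classic “please use our new bank account” follow-up) must lose its confirmations. The following added example, not code from the original article, models that dual-control check in a small Python class; the user names, the approver list and the sample payment are constructed.

```python
"""Dual-control release of outgoing payments.

Added illustration, not code from the original article: it models the
"confirmation from multiple parties" rule. The user names, the approver
list and the sample payment are constructed.
"""

APPROVERS = {"alice", "bob", "carol"}   # constructed: users allowed to approve payments
REQUIRED_APPROVALS = 2                   # two or more trusted users must confirm


class ApprovalError(Exception):
    """Raised when someone who may not approve a payment tries to."""


class PaymentRequest:
    def __init__(self, requester, beneficiary, account, amount):
        self.requester = requester
        self.beneficiary = beneficiary
        self.account = account
        self.amount = amount
        self._approvals = {}   # approver -> fingerprint of the request they confirmed

    def fingerprint(self):
        """Who gets paid, where, and how much. Any change makes earlier approvals stale."""
        return (self.beneficiary, self.account, round(self.amount, 2))

    def approve(self, approver, approvers=APPROVERS):
        if approver not in approvers:
            raise ApprovalError(f"{approver} is not an authorized approver")
        if approver == self.requester:
            raise ApprovalError("the requester cannot confirm their own payment")
        # A dict keyed by approver means the same person approving twice still counts once.
        self._approvals[approver] = self.fingerprint()

    def valid_approvals(self):
        """Approvals that were given for the payment details as they are right now."""
        current = self.fingerprint()
        return sorted(a for a, seen in self._approvals.items() if seen == current)

    def can_release(self):
        return len(self.valid_approvals()) >= REQUIRED_APPROVALS


def release(request):
    """Send the payment only when dual control is satisfied; otherwise refuse."""
    if not request.can_release():
        raise ApprovalError(
            f"blocked: {len(request.valid_approvals())} of {REQUIRED_APPROVALS} valid approvals"
        )
    return f"released {request.amount:.2f} to {request.beneficiary} ({request.account})"


def walkthrough():
    """Scenario: a request goes through the control step by step. Returns the outcomes."""
    outcomes = []
    req = PaymentRequest("alice", "Acme Supplies", "ACCT-0001", 48500.00)   # constructed
    for user in ("alice", "mallory", "bob", "bob"):
        try:
            req.approve(user)
            outcomes.append(f"{user}: approved")
        except ApprovalError as err:
            outcomes.append(f"{user}: refused ({err})")
    outcomes.append(f"after one valid approval: can_release={req.can_release()}")
    req.approve("carol")
    outcomes.append(release(req))
    # A "please use our new bank account" change after approval resets the count.
    req.account = "ACCT-9999"
    try:
        release(req)
    except ApprovalError as err:
        outcomes.append(str(err))
    return outcomes


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

In practice each confirmation should be obtained through a channel other than the email that carried the request (a phone call to a known number, or an in-person check), since an attacker who controls the mailbox can answer an emailed “is this genuine?” question themselves.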

Create a solid Incident Response Plan

Every organization should have a written, up-to-date response plan for BEC incidents.

First, you need to establish clear procedures for reporting any BEC incident that occurs — it’s all about prompt action. If any of your employees suspect something fishy, they need to know exactly whom to notify within your organization or your IT Support team.

Next, you should be ready to freeze any suspicious transfers quickly, as halting that transfer can save your organization from financial losses and further harm.

Last but not least, looping in the authorities (more specifically, law enforcement) is crucial. They’ve got the expertise and resources to tackle these cyber criminals. You can report an internet crime through the FBI’s Internet Crime Complaint Center.

Use Anti-Phishing Software

With advances in AI and machine learning, anti-phishing tools can detect and block phishing attempts effectively.

Since the use of AI in phishing attacks is also on the rise, these attacks are becoming increasingly sophisticated and can catch even the savviest of us off guard. That’s why it’s important for organizations to take proactive steps to protect themselves.

By setting up anti-phishing email software, we’re adding an extra layer of defense against these cyber threats. You can breathe easier knowing that your systems have smart technology that keeps those fraudulent emails at bay.

Need Help with Email Security Solutions? We’ve Got Your Back!

We understand the need to safeguard your hard-earned finances. With our top-notch email security solutions, you can have peace of mind knowing that your accounts are protected. We have the expertise and tools to keep scammers at bay, ensuring that your funds stay right where they belong.

Protek-IT has protected small businesses and nonprofit organizations in Chicago for years, ensuring they stay one step ahead of scammers and email threats.

Reach out to us, and let’s have a chat about how our email security solutions can fortify your business against potential threats!

Article used with permission from The Technology Press.