Email is perhaps the most pervasive tool in the world to conduct business. Just as our dependence on digital technology grows at an increasing rate, cybercrime stays right in step, putting Cybersecurity constantly on the prowl for new solutions. A significant cyber threat facing businesses today is Business Email Compromise (BEC). It’s a monster and it is evolving and growing at a rapid rate.
BEC attacks jumped by 81% in 2022, and in 2023, some reports noticed a 108% increase in monthly attacks per 1,000 mailboxes. The biggest part of that problem is that approximately 98% of employees fail to report the threat.
What is a BEC attack?
BEC (Business Email Compromise) attacks are where criminals use email fraud to target victims including both businesses and individuals. They go where the money is, especially targeting those who perform wire transfer payments.
The scammer will usually present themselves as a high-level executive or business partner (whose email account they have spoofed or hacked), and send emails to employees, customers, or vendors. These emails typically request a payment or a transfer of funds in some form.
BEC scams cost businesses around $1.8 billion in 2020, increasing to $2.4 billion in 2021, and $2.94 billion in 2023, according to Statista. Scams such as these can cause severe financial damage to businesses and individuals as well as to their reputations.
What makes up a BEC attack?
BEC attacks are usually well-crafted and sophisticated making them more difficult to identify because a bit more planning goes into them than a typical phishing attack. The attacker will first research the target organization and its employees, gaining knowledge about the company’s operations, suppliers, customers, and business partners.
It’s no problem for scammers to find much of this information online, using sites like LinkedIn, Facebook, and organizations’ websites. Once the attacker has enough information, the stage is set for the attack.
That’s when the crooks craft a convincing email that appears to come from a trusted source and requests that the recipient make a payment or transfer funds. It usually emphasizes that the request is for an urgent and confidential matter like a new business opportunity, a vendor payment, or a foreign tax payment.
The email will often contain a ‘Call to Action,’ a sense of urgency, compelling the recipient to act quickly (without time to think things through). Think of those commercials that tell you “Act now, because this offer expires on Friday!” The attacker may also use social engineering tactics like posing as a trusted contact or creating a fake website that mimics the company's site. These tactics lend more legitimacy to the email.
The attacker wins if the recipient falls for the scam and makes the payment. It’s now your money in their pocket.
How can you protect against business email compromise phishing?
It’s challenging to prevent BEC scams, but there are measures businesses and individuals can take to lessen the risk of falling victim to them.
Security Awareness Training for Employees
Organizations need to educate their employees about many types of threats, but BEC is at the top of the list, because it is the one most likely to reach and touch them. It should be highlighted in ongoing Security Awareness Training. Employees need to know how to identify and avoid these scams, and they need to be given a procedure for reporting them. Employees should be aware of the tactics scammers use in BEC, like urgent requests, social engineering, and fake websites.
Training should also include email account security, including:
- Checking their sent folder regularly for any strange messages
- Using a strong email password with at least 12 characters using upper- and lower-case letters, numbers and symbols (lose the easily cracked ‘123456’)
- Changing their email password regularly
- Storing their email password in a secure manner
- Notifying an IT Services contact if they suspect a phishing email
Establish MFA or 2FA for Email Authentication
Protect mailboxes with Multifactor Authentication (MFA) or, at the very least, Two-Factor Authentication (2FA), and implement the email authentication protocols that let receiving servers verify mail sent in your domain's name.
These protocols include:
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
These protocols help receiving servers verify that a message really comes from the domain shown in the sender's address, which reduces the risk of email spoofing. Another benefit is that your own legitimate emails are less likely to end up in junk mail folders.
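As an added example (not code from the original post), the Python script below shows how SPF, DKIM and DMARC fit together when a receiving mail server checks an inbound message against the domain in its From: header. DNS lookups are replaced by a constructed in-memory table with hypothetical domains, SPF handling is reduced to ip4 mechanisms and the trailing "all" qualifier, and the DKIM signature verdict is taken as input rather than computed, so the whole thing runs offline. The last case in the block goes a step beyond the paragraph above: a message from a lookalike domain that publishes p=none passes through untouched, because DMARC only protects domains that publish a policy, which is why it complements rather than replaces awareness training.

```python
"""Offline simulation of SPF + DKIM + DMARC evaluation (added example).
DNS is replaced by FAKE_DNS; DKIM cryptography is out of scope."""
import ipaddress
from email.utils import parseaddr

# Constructed TXT records standing in for real DNS lookups (hypothetical domains).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none",   # lookalike domain with a monitor-only policy
}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record such as a DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_check(source_ip, mail_from_domain, dns=FAKE_DNS):
    """Simplified SPF: evaluates ip4 mechanisms and the trailing 'all' only."""
    record = dns.get(mail_from_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"                      # no SPF record published
    addr = ipaddress.ip_address(source_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return "pass"
        elif mech.endswith("all"):
            return {"-all": "fail", "~all": "softfail", "?all": "neutral",
                    "+all": "pass", "all": "pass"}.get(mech, "neutral")
    return "neutral"


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (no public suffix list here)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def domain_of(address):
    """Domain part of an address or 'Name <addr>' header value."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def dmarc_evaluate(from_header, mail_from, source_ip, dkim_result=None, dns=FAKE_DNS):
    """Combine SPF and DKIM with the From: domain's DMARC policy.

    dkim_result is (verdict, d= domain) as reported by a DKIM verifier, or None
    when the message is unsigned.  Returns (disposition, reason), where the
    disposition is 'pass', 'none', 'quarantine' or 'reject'."""
    from_domain = domain_of(from_header)
    record = dns.get("_dmarc." + from_domain) or dns.get("_dmarc." + org_domain(from_domain))
    if not record:
        return "none", "no DMARC record published for " + from_domain
    tags = parse_tags(record)

    spf_domain = domain_of(mail_from)
    spf_ok = (spf_check(source_ip, spf_domain, dns) == "pass"
              and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result is not None and dkim_result[0] == "pass"
               and aligned(dkim_result[1], from_domain, tags.get("adkim", "r")))

    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    policy = tags.get("p", "none")
    disposition = policy if policy in ("quarantine", "reject") else "none"
    return disposition, "no aligned authentication; policy p=" + policy


if __name__ == "__main__":
    # Constructed cases: genuine mail, a spoof of the protected domain, a lookalike domain.
    print(dmarc_evaluate("CFO <cfo@example.com>", "bounce@example.com", "203.0.113.10", ("pass", "example.com")))
    print(dmarc_evaluate("CFO <cfo@example.com>", "x@attacker.example", "198.51.100.7"))
    print(dmarc_evaluate("CFO <cfo@example.net>", "x@example.net", "198.51.100.7"))
```

The spoof of the protected domain is rejected because neither SPF nor DKIM produces an aligned pass and the domain publishes p=reject; the lookalike domain gets "none" because its own policy is p=none, so that message reaches the user and awareness training has to catch it.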
Set Up a Payment Verification Process
No matter what business you are in, you should deploy payment verification processes, such as two-factor authentication (2FA) and/or requiring confirmation from multiple parties. This ensures that all wire transfer requests are legitimate. It’s always better to have more than one person verify a financial payment request.
Establish a Response Plan
The Response Plan would be a sub-category of a general Incident Response Plan (IRP), which provides directives for threat events in general. Organizations should establish a response plan specifically for BEC incidents, including procedures for reporting the incident as well as freezing the transfer and notifying law enforcement.
Institute Anti-phishing Software
Good anti-phishing software does a lot of the heavy lifting, so seek out something that works with your processes and set it up (if you haven’t already). Two well-received tools are Ironscales and Trustifi, so they are a good place to start. They detect and block fraudulent emails. As AI and machine learning gain widespread use, these tools become more effective.
The use of AI as a key tool in phishing continues to increase. Businesses must be vigilant and take steps to protect themselves.
Frequently Asked Questions
What is considered a suspicious email?
The most obvious indication is that it’s just weird, like receiving a short message with a link or attachment from a friend or associate (who never sends you this type of thing) saying “I think you’ll get a kick out of this.” Also, getting generic greetings (or lack of greetings) when the sender should know you, misspellings, unofficial "from" email addresses, unfamiliar webpages, any email that requests personal information, and misleading hyperlinks are the most common indicators of a phishing attack.
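The indicators listed above can be turned into a simple triage check that a mail gateway or help desk script could run before a user acts on a message. The Python script below is an added example, not part of the original post: it scores a message by counting indicators (a generic greeting, urgency wording, a request for credentials or personal data, a Reply-To domain that differs from the From domain, a sender domain within two characters of one of the organisation's own domains, and hyperlinks whose visible text names a different host than the link target). The trusted domain list and both sample messages are constructed for the example; the real defence is still to report the message rather than act on it.

```python
"""Heuristic suspicious-email scoring (added example, not from the original post)."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the organisation's own mail domains (hypothetical).
TRUSTED_DOMAINS = {"example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|before (noon|friday)|act now)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear (customer|user|sir|madam|colleague)|hello,|hi,)", re.I)
PII_REQUEST = re.compile(r"\b(password|social security|account number|verify your (identity|account))\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL or bare domain; '' if the text is not URL-like."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname or ""
    return host.lower() if "." in host else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(msg):
    """msg: dict with 'from', optional 'reply_to', 'body_text', 'body_html'.
    Returns (score, reasons); each matched indicator adds one point."""
    reasons = []
    _, from_addr = parseaddr(msg.get("from", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    body = msg.get("body_text", "")

    if msg.get("reply_to"):
        _, reply_addr = parseaddr(msg["reply_to"])
        if reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
            reasons.append("reply-to domain differs from sender domain")

    if from_domain not in TRUSTED_DOMAINS and any(
            0 < edit_distance(from_domain, t) <= 2 for t in TRUSTED_DOMAINS):
        reasons.append(f"sender domain {from_domain!r} is a lookalike of a trusted domain")

    if GENERIC_GREETING.match(body):
        reasons.append("generic greeting")
    if URGENCY.search(body):
        reasons.append("urgency wording")
    if PII_REQUEST.search(body):
        reasons.append("requests credentials or personal data")

    parser = LinkExtractor()
    parser.feed(msg.get("body_html", ""))
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            reasons.append(f"link text shows {shown} but points to {actual}")
            break

    return len(reasons), reasons


# Constructed sample messages for the example.
PHISH = {
    "from": "CFO Jane Roe <jane.roe@examp1e.com>",
    "reply_to": "jane.roe.cfo@freemail-example.net",
    "body_text": "Dear colleague,\n\nI need you to process an urgent wire. Please confirm your account number so I can set it up.",
    "body_html": '<p>Log in at <a href="http://198.51.100.7/login">portal.example.com</a></p>',
}
LEGIT = {
    "from": "Sam Lee <sam.lee@example.com>",
    "body_text": "Hi Jane,\n\nThe Q3 vendor report is attached for review at our meeting next week.",
    "body_html": '<p>Notes are in <a href="https://wiki.example.com/q3">wiki.example.com/q3</a></p>',
}

if __name__ == "__main__":
    print(score_message(PHISH))   # constructed lure: every indicator fires
    print(score_message(LEGIT))   # ordinary internal mail: no indicators
```

A score is a prompt for the recipient to stop and report, not a verdict: a well-researched BEC message may trip only one or two of these checks, which is why the page pairs technical controls with payment verification and training.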
What action is required when you have received a suspicious email at work?
The first step is for the targeted employee to report it to management or IT support, but whether a company’s Policies & Procedures (P&P) actually require it is another matter. It needs to be required, or your IT Services team is left in the dark, with no idea how many attacks are attempted.
Should you report phishing emails to police?
Not necessarily the police per se, like the LAPD or your local police department, but you should file a complaint with the FBI’s Internet Crime Complaint Center (IC3). Reporting is easy and convenient.
What does an IC3 complaint do?
The IC3 (Internet Crime Complaint Center) reviews incoming complaints and refers actionable items to the appropriate law enforcement and regulatory agencies for criminal, civil, or administrative action, as appropriate. Investigations and any prosecutions are decided by the agency that receives the complaint.
How secure is your network?
As a longstanding, reputable member of the Charlotte IT Support community, ITFIRM.COM offers a FREE, no-risk network and Cybersecurity assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation to ever use our Managed IT Services.
The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.
We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.
Among the Managed IT services we provide:
- IT HelpDesk Service
- Onsite IT Support
- Cybersecurity
- Cloud migration and management
- Email migration services
- Backup and disaster recovery
- VoIP phone systems
- IT disposition and recycling
- Office moves
- White label services (IT to IT)
Planning an Office Move?
Contact ITFIRM.COM today! We have the experience to ensure a seamless transition. After the move, your employees will arrive at the new location to find their IT infrastructure ready and open for business!
For more information on office moves, or to receive your FREE no-risk network and Cybersecurity assessment, just fill out the form on this page or call us at:
704-565-9705