Business email compromise (BEC) is a harmful new type of cybercrime affecting companies across the world, costing billions of dollars. It’s critical for businesses of all sizes to understand what these attacks are and how to prevent them.
What is Business Email Compromise?
Typical BEC attacks start with criminals obtaining your email credentials through a standard phishing attack, usually by disguising themselves as a trustworthy business, program or person. What happens next, though, is very different from a standard phishing attack.
For a while, the cybercriminals lurk in your inbox, remaining hidden until they have learned how you communicate. Once they can mimic your communication style, they reply within an existing email thread in order to manipulate its outcome. Often that means persuading the person you were corresponding with to take an action such as paying a fraudulent invoice or transferring funds to an illegitimate account.
BEC attacks are a real threat to businesses today. The FBI started tracking attacks in 2013 and advises that:
“Organized crime groups have targeted large and small companies and organizations in every U.S. state and more than 100 countries around the world—from non-profits and well-known corporations to churches and school systems. Losses are in the billions of dollars and climbing.” (FBI.gov)
As business email compromise incidents become more and more prevalent, it’s critical to understand how they happen and what you can do to protect your business from an attack.
Five Ways Business Email Compromise Plays Out
One of the most insidious things about BEC attacks is the sheer number of ways they can affect your business. Here are five of the most common ways that business email compromise takes place.
- Fake invoices: When a business has an established relationship with a supplier, the cybercriminal will redirect an invoice payment to a fraudulent account. We recently saw this attack in action when St. Ambrose Church in Brunswick, Ohio, wired almost $2 million to a fraudulent account thinking they were paying their contractor for renovations.
- C-level fraud: This occurs when a cybercriminal poses as a C-level executive and asks a subordinate to quickly transfer funds due to a time-sensitive or confidential situation such as an acquisition. These requests are often sent at odd times, such as the end of the workday or late at night, to catch employees off guard.
- Regular account compromise: Similar to C-level fraud, except that a hacked employee account is used to send invoice-payment requests to vendors mined from that employee’s contact list.
- Law firm impersonation: A cybercriminal poses as a lawyer or representative of a law firm that needs an urgent matter resolved.
- Data theft: This often targets HR departments and aims at getting personal identifying information of executives or other decision-makers to be used in future business email compromise attacks.
What makes business email compromise attacks so effective is that the messages come directly from trusted, legitimate email accounts, in a tone and voice that is familiar and plausible. They raise few red flags, and once a cybercriminal has your credentials, few technology security solutions can shut the criminal down. Unlike other types of phishing attacks, no malicious links or attachments are involved – just pure psychology at work.
But that doesn’t mean you can’t protect yourself and your business against business email compromise.
Four Steps to Protect Your Company Against Business Email Compromise
As with most types of cyberattacks, the best prevention is preparation. Preventing a business email compromise means educating your team about the dangers and putting processes in place to prevent breaches.
These four steps will dramatically reduce the risk to your business and mitigate the damage of any attack.
- Educate: Get to know the types of threats BEC entails and conduct regular training and random testing for your team. Simply not clicking on the wrong links avoids most cyber incidents, as it prevents cybercriminals from gaining access to your email credentials in the first place.
- Plan: No one expects a cyberattack, but every business will likely face one or more at some point. It’s best to be prepared by building an incident response plan before an attack so your business can recover quickly with minimal impact.
- Monitor: Watch platforms like Microsoft Exchange or Office 365 for signs of possible or attempted breaches.
- Enforce your password policy: Update and enforce your password policy. The National Institute of Standards and Technology (NIST) standard is a good baseline; NIST recommends, for instance, implementing multi-factor authentication and not allowing password hints.
- Control payments: Tighten up your processes and controls for payments and advise customers to do the same. For an added layer of protection, require more than a simple email approval for a change of payment information, for instance.
- Secure your email system: For Microsoft Exchange or Office 365, you have options such as spoofing prevention and restricted access, which controls how data can be accessed.
- Manage devices: Use device and mobile application management to control which devices have access to data based on the conditions you want.
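A worked example of the Monitor step, added here and not taken from the original article: a small Python script that scans constructed JSON-lines audit records (loosely modelled on Exchange/Office 365 inbox-rule events; the field names, the sample data and INTERNAL_DOMAINS are assumptions) for mailbox rules that forward mail outside the company or hide payment-related messages, which is how an intruder "lurking in the inbox" typically keeps the real thread away from its owner.

```python
import json

INTERNAL_DOMAINS = {"example.com"}   # assumption: domains the company owns
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
MONEY_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}

# Constructed sample audit records (not real data), one JSON object per line,
# loosely modelled on Exchange inbox-rule audit events; field names are assumptions.
SAMPLE_LOG = """
{"UserId": "cfo@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;wire"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"UserId": "ap@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "ForwardTo", "Value": "ap.backup@mail-example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"UserId": "hr@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "From", "Value": "news@example.com"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"UserId": "cfo@example.com", "Operation": "MailItemsAccessed", "Parameters": []}
""".strip()

def _is_external(address):
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS

def rule_findings(event):
    """Return the reasons (possibly none) an inbox-rule event looks like BEC persistence."""
    if event.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    findings = []
    # 1. A copy of the user's mail is silently sent outside the company.
    ext = [f"{n}={params[n]}" for n in sorted(FORWARD_PARAMS & set(params)) if _is_external(params[n])]
    if ext:
        findings.append("forwards mail to an external address (" + ", ".join(ext) + ")")
    # 2. Mail about money is moved/deleted/marked read so the owner never sees the real thread.
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hide = sorted(HIDE_PARAMS & set(params))
    if hide and (ext or words & MONEY_WORDS):
        findings.append("hides matching mail from the mailbox owner (" + ", ".join(hide) + ")")
    return findings

def scan(log_text):
    """Parse JSON-lines audit records; return {user: [findings]} for users with suspicious rules."""
    alerts = {}
    for line in log_text.splitlines():
        event = json.loads(line)
        for finding in rule_findings(event):
            alerts.setdefault(event["UserId"], []).append(finding)
    return alerts

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_LOG).items():
        print(f"ALERT {user}: " + "; ".join(reasons))
```

A benign rule (internal sender moved to a folder) produces no alert, while the two rules that forward externally or bury payment-related mail do.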
If you suspect you’ve already been a victim of a business email compromise incident or need help putting a plan in place to avoid disaster, contact us today.