Business Email Compromise: Don't Fall Victim—Protect Your Bottom Line
Cloud Services
Businesses rely on email for instant communication and quick decision-making. Hackers can manipulate the email accounts of finance executives and high-level employees. Last year, the FBI received roughly 20,000 BEC allegations. Companies that conduct wire transfers and have suppliers abroad are easy targets for scammers.
Business Email Compromise or Email Account Compromise is a cybercrime in which a scammer tricks a person into sending money or sharing confidential information with them. Account compromises can cause significant financial losses, reaching hundreds of thousands of dollars.
What are the Types of Business Email Compromises
According to Microsoft, 91% of cyberattacks start with emails.
Here are the common types of email account compromise:
Theft of Data
Hackers target the HR division and steal data from their organization, such as a person's schedule or personal phone number. Then, it is simpler to carry out one of the other BEC frauds and enhance its credibility.
False Invoice Fraud
The scammer tricks you by sending a fake bill that appears to be from a reliable provider your business knows. It could only be one digit off on the account number. They might even demand payment from you while stating that your bank is under audit.
CEO Fraud
Employees receive emails from scammers impersonating their CEO. Scammers can manipulate you into believing that your CEO is instructing you to make a purchase or send money via wire transfer.
Impersonating a lawyer
Attackers take control of an email account at a law firm. After that, they send a bill or a payment link to their clients through email. Despite the email address being genuine, the bank account could be fake.
Account compromise
To access the email account of a financial employee, such as an accounts receivable manager, scammers utilize phishing or malware. They send fake invoices through email to their suppliers, asking for payment to a bogus bank account.
What happens before a Business Email Compromise
- Research is the first step in a BEC scam. Hackers will collect information from your website, press releases, and even social media posts.
- The attacker will then attempt to log into the email account of an executive.
- He or she might use inbox rules or change the reply-to address to prevent the executive from being notified and avoid detection.
- Making an email with a fake domain is another trick. "PayPa1.com" was a well-known spoofing domain that impersonated Paypal.com.
- The attacker will understand scams that work after observing your business communications.
- They may find out who handles wire transfers and can make up a believable situation to ask for money.
Who is the target of a BEC scam?
Any person or organization can be the target of a BEC scam.
- Executives and leaders
- Accounting staff
- HR managers
- New or Entry-Level Employees
How to protect your organization from BEC?
- Use apps like Office 365 or Defender for Office 365 as they can:
- Flag suspicious emails
- Block senders and report emails as spam
- Protect from advanced phishing
- Employ MFA and strong passwords
- Simulate a BEC attack to educate employees on:
- Phishing links
- Spoofed domains
- Fake email addresses and cheques
- To make your email secure and hard to spoof, use email authentication tools such as:
- Sender Policy Framework (SPF)
- Domain Keys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Implement a payment authentication system instead of emailed invoices.
Strengthening your Organization Against BEC
Although BEC assaults are less well-known than ransomware or other types of cybercrime, they still pose a real threat to businesses of all kinds.
Your organization can avoid BEC attempts by combining email security solutions with best practices and employee education. Adding extra security with MFA helps prevent unauthorized access and reduces BEC attack risk.
Do you have any questions about the Business Email Compromise? Contact us here.