Business Email Compromise: Unmasking Threats to Your Inbox
Cybercriminals recently stole $5.9 million from a public school in Connecticut. How? They gained access to the COO’s email account. From there, the bad actors monitored conversations within the email account and then impersonated the COO to request vendor payments to a fraudulent bank account.
With the help of the FBI, the school was able to recover $3.6 million. That leaves the public school system – including its teachers, staff, and students – $2.3 million short for the school year.
This situation is just one example of business email compromise.
What is Business Email Compromise?
Business email compromise (BEC) is a scam in which cybercriminals send an email from a seemingly legitimate source requesting money or sensitive information. When the target is an individual rather than a business, the same scam is called email account compromise (EAC).
Scammers may spoof an email account or website, send spear-phishing emails, or use malware, all for financial gain.
Examples of Business Email Compromise
BEC can happen in a variety of different ways, so let’s dive into a few examples of how it may look:
- CEO Fraud: An attacker compromises the email account of a CEO or other senior executive and uses that identity to demand wire transfers or confidential data from staff.
- Invoice Fraud: Cybercriminals gain access to an employee’s email account and alter invoices or payment instructions so that funds are routed to accounts they control instead of to legitimate vendors.
- Vendor Impersonation: Attackers impersonate a trusted vendor or supplier’s email account and request changes to payment methods or sensitive information, deceiving the organization into sending money to fraudulent accounts.
- Employee Payroll Diversion: Attackers breach the email account of an HR or finance employee and change payroll details to redirect an employee’s salary to a different bank account.
- Real Estate Scams: BEC attackers target real estate transactions by posing as real estate agents or title companies and divert closing funds to their own accounts.
All BEC scams have one thing in common: they want to steal your money or sensitive information that can help them steal money.
How Can You Defend Against Business Email Compromise?
There are many ways you can protect your business from BEC scams, including the following:
Employee Training
Conduct regular cybersecurity awareness training for employees to educate them about phishing emails, social engineering tactics, and the importance of verifying email requests for sensitive information or transactions.
Enable Multi-Factor Authentication (MFA)
Enable MFA for email and critical systems so that a stolen or guessed password alone is not enough for an attacker to sign in.
Validate Payment Requests
Establish a rigorous verification process for financial transactions and payment requests, including scrutinizing the legitimacy of requests made via email or alterations in payment instructions.
Enforce Robust Password Policies
Implement strict password policies that require regular password changes. Discourage the use of easily guessable passwords while encouraging the use of strong passphrases.
Monitor Account Activity
Continuously monitor email accounts for any suspicious activities such as multiple login attempts or modifications in account settings.
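The two signals named above, a burst of failed sign-ins followed by a success and a change to mailbox settings, can be turned into simple detection rules. The following is an added example and not code from the original article: it assumes an audit log with one JSON record per line, and the field names, the event names (modelled on Exchange Online cmdlet names) and the sample records are all constructed for this example.

```python
"""Account-activity monitoring for two BEC indicators: repeated failed
sign-ins followed by a success, and mailbox-setting changes such as a
new forwarding rule.

Added example, not code from the original article. The log format, field
names and sample records below are constructed; the event names are
modelled on Exchange Online cmdlet names.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a password-guessing run that eventually succeeds,
# followed by a forwarding rule that would silently copy the victim's mail out.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:00:01Z", "user": "coo@example.edu", "event": "SignInFailed", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:00:07Z", "user": "coo@example.edu", "event": "SignInFailed", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:00:15Z", "user": "coo@example.edu", "event": "SignInFailed", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:00:22Z", "user": "coo@example.edu", "event": "SignInFailed", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:00:31Z", "user": "coo@example.edu", "event": "SignInSucceeded", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:02:10Z", "user": "coo@example.edu", "event": "New-InboxRule", "ip": "203.0.113.9", "params": {"ForwardTo": "attacker@example.net", "DeleteMessage": true}}
{"ts": "2024-03-04T09:15:00Z", "user": "teacher@example.edu", "event": "SignInFailed", "ip": "198.51.100.5"}
{"ts": "2024-03-04T09:15:20Z", "user": "teacher@example.edu", "event": "SignInSucceeded", "ip": "198.51.100.5"}
"""

FAILURE_THRESHOLD = 4            # failed attempts within WINDOW before a success
WINDOW = timedelta(minutes=10)
SETTINGS_EVENTS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def parse_log(text):
    """Parse newline-delimited JSON records and convert timestamps to datetimes."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect(events):
    """Return (user, alert_type, source_ip) tuples for suspicious activity."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed sign-ins
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind, now = ev["user"], ev["event"], ev["ts"]
        if kind == "SignInFailed":
            # Keep only failures inside the sliding window, then add this one.
            failures[user] = [t for t in failures[user] if now - t <= WINDOW] + [now]
        elif kind == "SignInSucceeded":
            recent = [t for t in failures[user] if now - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append((user, "success_after_repeated_failures", ev["ip"]))
            failures[user].clear()
        elif kind in SETTINGS_EVENTS:
            params = ev.get("params", {})
            # Forwarding or auto-delete rules are how an intruder hides the
            # hijacked conversation from the mailbox owner.
            hides_mail = any(k.lower().startswith("forward") for k in params) or params.get("DeleteMessage")
            alerts.append((user, "suspicious_inbox_rule" if hides_mail else "settings_change", ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample log, the rules flag the COO account twice (the success after four failures, then the forwarding rule) and stay quiet for the teacher, whose single failed attempt is normal. In practice the thresholds and the list of settings events are tuned to the provider's actual audit schema.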
Implement Strict Access Controls
Restrict access to sensitive systems and data, granting privileges only to employees whose roles require them.
Prepare for Incidents
Develop a comprehensive incident response plan that is regularly tested to ensure swift and effective responses in case of a BEC attack. Clearly define roles and responsibilities within the incident response team.
Verify Vendor Identities
Thoroughly verify the identities of vendors or suppliers before engaging in any business transactions.
Safeguard Email Communication
Use encryption and secure email gateways to protect sensitive data in transit so that unauthorized individuals cannot read confidential information.
Strengthen Email Defense and Verification
Employ email filtering solutions, like Verve IT’s Spam Protection, to detect and block phishing emails. Implement the email authentication protocols SPF, DKIM, and DMARC to prevent email spoofing.
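SPF and DKIM each authenticate a domain, and DMARC ties that result to the visible From address and tells the receiver what to do when the check fails. The following is an added example, not code from the article or from Verve IT: it assumes the receiving gateway has already done the DNS lookups and recorded them in an RFC 8601 Authentication-Results header, the DMARC_POLICIES table stands in for the _dmarc.<domain> TXT lookup, the org_domain helper is a simplification of the real Public Suffix List logic, and all three messages are constructed.

```python
"""Acting on SPF, DKIM and DMARC results for an inbound message.

Added example, not code from the article or from Verve IT. It assumes the
gateway has already performed the DNS checks and recorded them in an
Authentication-Results header (RFC 8601); the messages are constructed, and
the DMARC_POLICIES table stands in for the _dmarc.<domain> TXT lookup.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: the published DMARC record per domain.
DMARC_POLICIES = {
    "example.edu": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "vendor.example": "v=DMARC1; p=quarantine",
}


def parse_dmarc_record(record):
    """Extract policy (p) and alignment modes (adkim/aspf; default relaxed)."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def parse_auth_results(header):
    """Return {'spf': (result, domain), 'dkim': (result, domain)} from the header."""
    text = " ".join(header.split())          # undo header folding
    out = {}
    m = re.search(r"spf=(\w+)(?:.*?smtp\.mailfrom=([^\s;]+))?", text)
    if m:
        out["spf"] = (m.group(1), (m.group(2) or "").split("@")[-1])
    m = re.search(r"dkim=(\w+)(?:.*?header\.d=([^\s;]+))?", text)
    if m:
        out["dkim"] = (m.group(1), m.group(2) or "")
    return out


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC alignment: the authenticated domain must match the visible From domain."""
    if not auth_domain:
        return False
    if mode == "s":                           # strict: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)   # relaxed


def evaluate(raw_message):
    """Return 'deliver', 'deliver-flagged', 'quarantine' or 'reject'."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    policy = parse_dmarc_record(DMARC_POLICIES.get(from_domain, "v=DMARC1; p=none"))
    spf_res, spf_dom = results.get("spf", ("none", ""))
    dkim_res, dkim_dom = results.get("dkim", ("none", ""))
    # DMARC passes if either mechanism passes AND its domain aligns with From.
    if (spf_res == "pass" and aligned(spf_dom, from_domain, policy["aspf"])) or \
       (dkim_res == "pass" and aligned(dkim_dom, from_domain, policy["adkim"])):
        return "deliver"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "deliver-flagged")


# Constructed messages: genuine, From-header spoof with an unrelated SPF pass,
# and a vendor-domain spoof that fails both checks.
LEGITIMATE = """\
From: "COO" <coo@example.edu>
To: finance@example.edu
Subject: Invoice approval
Authentication-Results: mx.example.edu;
 spf=pass smtp.mailfrom=coo@example.edu;
 dkim=pass header.d=example.edu

Please process the attached invoice.
"""

SPOOFED_FROM = """\
From: "COO" <coo@example.edu>
To: finance@example.edu
Subject: Urgent: updated vendor bank details
Authentication-Results: mx.example.edu;
 spf=pass smtp.mailfrom=bounce@attacker.example;
 dkim=none

Please wire today's payment to the new account below.
"""

SPOOFED_VENDOR = """\
From: billing@vendor.example
To: finance@example.edu
Subject: Remittance change
Authentication-Results: mx.example.edu; spf=fail; dkim=fail

Our bank account has changed.
"""


def run_samples():
    """Evaluate the three constructed messages."""
    return {name: evaluate(raw) for name, raw in
            [("legitimate", LEGITIMATE), ("spoofed_from", SPOOFED_FROM), ("spoofed_vendor", SPOOFED_VENDOR)]}
```

The second message is the instructive one: SPF passes, but for the attacker's own bounce domain, so it does not align with the spoofed From address and the domain owner's p=reject policy applies. Without the alignment step a plain "SPF passed" verdict would have let it through.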
Stay Vigilant to Defend Against Business Email Compromise
Organizations must regularly update their security measures and educate employees about the risks of BEC and similar cyberattacks.
If you want help protecting your business from BEC and other threats, consider our Managed IT services, which include Spam Protection, other cybersecurity measures, and more.