You get an email one afternoon from the CEO of the company you work for telling you that he’s in the process of finalizing a top-secret acquisition and needs you to wire funds ASAP to close the deal. How do you respond?
If you think this scenario seems suspect, you have good instincts. It has all the hallmarks of a business email compromise (BEC) attack: a type of phishing scheme in which attackers take over or spoof corporate email accounts and try to trick victims (often employees or clients of the person being impersonated) into disclosing sensitive information or sending money, as described in the Infosec Institute article 5 real-world examples of business email compromise. The two variants matter for defense: a spoofed message only looks like it came from the executive, while a compromised account really did, so controls that stop one do not necessarily stop the other.
BEC and the closely related email account compromise (EAC) cost victims more than any other type of cybercrime, according to the 2020 Internet Crime Report from the FBI's Internet Crime Complaint Center (IC3). In 2020, the IC3 received 19,369 complaints about BEC/EAC attacks, with adjusted losses of over $1.8 billion.
Preventing Business Email Compromise Attacks
Given how expensive a single business email compromise incident can be, it is worth taking steps now to keep attackers from using this tactic to defraud your business. The following measures each close off part of the attack, and they work best in combination.
1. Know how BEC scams have evolved. While BEC scams used to typically involve an attacker spoofing or taking over the email account of a CEO or CFO and asking for wire payments, they have broadened over the years, according to the 2020 Internet Crime Report. Cybercriminals now also pose as vendors or lawyers and ask for gift cards, changes to bank account details, or employee W-2 tax information, so any process that only watches for executive wire requests misses a large share of attempts.
2. Require multi-factor authentication (MFA) on every company email account. Having MFA in place is a must if you have not already deployed it. MFA (usually deployed as two-factor authentication) adds a second proof of identity on top of the password, so a password that has been phished or leaked is no longer enough on its own to take over a team member's mailbox, according to the CSO article 14 tips to prevent business email compromise. Prefer an authenticator app or hardware security key over SMS codes where you can. Keep in mind that MFA only protects the login: it does nothing against a spoofed sender on an inbound message, which is why the remaining steps still matter.
3. Add banners or flags to external emails. Alert recipients, in the subject line or the body, with a warning banner on any message that comes from a sender outside your organization, as advised by the Center for Internet Security (CIS). A message that claims to be from your CEO but carries the external banner is an immediate tell. You can usually achieve this with transport (mail flow) rules for inbound messages on your mail server or cloud email service.
4. Install an email filtering solution. With email or spam filtering in place, you can stop messages that show common characteristics of phishing, or that come from suspicious IP addresses, from reaching your staff members' inboxes, according to the CIS. Filters that also verify sender authentication records (SPF, DKIM and DMARC) can reject messages that forge your own domain, which removes the easiest form of spoofing.
5. Establish a formal process for financial transactions that involves verification in person or by phone. The IC3 advises creating a workflow in which every payment request, and every change to a vendor's payment details, is confirmed in person or by calling a phone number already on file, never a number supplied in the email itself.
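The following script is an added example, not code from the original article or from any product it cites. It shows in one place what the external-banner and filtering steps above do to an inbound message: it parses the headers, prepends an [EXTERNAL] tag to the subject when the sender is outside the organization, and flags the BEC indicators a filter would weigh (an executive's display name on an outside address, a Reply-To that points elsewhere, a lookalike domain, and payment language from an external sender). ORG_DOMAINS, EXECUTIVES, PAYMENT_WORDS, the lookalike threshold and both sample messages are constructed for the demo; a real deployment would load the first two from its directory.

```python
"""Added example, not code from the original article: a minimal inbound
screen that (a) tags messages from outside the organization with an
[EXTERNAL] subject banner and (b) flags common BEC indicators so a
filter can quarantine or warn.

ORG_DOMAINS, EXECUTIVES, PAYMENT_WORDS, the lookalike threshold and both
sample messages are constructed for this demo.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}                        # assumption: our own domains
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumption: display name -> real address
PAYMENT_WORDS = ("wire", "gift card", "w-2", "invoice", "urgent")
BANNER = "[EXTERNAL] "
LOOKALIKE_THRESHOLD = 0.85                           # assumption: tuned for this demo


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_lookalike(domain: str) -> bool:
    """True when a foreign domain is nearly identical to one of ours (e.g. exarnple.com)."""
    return any(
        domain != ours
        and SequenceMatcher(None, domain, ours).ratio() >= LOOKALIKE_THRESHOLD
        for ours in ORG_DOMAINS
    )


def screen_message(raw: str) -> dict:
    """Parse an RFC 5322 message; return the banner-tagged subject and the findings."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    from_domain = domain_of(from_addr)
    external = from_domain not in ORG_DOMAINS
    findings = []

    # (a) external banner: what the transport rule in step 3 does, done in code
    if external and not subject.startswith(BANNER):
        subject = BANNER + subject

    # (b) BEC indicators, each independent so a filter can weigh them separately
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' impersonates {expected}")
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")
    if external and is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like one of ours")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [w for w in PAYMENT_WORDS if w in (subject + " " + body).lower()]
    if external and hits:
        findings.append(f"external request mentioning {', '.join(hits)}")

    return {"external": external, "subject": subject, "findings": findings}


# Constructed sample messages for the demo: one textbook BEC lure, one benign internal note.
SUSPECT = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: ceo.private@freemail.test
To: alice@example.com
Subject: Confidential acquisition - wire today
Content-Type: text/plain

Alice, please wire $48,000 to close the deal before 5pm. Keep this between us.
"""

INTERNAL = """\
From: Bob Smith <bob@example.com>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Want to grab lunch Thursday?
"""

if __name__ == "__main__":
    for raw in (SUSPECT, INTERNAL):
        result = screen_message(raw)
        print(result["subject"])
        for finding in result["findings"]:
            print("  -", finding)
```

Each finding is reported independently rather than folded into a single score because the right response differs: a lookalike domain or an impersonated executive name justifies quarantine outright, while payment language from a legitimate external vendor might only warrant the banner plus a warning. Display-name matching is deliberately exact on the normalized name; a production filter would also catch variants such as "Jane D." or the name with extra whitespace.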
6. Disable legacy authentication. Older clients that sign in over IMAP, POP3 and SMTP with only a username and password (basic authentication) cannot prompt for a second factor, so a phished password is enough to log in and the MFA you deployed in step 2 is bypassed, as CSO notes. Turn off basic authentication for these protocols, or disable the protocols entirely, on every account that does not need them.
7. Block automatic forwarding to external email addresses. Auto-forwarding is a common part of many BEC scams, according to the IC3. After taking over an account, attackers often create an inbox rule that forwards any message containing financial information to an address they control, and frequently delete the original so the mailbox owner never sees it. Block external auto-forwarding at the tenant or server level, and periodically audit existing inbox rules for forwards that slipped through before the block was in place.
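The audit in step 7 is the part that does not come for free with a tenant-wide block, so the script below, an added example and not code from the original article or from any mail platform, walks a list of inbox rules, keeps those that forward outside the organization, and ranks them by the traits of a post-compromise rule: enabled, triggered by finance keywords, deleting the original, and given a near-empty name to hide it in the rule list. RULES is a constructed sample, and its field names (mailbox, name, enabled, forward_to, conditions, delete_message), the severity weights, ORG_DOMAINS and FINANCE_TERMS are all assumptions standing in for whatever your platform's rule export actually provides.

```python
"""Added example, not code from the original article: audit mailbox inbox
rules for the auto-forwarding pattern BEC actors set up after an account
takeover, and rank the hits so the worst ones are investigated first.

RULES is a constructed sample. Its field names, the severity weights,
ORG_DOMAINS and FINANCE_TERMS are assumptions for this demo.
"""
from typing import Optional

ORG_DOMAINS = {"example.com"}                         # assumption: our own domains
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "w-2")

RULES = [
    {   # legitimate: forwards inside the organization, so it should not be reported
        "mailbox": "alice@example.com", "name": "Archive vendor mail", "enabled": True,
        "forward_to": ["ap-archive@example.com"],
        "conditions": {"subject_contains": ["invoice"]}, "delete_message": False,
    },
    {   # textbook post-compromise rule: hidden name, finance filter, external target, covers tracks
        "mailbox": "bob@example.com", "name": ".", "enabled": True,
        "forward_to": ["bob.backup@freemail.test"],
        "conditions": {"body_contains": ["invoice", "wire", "payment"]}, "delete_message": True,
    },
    {   # external but disabled: worth a look, lower priority
        "mailbox": "carol@example.com", "name": "Old home forward", "enabled": False,
        "forward_to": ["carol@freemail.test"], "conditions": {}, "delete_message": False,
    },
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def audit_rule(rule: dict, org_domains=ORG_DOMAINS) -> Optional[dict]:
    """Return a finding for a rule that forwards outside org_domains, else None."""
    external = [a for a in rule["forward_to"] if domain_of(a) not in org_domains]
    if not external:
        return None
    reasons = [f"forwards to external address(es): {', '.join(external)}"]
    severity = 1
    if rule["enabled"]:
        severity += 1
    else:
        reasons.append("rule is currently disabled")
    # any condition keyword that selects financial mail raises the priority
    terms = {t.lower() for values in rule["conditions"].values() for t in values}
    matched = sorted(terms & set(FINANCE_TERMS))
    if matched:
        severity += 1
        reasons.append(f"triggers on finance terms: {', '.join(matched)}")
    if rule["delete_message"]:
        severity += 1
        reasons.append("deletes the original, hiding the forward from the mailbox owner")
    if len(rule["name"].strip()) <= 1:
        severity += 1
        reasons.append(f"near-empty rule name {rule['name']!r}, a common way to hide a rule")
    return {"mailbox": rule["mailbox"], "name": rule["name"],
            "severity": severity, "reasons": reasons}


def audit_rules(rules=RULES) -> list:
    """Audit every rule and return the findings, highest severity first."""
    findings = [f for f in (audit_rule(r) for r in rules) if f]
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


if __name__ == "__main__":
    for f in audit_rules():
        print(f"[{f['severity']}] {f['mailbox']} rule {f['name']!r}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Disabled external forwards are still reported, at the lowest severity, because an attacker who loses access can leave a dormant rule behind to re-enable later, and because the rule's existence is itself evidence worth preserving if the mailbox turns out to have been compromised.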
Avoiding BEC Headaches
Ultimately, business email compromise schemes are common and incredibly costly. It makes sense to invest in preventive measures and avoid the huge headache (financial and otherwise) that’s in store for your organization if one of your staff members falls for a fraudulent message. If you have any questions about how to prevent business email compromise, our security team is available to assist you.