
How To Fight the Rise in Business Email Compromise


Email continues to play a key role in our personal and working lives. However, as the digital world evolves, so too have cyber threats. In the realm of email, Business Email Compromise (BEC) is one of the key routes that cyber criminals use to exploit people and businesses for personal gain.  

BEC deserves attention because these attacks have been on the rise. BEC attacks jumped 81% in 2022, and as many as 98% of employees fail to report the threat. BEC includes phishing, which is one of the most common and successful forms of cyber attack used against businesses.  

 

What is Business Email Compromise (BEC)? 

BEC is a type of scam where criminals use email fraud to target victims to undertake an action. The target could be an individual or a business.  

The scammer will try to pose as an authoritative figure to create a false sense of trust and urgency. For example, they may pretend to be an executive or another business. Scammers try to send emails to employees, customers or vendors in order to exploit them into giving sensitive information or to make a payment.   

According to the FBI, BEC scams cost businesses around $1.8 billion in 2020. This figure increased to $2.4 billion in 2021. These scams have the potential to cause severe financial damage to businesses and can harm their reputations greatly.  

 

How Does BEC Work? 

BEC attacks are undertaken in many forms, ranging from rudimentary emails to more sophisticated and convincing attacks. A sophisticated attacker will firstly research the target organization and its employees, which will enable them to craft an attack that stands a chance of success.  

Scammers will begin to collect intelligence via free online sources, such as LinkedIn, the websites of organizations, and Facebook. Once an attacker has enough information, they can create a convincing email that will try to impersonate an authoritative figure to the recipient.  

If the email makes it into the recipient’s inbox, they will open it to find an urgent request, such as to give certain details or to click on a link. These attacks often use social engineering techniques to create a false sense of trust. This could be a convincing email address or a website that successfully mimics the website of the impersonated person’s company.  

If the recipient falls for the scam and takes the requested action, then it is likely there will be a compromise of sensitive information and/or a loss of funds.  

 

How to Fight Business Email Compromise 

BEC scams can be challenging to prevent. However, there are measures that businesses and individuals can take to minimize the risk of falling victim to them.

Educate Employees 

Organizations should educate their employees about the risks of BEC through user awareness training that teaches them to identify and avoid these scams. Employees should be aware of the tactics used by scammers, for example urgent requests, social engineering, and fake websites. 

Training should educate users about ensuring email account security, including: 

  • Checking the sent folder regularly for any strange messages 
  • Using a strong email password with at least 20 characters, including capital letters and special characters 
  • Ensuring that users lock their computer when it is not in use, and that they log out of webpages that use their username and password for verification 
  • Changing their password whenever a breach is suspected 
  • Storing their email password in a secure, encrypted manner, such as a password manager. Do not store passwords in Word documents or Excel spreadsheets  
  • Ensuring that all passwords are unique and are not shared with any other websites or people 
  • Enabling Multi-Factor Authentication for every login  
  • Notifying an IT contact if they feel that an email is suspicious 

Enable Email Authentication 

Organizations should implement email authentication protocols.  

This includes: 

  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) 
  • Sender Policy Framework (SPF) 
  • DomainKeys Identified Mail (DKIM) 

These protocols help receiving mail servers verify that a message really comes from the domain in its sender address, which makes spoofed addresses harder to pass off and reduces the risk of email spam. A further benefit is that fewer spam messages land in your inbox. 

 

Deploy a Payment Verification Process 

A payment verification process provides a final safeguard in the case where a user has fallen for a scam. Payment verification can include two-factor authentication and, in particular, confirmation by multiple parties.  

This helps to ensure that all wire transfer requests are legitimate. It’s always better to have more than one person verify a financial payment request. By designating a secondary person to review transactions before payments are processed, you can help to cut down the chances of fraud.

 

Check Financial Transactions 

Organizations should check all financial transactions regularly to look for irregularities, such as unexpected wire transfers or changes in payment instructions. Putting these checks on a schedule ensures they are carried out regularly and that someone is accountable for reviewing the results. 

 

Establish a Response Plan 

An incident response plan for BEC incidents provides a plan of action in the case where these attacks are successful. This can include how to report the incident, measures for freezing or recalling the transfer, and a process for notifying legal authorities. 

 

Use Anti-phishing Software 

Businesses can use cyber security tools like anti-phishing software to detect and block fraudulent emails. As AI and machine learning gain widespread use, these tools will become more effective at detecting phishing emails.  

 

Tier3 IT Edmonton: Accelerating AI Transformation for Local Businesses

Tier3 IT is your go-to for expert IT support and AI strategy in Edmonton’s dynamic business landscape. We provide local businesses with essential cybersecurity and strategic insights to harness AI effectively and ethically.

Our focus is on ethical AI use, continuous learning, and stringent security, enabling Edmonton businesses to unlock efficiency and innovation. We’re dedicated to transforming technology into measurable outcomes for your company. Experience a transformative, no-obligation chat with our President, Jesse, offering fun, insightful guidance on aligning technology with your business objectives.

Choose Tier3 IT Edmonton to spearhead your AI journey, securing your position at the forefront of Edmonton’s technological evolution.


Hi, I'm Jesse and I look forward to speaking with you.

An IT Support partner that you can trust.

I’m proud of the team we’ve assembled and the service they provide to our clients.  It’s because of them that we’re able to make a positive impact in our clients’ businesses and the communities we serve.

Our clients run businesses that depend on technology to operate but don’t have the expertise in-house to manage all the aspects of their Information Technology.  Our unique service delivery model is focused on a business first approach whereby we seek to understand what you’re trying to achieve, and how technology can help you move closer to those goals.  I’d love to connect with you to talk about how we might be able to help you improve the Stability, Security, Strategy, and Supportability of your network.