Cybercriminals are very aware of how valuable confidential company data is, and as a result, they’re constantly coming up with new ways to attack businesses of all sizes. This could take the form of malware, distributed denial-of-service (DDoS) attacks, and zero-day exploits. Another type of threat is becoming more prevalent these days: business email compromise (BEC).
What is BEC?
BEC is a type of cyberattack in which the attacker impersonates a trusted party, most often one of a company's senior executives but also a supplier or lawyer, to trick employees, clients, and vendors into wiring money to accounts the attacker controls or handing over sensitive data. The email itself usually carries no malware; the weapon is a convincing request from what looks like a legitimate sender.
According to the FBI’s Internet Crime Complaint Center (IC3), BEC scams continue to grow every year, with a 100% increase in identified global exposed losses between May 2018 and July 2019. The IC3 reported 166,349 incidents worldwide between June 2016 and July 2019, amounting to a total exposed dollar loss of over $26 billion (an "exposed" loss counts both money actually lost and attempted transfers that were stopped).
How does it work?
A BEC scheme starts with extensive research. First, a hacker will sift through publicly available information about your company from your website, press releases, and social media accounts. They might also look for the names and official titles of company executives and your corporate hierarchy.
Attackers will then attempt to gain access to an executive’s email account, typically by phishing for their login credentials. Once in, they often create inbox rules that forward copies of mail to an outside address, delete messages that match words such as "invoice" or "wire", or move replies into a rarely viewed folder, so the legitimate account owner never sees the fraudulent correspondence and is not alerted that anything is wrong. Because these rules are written to the mailbox audit log when they are created, reviewing new inbox rules is one of the few reliable ways to catch a compromise early.
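The inbox-rule check described above, as an added example that is not code from the original article or from Binatech. It scores a handful of constructed mailbox audit records (the field names are a simplified approximation of Exchange Online `New-InboxRule` and `Set-Mailbox` audit entries and are assumptions, not a vendor schema) and flags rules that forward to external addresses, delete matching mail, or hide it in folders users rarely open. The internal domain list and the sample records are made up for the example.

```python
"""Flag suspicious inbox-rule and forwarding changes in mailbox audit records.

Added example, not from the original article. The record shape below is a
simplified, constructed approximation of Exchange/M365 unified audit log
entries; field names are assumptions, not a vendor schema.
"""
import json

# Domains the organization owns (assumption for the example).
INTERNAL_DOMAINS = {"xyzfirm.com"}

# Folders attackers commonly use to hide mail from the mailbox owner.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}

# Keywords that suggest a rule is filtering for payment-related mail.
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "account",
                 "transfer", "remit", "swift", "iban"}

# Constructed sample audit records (not real log data).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ceo@xyzfirm.com", "ClientIP": "203.0.113.7",
     "Parameters": {"Name": ".", "SubjectContainsWords": ["invoice", "payment", "wire"],
                    "ForwardTo": "billing.xyzfirm@gmail.com", "DeleteMessage": True,
                    "MarkAsRead": True}},
    {"Operation": "New-InboxRule", "UserId": "cfo@xyzfirm.com", "ClientIP": "198.51.100.23",
     "Parameters": {"Name": "cleanup", "BodyContainsWords": ["bank", "account"],
                    "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"Operation": "New-InboxRule", "UserId": "alice@xyzfirm.com", "ClientIP": "10.0.0.5",
     "Parameters": {"Name": "Newsletters", "FromAddressContainsWords": ["newsletter"],
                    "MoveToFolder": "Newsletters"}},
    {"Operation": "Set-Mailbox", "UserId": "bob@xyzfirm.com", "ClientIP": "10.0.0.9",
     "Parameters": {"ForwardingSmtpAddress": "smtp:bob.xyzfirm@outlook.com"}},
]


def is_external(address):
    """True if the address's domain is not one of ours. Accepts the 'smtp:' prefix
    that mailbox-level forwarding settings use."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    domain = addr.rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def score_record(record):
    """Return (score, reasons) for one audit record. Higher is more suspicious."""
    op = record.get("Operation")
    p = record.get("Parameters", {})
    score, reasons = 0, []
    if op in ("New-InboxRule", "Set-InboxRule"):
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = p.get(key)
            if target and is_external(target):
                score += 3
                reasons.append(f"{key} to external address {target}")
        if p.get("DeleteMessage"):
            score += 2
            reasons.append("rule deletes matching messages")
        folder = str(p.get("MoveToFolder", "")).lower()
        if folder in HIDING_FOLDERS:
            score += 2
            reasons.append(f"moves matches to rarely viewed folder '{folder}'")
        words = set()
        for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
            words.update(str(w).lower() for w in p.get(key, []))
        if words & FINANCE_WORDS:
            score += 1
            reasons.append(f"filters on payment keywords {sorted(words & FINANCE_WORDS)}")
        if not p.get("Name", "").strip(".,;- "):
            score += 1
            reasons.append("rule name is blank or punctuation only")
    elif op == "Set-Mailbox":
        target = p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")
        if target and is_external(target):
            score += 3
            reasons.append(f"mailbox-level forwarding to external address {target}")
    return score, reasons


def find_suspicious_rules(records, threshold=3):
    """Return the records that score at or above the threshold, in input order."""
    hits = []
    for r in records:
        score, reasons = score_record(r)
        if score >= threshold:
            hits.append({"user": r.get("UserId"), "ip": r.get("ClientIP"),
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

Run against the samples, the CEO's rule scores highest (external forward, delete, payment keywords and a blank name), the CFO's "RSS Subscriptions" rule and Bob's mailbox-level forward to a personal address also cross the threshold, and Alice's newsletter rule does not. In production the records would come from the tenant's audit log export rather than an inline list, and a hit should trigger a look at the source IP and recent sign-ins for that user.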
Cybercriminals can also spoof or imitate the sender. Strict domain spoofing means forging the From header so a message appears to come from your real domain; a mail system that enforces SPF, DKIM, and DMARC for your domain can reject much of this. The more common trick is a look-alike domain: the attacker registers an address that differs from the genuine one by a single character, a swapped letter pair, an extra hyphen, or a different top-level domain (for example xyzfirm.co or xyz-firm.com in place of xyzfirm.com), or hides the real company name inside a longer domain such as xyzfirm.com.some-other-host.net. The difference can be very hard to detect, especially for people who aren’t trained to spot these tricks, and no amount of DMARC enforcement on your own domain helps, because the attacker controls the look-alike domain and can authenticate it perfectly.
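One way to give employees (or a mail gateway) the "double-check the sender's address" check recommended under the protections below, as an added example that is not code from the original article or from Binatech. It classifies a sender's domain against a small constructed allowlist of known-good domains and reports why a domain looks like an imitation: an accented or homoglyph-substituted character, the company name under a different suffix, a domain within a couple of edits of the real one, or the company name embedded in a longer domain. The allowlist, the homoglyph table, and the test addresses are assumptions for the example.

```python
"""Classify a sender's domain as known, look-alike, or unknown.

Added example, not from the original article. KNOWN_DOMAINS and the
homoglyph table are constructed for illustration.
"""
import unicodedata

# Domains we actually correspond with (assumption for the example).
KNOWN_DOMAINS = {"xyzfirm.com", "acme-supplies.co.uk"}

# Character sequences attackers substitute for each other. Deliberately small;
# a real table would be longer and will occasionally over-match (e.g. "rn" -> "m").
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "cl": "d"}


def normalize(label):
    """Casefold, strip accents via NFKD decomposition, then fold common homoglyphs."""
    s = unicodedata.normalize("NFKD", label.casefold())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, known_domains=KNOWN_DOMAINS):
    """Return (verdict, reason) with verdict in {'known', 'lookalike', 'unknown'}."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # Internationalized domains arrive as punycode (xn--...); decode so the
    # accent-stripping in normalize() can see the real characters.
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as-is

    # Exact match or a subdomain of a known domain is genuine.
    for known in known_domains:
        if domain == known or domain.endswith("." + known):
            return "known", f"matches {known}"

    labels = [normalize(l) for l in domain.split(".")]
    norm_domain = ".".join(labels)
    for known in known_domains:
        brand = normalize(known.split(".")[0])  # the company-name label
        if norm_domain == normalize(known):
            return "lookalike", f"homoglyph or accent variant of {known}"
        if brand in labels:
            return "lookalike", f"uses the {known} name under a different suffix"
        if levenshtein(norm_domain, known) <= 2:
            return "lookalike", f"within two edits of {known}"
        if len(brand) >= 5 and any(brand in l.replace("-", "") for l in labels[:-1]):
            return "lookalike", f"embeds the {known} name"
    return "unknown", "not a known or look-alike domain"


if __name__ == "__main__":
    # Constructed test addresses (not real senders).
    for addr in ["john.doe@xyzfirm.com", "john.doe@xyzfirrn.com", "john.doe@xyzfïrm.com",
                 "john.doe@xyzfirm.co", "john.doe@xyz-firm.com",
                 "john.doe@xyzfirm.com.evil-host.net", "ap@acme-supplies.com",
                 "someone@gmail.com"]:
        print(addr, "->", classify_sender(addr))
```

The verdict "unknown" is not a pass: a free webmail address claiming to be your CEO is exactly the CEO-fraud case below, so a gateway would typically warn on any external sender whose display name matches an internal employee regardless of what this check returns. Keep the edit-distance threshold tied to domain length in real use; two edits is generous for very short names.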
What are its types?
According to the FBI, there are five types of BEC scams that hackers use:
#1. Bogus invoice
This scam usually affects companies with foreign suppliers. The attacker poses as a supplier and requests that payment for a product or service be sent to a new bank account, which the attacker controls.
#2. CEO fraud
This is where the attacker poses as the CEO or another executive to pressure employees into transferring money to an account the attacker controls, often with a note that the matter is urgent and confidential so the employee will not ask colleagues.
#3. Account compromise
This scheme involves compromising an employee’s real email account and using it to request payments from vendors in their contact list. Because the mail comes from the genuine account, sender checks will not flag it; only the unusual request (a new bank account, a rushed deadline) gives it away.
#4. Attorney impersonation
In this scam, attackers pretend to be a lawyer or someone handling important legal matters for the company. Usually by email or phone, they tell an employee that they are involved in a sensitive case and instruct them how to deal with it, which can involve wiring money or sending confidential company information, with the supposed legal privilege used as a reason not to discuss it with anyone else.
#5. Data theft
Employees in human resources (HR) and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. The data obtained is used to commit tax fraud or to make later attacks, including further BEC attempts, more convincing.
How can I protect my business from BEC?
Unlike traditional phishing emails, which carry malicious links or attachments, a BEC message usually contains nothing for antivirus software or spam filters to detect: it is a plain-text request that relies on the trust employees place in their organization’s contacts. Sender allowlisting does not help either when the message comes from a genuinely compromised account.
However, you can educate employees and deploy internal prevention techniques, especially for executives, finance staff, and other employees who are most likely to receive these requests. Here are some ways you can protect your business from email compromise:
#1. Avoid free web-based email accounts
Using free web-based accounts for business mail means you do not control the domain: you cannot enforce sign-in policies, review audit logs, or publish authentication records for it, and an attacker can register a nearly identical free address in minutes. Establish a company domain name and use it to create corporate email addresses that you administer.
#2. Double-check the sender’s email address
Train your employees to spot email addresses that pretend to be from your organization or your company’s contacts. Show them real and spoofed versions side by side so the next time they receive a suspicious-looking email, they will know how to respond. You can also defensively register domain names similar to your company’s (common misspellings and alternative top-level domains) so that attackers cannot use them for look-alike addresses.
#3. Use multifactor authentication (MFA)
This technology requires at least one verification method in addition to a password, such as a one-time code sent to a smartphone, a mobile app security prompt, or a fingerprint. Enabling MFA makes it harder for cybercriminals to take over an account because even if they acquire a user’s login credentials, they still cannot log in without completing the additional step. Two caveats: one-time codes can still be captured by a phishing page that relays them in real time, so app prompts or hardware security keys are the stronger choice; and MFA does nothing against messages sent from a look-alike domain, since no account of yours is involved.
#4. Always verify before sending money or data
Make it a standard practice to verify any request to transfer money, change a vendor’s bank account details, or send sensitive data. Confirm face to face or by phone using a number you already had on file, never the one provided in the possibly fraudulent email, and treat urgency or requests for secrecy as a reason to verify more carefully, not less.
Don’t let your business email accounts fall into the wrong hands. Binatech’s managed IT services make it easy and stress-free for you to monitor your company’s email accounts and prevent cybercriminals from infiltrating them for financial gain. Interested? Call us today.