Email has become an essential part of daily life, and one of its most common uses is conducting business transactions. Our growing dependence on digital technology has been matched by growth in cybercrime. A major cyber threat facing businesses today is Business Email Compromise (BEC), and it is becoming more frequent: BEC attacks jumped 81% in 2022, and as many as 98% of employees fail to report the threat.
What is Business Email Compromise (BEC)?
BEC is a type of scam in which criminals use fraudulent email to exploit victims, especially employees who perform wire transfer payments. The scammer pretends to be a high-level executive or business partner, either by sending from a spoofed or lookalike address or by sending from a legitimate account the attacker has taken over (the "compromise" in the name), and asks employees, customers, or vendors to make a payment, transfer funds, or send sensitive information. According to the FBI, BEC scams cost businesses around $1.8 billion in 2020. That figure increased to $2.4 billion in 2021. These scams can cause severe financial damage to businesses and individuals and harm their reputations.
How Does BEC Work?
BEC attacks are usually well-crafted and sophisticated, which makes them difficult to identify. The attacker first researches the target organization and its employees and learns about the company's operations, suppliers, customers, and business partners. Much of this information is freely available online on sites like LinkedIn and Facebook and on organizations' own websites. Once the attacker has enough information, they craft a convincing email designed to appear to come from a high-level executive or a business partner, typically using a spoofed display name or a lookalike domain that differs from the real one by a character or two. The email asks the recipient to make a payment or transfer funds, usually framing the request as urgent and confidential, such as a new business opportunity, a vendor payment, or a foreign tax payment. The sense of urgency is deliberate: it pushes the recipient to act before they have time to check whether the email is legitimate. The attacker may also use other social engineering tactics, such as posing as a trusted contact or creating a fake website that mimics the company's site, to make the email seem more legitimate. If the recipient falls for the scam and makes the payment, the attacker makes off with the funds.
How to Fight Business Email Compromise
BEC scams can be challenging to identify and prevent, but there are measures businesses and individuals can take to reduce the risk of falling victim to them.
Educate Employees
Organizations need to educate their employees about the risks of BEC and provide training on how to identify and avoid these scams. Employees need to be aware of the tactics used by scammers, such as urgent requests, social engineering, and fake websites. Training should also include education about email account security, including:
- Checking their sent folder regularly for messages they don't recognize, and checking their inbox rules for forwarding or auto-delete rules they did not create (attackers who take over a mailbox often add these to hide their activity)
- Using a strong, unique email password with at least 12 characters and a mix of upper and lower case letters and numbers, and enabling multi-factor authentication on the account
- Never reusing the email password on other sites, and changing it immediately if they suspect it has been exposed
- Storing their email password securely, for example in a password manager
- Notifying an IT contact if they suspect a phishing email
Enable Email Authentication
Organizations should implement email authentication protocols, including:
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
SPF lists which servers may send mail for your domain, DKIM signs outgoing messages so receivers can verify they were not altered, and DMARC ties the two to the visible From address and tells receiving servers what to do with mail that fails (monitor, quarantine, or reject). Together they make it much harder to spoof your domain and help keep your legitimate email out of junk mail folders. Note what they do not do: they protect your own domain, but they do not stop mail sent from a lookalike domain the attacker registered or from a legitimate account the attacker has compromised, so they complement rather than replace the other measures below. A DMARC policy of p=none only reports on failures and still lets spoofed mail through; move to p=quarantine or p=reject once your legitimate senders all pass.
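The following added example (not code from the original article) shows how a receiving side evaluates these protocols on a message: it reads the Authentication-Results header written by the receiving mail server, checks whether the SPF or DKIM domain aligns with the From domain as DMARC requires, and applies the sender domain's DMARC policy. It also audits a domain's own SPF and DMARC records for the weak settings mentioned above. The header and record strings are constructed samples, the organizational-domain reduction is a simplification (a real implementation uses the Public Suffix List), and no DNS lookups are performed.

```python
"""DMARC alignment check and SPF/DMARC policy audit (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    """Reduce a domain to its organizational domain (last two labels).
    Assumption: good enough for example.com-style domains; real code uses the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_auth_results(header):
    """Extract (result, domain) per method from an RFC 8601 Authentication-Results header."""
    header = re.sub(r"\s+", " ", header)  # unfold the header
    results = {}
    pattern = r"\b(spf|dkim)=(\w+)(?:[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+))?"
    for method, result, domain in re.findall(pattern, header):
        results.setdefault(method, []).append((result, domain))
    return results


def dmarc_evaluate(raw_message, dmarc_record):
    """Apply the From domain's DMARC record to the authentication results of one message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    tags = parse_dmarc(dmarc_record)
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    # smtp.mailfrom may carry a full address; DKIM header.d is always a domain.
    spf_ok = any(r == "pass" and aligned(d.rpartition("@")[2], from_domain, tags.get("aspf", "r"))
                 for r, d in ar.get("spf", []))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for r, d in ar.get("dkim", []))
    passed = spf_ok or dkim_ok  # DMARC passes if either aligned method passes
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": passed,
        "disposition": "none" if passed else tags.get("p", "none"),
    }


def audit_policies(spf_record, dmarc_record):
    """Flag SPF/DMARC settings that leave a domain spoofable (heuristic, not a full validator)."""
    findings = []
    if not spf_record.startswith("v=spf1"):
        findings.append("SPF: no record")
    elif re.search(r"(^|\s)\+?all(\s|$)", spf_record):
        findings.append("SPF: '+all' authorizes every sender on the internet")
    elif re.search(r"(^|\s)\?all(\s|$)", spf_record):
        findings.append("SPF: '?all' is neutral, so spoofed mail is not penalized")
    tags = parse_dmarc(dmarc_record) if dmarc_record.startswith("v=DMARC1") else {}
    if not tags:
        findings.append("DMARC: no record")
    elif tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    return findings


# Constructed sample messages: the first is genuine, the second spoofs the CFO's From address
# from an unrelated sending domain and carries no DKIM signature.
LEGIT = (
    "From: CFO <cfo@example.com>\nTo: ap@example.com\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=cfo@example.com;\n"
    " dkim=pass header.d=example.com header.s=sel1\n"
    "Subject: Q3 vendor payment\n\nPlease pay invoice 1042.\n"
)
SPOOF = (
    "From: CFO <cfo@example.com>\nTo: ap@example.com\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@attacker-mail.test; dkim=none\n"
    "Subject: Urgent wire\n\nWire $48,000 today, confidential.\n"
)
STRICT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(dmarc_evaluate(LEGIT, STRICT_RECORD))
    print(dmarc_evaluate(SPOOF, STRICT_RECORD))   # rejected
    print(dmarc_evaluate(SPOOF, MONITOR_RECORD))  # delivered: p=none is monitoring only
    print(audit_policies("v=spf1 include:_spf.example.net +all", MONITOR_RECORD))
    print(audit_policies("v=spf1 include:_spf.example.net -all", STRICT_RECORD))
```

The third call shows why p=none is only a starting point: the spoofed message fails both alignment checks, yet the policy tells the receiver to deliver it anyway.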
Deploy a Payment Verification Process
Organizations should deploy a payment verification process for wire transfers and for any change to a vendor's bank details. The process should require confirmation from more than one person (dual approval) and verification through a second channel, such as calling the requester back on a phone number already on file rather than one supplied in the email. These measures help ensure that every wire transfer request is legitimate; it is always better to have more than one person verify a financial payment request, and an email alone should never be enough to change where money is sent.
Check Financial Transactions
Organizations should review all their financial transactions, watching for irregularities such as unexpected wire transfers, payments to a vendor's newly changed account, or requests that arrive from a domain that nearly but not exactly matches a known vendor's. It is best practice to perform these reviews on a schedule so they are not forgotten.
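The following added example (not code from the original article) turns the payment-verification and transaction-review advice above into a screening step that runs before a payment is approved. Given a vendor master file with each vendor's email domain and registered bank account, it flags requests whose sender domain is a near-match for a known vendor (a lookalike domain), requests that name an account different from the one on file, and urgency language of the kind the article describes. The vendor master, account numbers and requests are constructed sample data; the edit-distance threshold and the keyword list are assumptions to tune for your own environment.

```python
"""Screen payment requests against a vendor master file (added example, constructed data)."""
import re

# Constructed vendor master: domain -> registered details. A real one lives in the ERP/AP system.
VENDOR_MASTER = {
    "acme-supplies.example": {"name": "Acme Supplies", "account": "GB29NWBK60161331926819"},
    "globex.example": {"name": "Globex", "account": "DE89370400440532013000"},
}

# Assumed list of pressure words; extend from your own incident history.
URGENCY_TERMS = ("urgent", "immediately", "confidential", "today", "asap")

LOOKALIKE_MAX_DISTANCE = 2  # assumption: one or two edited characters counts as a lookalike


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as acme-supplles vs acme-supplies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_vendor_domain(sender_domain):
    """Return (vendor_domain, distance) for the known vendor domain nearest to the sender's."""
    best = min(VENDOR_MASTER, key=lambda d: edit_distance(sender_domain, d))
    return best, edit_distance(sender_domain, best)


def screen_request(req):
    """Return a list of findings for one request; an empty list means nothing was flagged.

    req is a dict with 'from' (sender address), 'account' (account to pay) and 'body' (message text).
    """
    findings = []
    sender_domain = req["from"].rpartition("@")[2].lower()
    vendor_domain, dist = closest_vendor_domain(sender_domain)

    if dist == 0:
        vendor = VENDOR_MASTER[vendor_domain]
    elif dist <= LOOKALIKE_MAX_DISTANCE:
        vendor = VENDOR_MASTER[vendor_domain]
        findings.append(f"sender domain {sender_domain!r} is a near-match for vendor domain {vendor_domain!r}")
    else:
        vendor = None
        findings.append(f"sender domain {sender_domain!r} is not a known vendor")

    # A changed account is the single strongest BEC indicator: route to callback verification.
    if vendor is not None and req["account"].replace(" ", "").upper() != vendor["account"]:
        findings.append("requested account differs from the vendor master; verify by callback to the number on file")

    hits = [t for t in URGENCY_TERMS if re.search(rf"\b{t}\b", req["body"], re.IGNORECASE)]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample requests: a routine invoice, and a lookalike-domain request to redirect payment.
ROUTINE = {
    "from": "ap@acme-supplies.example",
    "account": "GB29 NWBK 6016 1331 9268 19",
    "body": "Invoice 1042 attached, payable in 30 days as usual.",
}
REDIRECT = {
    "from": "ap@acme-supplles.example",
    "account": "FR76 3000 6000 0112 3456 7890 189",
    "body": "Please process this urgent payment today to our updated account. Keep it confidential.",
}

if __name__ == "__main__":
    for name, req in (("routine", ROUTINE), ("redirect", REDIRECT)):
        print(name, screen_request(req) or ["no findings"])
```

A request with any finding should go to the dual-approval and callback steps rather than straight to payment; the routine invoice produces no findings, while the redirect request is flagged three times.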
Establish a Response Plan
Organizations should establish a response plan for BEC incidents. The plan should include procedures to:
- Report the incident to IT and to the finance team immediately
- Contact the bank to recall or freeze the transfer if it has already been made (recall is far more likely to succeed within the first hours)
- Notify law enforcement of the incident (in the US, the FBI's Internet Crime Complaint Center, IC3)
- Check the affected mailbox for compromise, including forwarding rules and unfamiliar logins, and reset its credentials
Use Anti-phishing Software
Businesses and individuals can use anti-phishing software to help detect and block fraudulent emails, including tools that flag lookalike domains, newly registered sending domains, and messages whose display name matches an executive but whose address does not. As AI and machine learning gain widespread use, these tools become more effective; however, attackers are also using AI to write more convincing phishing emails, so these tools reduce the volume that reaches employees but do not remove the need for the process controls above. Businesses must remain vigilant and take steps to protect themselves.