BEC Attacks: How to Protect Yourself

According to the FBI’s Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) schemes have grown at a jaw-dropping rate of 2,370% since 2015. With more than 40,000 domestic and international incidents, these types of scams have cost more than a staggering $5.3 billion in actual and attempted losses. To help you keep one step ahead of this multi-billion-dollar threat, we put together a quick walkthrough of what a business email compromise is, how it works, and how you can best protect your organization.

What is a BEC attack?
A BEC attack begins with a cybercriminal hacking and spoofing emails to impersonate your company’s supervisors, CEO, or vendors. Once in, they request a seemingly legitimate business payment. The email looks authentic, seems to come from a known authority figure, so the employee complies. Typically, the fraudster will ask for money to be wired or checks to be deposited, whatever the usual business practice. However, this scam has evolved not even to involve money. Instead, the same technique is used to steal employee’s personally identifiable information, or wage and tax forms (ex. W-2). 

What can I do to stop an attack?
While some BEC attacks involve the use of malware, many rely on social engineering techniques, to which antivirus, spam filters, or email whitelisting are ineffective. However, one of the most useful things you can do is to educate employees and deploy internal prevention techniques, especially for frontline staff who are most likely to be recipients of initial phishing attempts. Below are some self-protection strategies your business can employ:
  • Avoid free web-based e-mail accounts. Establish a company domain name and use it to create company e-mail accounts in place of free, web-based accounts.
  • Enable multi-factor authentication for business email accounts. This type of authentication requires multiple pieces of information to log in, such as a password and a dynamic pin, code, or biometric. Implementing multi-factor authentication makes it more difficult for a cybercriminal to gain access to employees’ email, making it harder to launch a BEC attack. 
  • Don’t open any email from unknown parties. If you do, do not click on links or open attachments as these often contain malware that accesses your computer system.
  • Secure your domain. Domain spoofing uses slight variations in legitimate email addresses to deceive BEC victims. Registering domain names similar to yours will go far in protecting against the email spoofing at the heart of successful attacks. 
  • Double-check the sender’s email address. A spoofed email address often has an extension similar to the legitimate email address. For example, a fraudulent instead of the legitimate
  • “Forward,” don’t “reply” to business emails. By forwarding the email, the correct email address has to be manually typed in or selected from the address book. Forwarding ensures you use the intended recipient’s correct e-mail address.
  • Don’t overshare online. Be careful what you post on social media and company websites, especially job duties and descriptions, hierarchal information, and out-of-office details.
  • Always verify before sending money or data. Make it standard operating procedure for employees to confirm email requests for a wire transfer or confidential information. Confirm face-to-face, or through a phone call using previously known numbers, not phone numbers provided in the email.
  • Know your customers and vendors habits. If there’s a sudden change in business practices, beware. For example, if a business contact suddenly asks you to use their personal email address when all previous correspondence has been through company email, the request could be fraudulent. Verify the request through a different source. 
BEC attacks aren’t as well-known as ransomware or other forms of cybercrime, but it’s nonetheless a very significant threat to organizations of all sizes. Coupling email security measures with education and best practices can help your company avoid BEC attempts. However, if your business is targeted, remember to alert your financial institution and IT department immediately, and file a complaint with the IC3.