What is Business Email Compromise (BEC) and how to stop it
Business Email Compromise (BEC) is the biggest cyber security threat to SMEs. The FBI reported that it cost businesses $12bn between December 2016 and May 2018 alone. The real impact is likely much higher when you consider the many businesses that never disclose that they were affected.
What is Business Email Compromise?
As the name suggests, it is a compromise of email. An attacker takes over an email account within a business, usually one belonging to a member of the executive team. Sometimes the attacker spoofs the executive’s email address instead of compromising the account. Once the account is under their control they monitor its activity and then send emails to the finance team asking for a funds transfer. There are a few variations of this attack:
- CEO Fraud
- Supply chain fraud
- Vendor email compromise
As described above, CEO fraud is straightforward. The CEO’s email account gets compromised or spoofed and the attacker sends emails to the finance department asking for a funds transfer.
Supply chain fraud is where a supplier’s email account gets compromised. The attacker monitors the activity and, at the moment a payment is due, sends an email asking for the funds to be transferred to a new bank account. They usually tell the recipient that the supplier has just changed its bank details. Numerous businesses have suffered from this.
Another example of supply chain fraud is between a solicitor and a consumer. The solicitor’s email account gets compromised, the attacker waits for the right moment and asks the consumer to transfer money into a different bank account. Imagine losing all your life savings because your solicitor’s email account got compromised.
Now you might ask, how do they compromise the email accounts? The answer is a sophisticated phishing attack. They send phishing emails asking the recipient to reset their Office 365 password, log in to LinkedIn, PayPal, etc. Most people reuse the same password across multiple services. Once they compromise the account they usually create forwarding rules so that the account owner doesn’t see the replies to the attacker’s emails.
There are many examples of supply chain fraud and I will finish with this unique one. Imagine an employee’s email account gets compromised: the attacker emails HR a day before payday saying that the employee has changed their bank details and asks for the salary to be paid into the new account.
Vendor email compromise is similar, but once the account is compromised the attacker sends a fake invoice to everyone in its contacts hoping someone will pay it. Guess what, there are businesses that do.
How do you avoid being a victim of Business Email Compromise (BEC)?
There are a few simple steps you can take to avoid BEC in most cases. They are:
- User education: train your users
- Business Process for Payments
- Basic email security controls
User education is the key. Make sure your users are aware of these threats and that they double-check emails, especially when the email is a request for payment. There are a number of Security Awareness Platforms available to help you. We have other resources on these, so please check them out or give us a call and we will be happy to point you in the right direction.
Business process for payments: any payment request or request to update bank details should be authorised by at least two people in the business. Large companies are usually good at this, but SMEs struggle the most.
Basic email security controls should be enabled. They make it easier to stop these attacks and easier for users to spot these emails. Some of the controls include:
- Enable two-factor authentication
- Encourage strong passwords
- Enable anti-spoofing
- Deploy a spam filtering solution
- Tag the subject line of all external emails with ‘[EXTERNAL]’ (the video below has some tips on how to do this)
- Create an alert for when a user creates a forwarding rule on their mailbox
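The forwarding-rule alert above is the control that catches the attacker behaviour described earlier (hiding replies from the account owner). As an added illustration that is not part of the original article, the Python below scans mailbox audit records for rules that forward or redirect mail and rates external destinations and delete-after-forward rules as high severity. The record layout (an Operation name plus a Parameters list) and the sample records are constructed assumptions modelled on how Exchange cmdlet audit events are commonly exported; adjust the field names to your own log source.

```python
import json

# Constructed sample audit records (JSON lines). Layout is an assumption:
# one record per Exchange cmdlet, with the cmdlet's parameters as Name/Value pairs.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"UserId": "cfo@example.com", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "mailbox@attacker-example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"UserId": "alice@example.com", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"UserId": "bob@example.com", "Operation": "Set-Mailbox",
                "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:helpdesk@example.com"}]}),
    json.dumps({"UserId": "carol@example.com", "Operation": "MailItemsAccessed", "Parameters": []}),
]

INTERNAL_DOMAINS = {"example.com"}          # domains you own; anything else is external
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}


def domain_of(address):
    """Return the lower-cased domain of an address, tolerating an 'smtp:' prefix."""
    address = address.lower().split(":", 1)[-1].strip()
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def find_forwarding_alerts(lines, internal_domains=INTERNAL_DOMAINS):
    """Return one alert per audit record that sets up forwarding/redirection."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
        targets = [params[k] for k in sorted(FORWARD_PARAMS) if k in params]
        if not targets:
            continue  # e.g. a plain move-to-folder rule: benign
        external = [t for t in targets if domain_of(t) not in internal_domains]
        deletes = params.get("DeleteMessage", "").lower() == "true"
        # External destination or delete-after-forward are the classic BEC signatures.
        severity = "high" if external or deletes else "medium"
        alerts.append({"user": rec.get("UserId"), "operation": rec["Operation"],
                       "targets": targets, "external": external,
                       "deletes_original": deletes, "severity": severity})
    return alerts
```

Run it on an export of your audit log and route "high" results to whoever can disable the rule and reset the account.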
We hope the above article has been informative. If you need help with tightening your security and protecting your business, please use the chat box below or give us a call on 01224 516181 to speak to one of our experts.