
You've probably been on the receiving end of the classic advance-fee scam: a prince who wants to deposit money in your bank account, but first needs you to send some money to make it all work. It's an oldie, but a goodie. Business email compromise (BEC) is its corporate descendant: instead of a stranger's promise, the lure is an email that appears to come from your CEO, a supplier or a business partner, asking for a payment or a change of banking details. It keeps being reinvented, along with a fresh batch of unwitting victims each time, and the losses are now so large that, by reported losses in the FBI's figures, BEC outranks ransomware as the most damaging category of cyber crime.

According to the FBI's Internet Crime Complaint Center (IC3), reported losses from BEC in the United States exceeded $2.4 billion in 2021. Here in the UK, 79% of businesses that suffered a cyber attack reported phishing as the attack type, and 31% of those identified impersonation of someone in the business as the attack vector. By tying lures to current events such as COVID-19, or trading on the trust of established business relationships, criminals have stayed ahead of defences with increasing sophistication and speed.

A few notable incidents include:

  • A healthcare provider was tricked by criminals posing as trusted vendors with access to much-needed personal protective equipment;
  • A large social media firm handed over employees' personal payroll information to an individual they believed was their CEO;
  • A non-profit was fooled into transferring a large loan intended for a business partner straight into an account controlled by the threat actor.

Employee education is essential to protect yourself and your business from these attacks. If someone in your accounts payable department receives an email from a business partner asking to change established wire transfer details, your staff should be trained to treat the request as a red flag and to confirm it directly with their known point of contact, using a phone number already on file rather than one supplied in the email. It might seem like second nature, but a well-disguised ruse is easy to miss when people are busy and working against deadlines.

It's also important to have a layer of threat detection in place that identifies malicious behaviour, alerts you to it, and informs the right response and remediation. This includes:

  1. Monitoring for anomalous behaviour both on-premises and in the cloud.
    BEC relies on looking like normal user activity. With the rise of remote work, businesses depend more and more on cloud services such as Microsoft 365, which puts data into a complex environment that is often under-protected. Once an attacker has a foothold, the valuable data can be just a few clicks away. Traditional perimeter (or edge) tools such as firewalls cannot see what happens inside cloud-hosted services like Microsoft 365, SharePoint or OneDrive; that requires monitoring the services' own sign-in and audit logs for anomalies such as logins from unexpected locations or at unexpected times. The same applies to your endpoints. If an attacker slips past your defences with valid user credentials, their actions look like typical user activity and are much harder to spot.

  2. Having enough IT security staff.
    When something nefarious happens, you need to know immediately. Small and medium businesses often cannot dedicate staff to monitoring their environment 24x7. If an alert fires at 1 a.m., the time between the alert and someone seeing it and making sense of it can be the difference between stopping the attack and catastrophic damage. Managed threat detection and response can be a force multiplier if you cannot monitor your environment around the clock.

While there are many aspects to improving your defences, these simple tips are worth sharing with employees to raise everyone's awareness of how to avoid business email compromise:

  1. Be sceptical. Last-minute changes to transfer instructions or recipient account details should always be verified before any money moves.
  2. Don't click it. Verify any change using the contact details already on record; never call a number or follow a link supplied in the email itself.
  3. Double-check that URL. Make sure any link in the email points to a domain actually owned by the business it claims to be from, not merely one that mentions the name.
  4. Spelling counts. Look closely at the domain name itself for misspellings and look-alike characters: vv in place of w, rn in place of m, the digit 1 in place of the letter l. Small substitutions like these are a common way to trick people into clicking.
  5. It's a match! Check the actual sender address, not just the display name. Mobile and handheld mail clients often show only the name, so a message from "Your CEO" may in fact come from a free webmail account. Expand the sender to see the full address and make sure it matches who the email claims to be from.
  6. Pay attention. There are often clues to a business email compromise attempt; for example, an employee who doesn't usually interact with the CEO suddenly receives an urgent, confidential request from them.
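
As an added illustration of tips 3 to 5 (this is example code written for this article, not part of the original post or of any product), the Python below checks an incoming From: header against a constructed list of trusted partner domains. It flags the tricks described above: confusable substitutions such as vv for w or rn for m, accented look-alike letters, a one-character typo, a trusted name buried inside somebody else's domain, and a display name that shows a trusted address while the real sender is elsewhere. It also flags a Reply-To that points away from the From domain. The trusted-domain list, the confusables table and the sample headers are all constructed for the example; a real deployment would take the domains from the vendor master file and run the check at the mail gateway.

```python
import unicodedata
from email.utils import parseaddr

# Constructed list of domains the organisation does business with. In practice it
# would come from the vendor master file or address book, not be hard-coded.
TRUSTED_DOMAINS = {"examplepartner.com", "contoso.com"}

# Character sequences attackers substitute because they look alike in many fonts.
CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize_domain(domain):
    """Lower-case, strip accents from look-alike letters, collapse confusable sequences.

    NFKD plus removing combining marks handles e.g. 'exámplepartner.com'. It does not
    handle cross-script homoglyphs such as Cyrillic 'а'; that needs a confusables
    table like Unicode TR39.
    """
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: a domain one typo away from a trusted one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(address):
    """Domain part of an address-like string, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower().strip(' "<>') if "@" in address else ""


def classify_sender(from_header, reply_to_header=""):
    """Classify an RFC 5322 From: header value as 'trusted', 'suspicious' or 'unknown'.

    Returns (verdict, reasons). The check looks at the domain of the real address,
    which is exactly what a mobile client hides behind the display name.
    """
    display, addr = parseaddr(from_header)
    domain = _domain_of(addr)
    reasons = []

    if domain in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        verdict = "unknown"
        norm = normalize_domain(domain)
        for trusted in TRUSTED_DOMAINS:
            trusted_norm = normalize_domain(trusted)
            if norm == trusted_norm:
                reasons.append(f"{domain} normalises to {trusted} (confusable characters)")
            elif edit_distance(norm, trusted_norm) <= 1:
                reasons.append(f"{domain} is one edit away from {trusted}")
            elif trusted_norm in norm:
                # e.g. examplepartner.com.secure-portal.net: the trusted name is only a
                # label inside somebody else's registrable domain.
                reasons.append(f"{domain} embeds {trusted} inside a different domain")

    # Display-name spoofing: the visible name is a trusted-looking address, the real one is not.
    if "@" in display and _domain_of(display) in TRUSTED_DOMAINS and _domain_of(display) != domain:
        reasons.append("display name shows a trusted address but the real sender differs")

    # A Reply-To pointing somewhere other than the From domain diverts the conversation.
    reply_domain = _domain_of(parseaddr(reply_to_header)[1]) if reply_to_header else ""
    if reply_domain and reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")

    if reasons:
        verdict = "suspicious"
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample headers covering each trick the tips describe.
    for hdr in ["Jane Doe <jane@examplepartner.com>",
                "Jane Doe <jane@exarnplepartner.com>",
                "Jane Doe <jane@examplepartner.co>",
                "Jane Doe <jane@examplepartner.com.secure-portal.net>",
                '"jane@examplepartner.com" <attacker@gmail.com>']:
        print(hdr, "->", classify_sender(hdr))
```

The normalisation deliberately runs on both the incoming domain and the trusted domain, so a legitimate partner whose name happens to contain "rn" is still matched correctly. A verdict of "unknown" is not a pass: it simply means the domain is neither on the list nor an obvious imitation of something on it, and the human checks in tips 1 and 2 still apply.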

Other clues that an account may already be compromised include:

  • Sign-in data shows an employee in one location at 3 p.m. and halfway around the world 10 minutes later.
  • Activity from a member of staff who is supposed to be on leave.
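
The two clues above are exactly the kind of anomaly the cloud-log monitoring discussed earlier can catch automatically. The Python below is an added example for this article, not code from the original post or from any vendor's product: it runs an impossible-travel rule and an on-leave rule over a handful of constructed sign-in records. The record format is a simplified assumption loosely modelled on Microsoft 365 / Entra ID sign-in logs (the real schema differs and already geolocates the IP for you), the leave calendar is constructed, and the speed and distance thresholds are tunable guesses.

```python
import json
from datetime import date, datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample of successful cloud sign-ins. The field names are a simplified
# assumption loosely modelled on Microsoft 365 / Entra ID sign-in logs, not the real schema.
SIGNIN_LOG = """\
{"time": "2024-03-04T15:00:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "city": "London", "lat": 51.5074, "lon": -0.1278}
{"time": "2024-03-04T15:10:00Z", "user": "alice@example.com", "ip": "198.51.100.7", "city": "Sydney", "lat": -33.8688, "lon": 151.2093}
{"time": "2024-03-04T15:20:00Z", "user": "bob@example.com", "ip": "203.0.113.22", "city": "Manchester", "lat": 53.4808, "lon": -2.2426}
{"time": "2024-03-04T16:05:00Z", "user": "bob@example.com", "ip": "203.0.113.22", "city": "Manchester", "lat": 53.4808, "lon": -2.2426}
{"time": "2024-03-04T16:30:00Z", "user": "carol@example.com", "ip": "192.0.2.55", "city": "Leeds", "lat": 53.8008, "lon": -1.5491}
"""

# Constructed leave calendar (in practice fed from the HR system): user -> (first day, last day).
ON_LEAVE = {"carol@example.com": (date(2024, 3, 1), date(2024, 3, 10))}

MAX_PLAUSIBLE_KMH = 900   # about airliner cruising speed; faster than this is "impossible travel"
MIN_DISTANCE_KM = 100     # ignore small hops (carrier NAT, VPN egress changes within a region)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_events(log_text):
    """One JSON object per line; timestamps parsed to aware datetimes, sorted oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect(events, on_leave):
    """Return alerts for impossible travel and for activity from users recorded as on leave."""
    alerts = []
    last_seen = {}  # user -> that user's previous sign-in event
    for ev in events:
        user = ev["user"]

        # Rule: any sign-in inside a recorded leave window is worth a look.
        window = on_leave.get(user)
        if window and window[0] <= ev["time"].date() <= window[1]:
            alerts.append({"rule": "activity_during_leave", "user": user,
                           "time": ev["time"].isoformat(), "city": ev["city"], "ip": ev["ip"]})

        # Rule: compare with the user's previous sign-in from a different IP.
        prev = last_seen.get(user)
        if prev and prev["ip"] != ev["ip"]:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            # hours == 0: two far-apart sessions at the same instant is also impossible.
            too_fast = hours == 0 or km / hours > MAX_PLAUSIBLE_KMH
            if km >= MIN_DISTANCE_KM and too_fast:
                alerts.append({"rule": "impossible_travel", "user": user, "from": prev["city"],
                               "to": ev["city"], "km": round(km), "minutes": round(hours * 60)})
        last_seen[user] = ev
    return alerts


def run_demo():
    """Run both rules over the constructed log and return the alerts."""
    return detect(parse_events(SIGNIN_LOG), ON_LEAVE)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Against the constructed log this raises two alerts: alice's London-to-Sydney hop in ten minutes, and carol signing in from Leeds during her recorded leave, while bob's two Manchester sessions from the same IP stay quiet. In production the same logic would run continuously over the tenant's sign-in log, and the on-leave rule depends on the HR feed being accurate, so treat both as prompts for a human to verify, not as automatic account lockouts.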

If you see something, say something. If something looks fishy, report it to your managed service provider or IT security lead. It's better to raise it and be wrong than to stay quiet and watch someone else fall victim to the scam.


You can book a call with us to talk about how we use our security suite to protect against BECs and many other types of cyber attacks.