The Internet has become the driving engine of interaction between companies and customers, and email remains the most popular tool for formal business communication. Unfortunately, it is also one of the most fragile ways to exchange messages and sensitive data. Email is prone to phishing and spam attacks, and Business Email Compromise (BEC) in particular causes heavy financial losses and reputational damage.
We are in the middle of a digital and technological transition that disrupts economies and changes the very fabric of society. The latest developments in Artificial Intelligence and the post-pandemic challenges push businesses to enhance their online presence and seek new opportunities in uncharted areas. At the same time, cybercriminals are plotting new schemes to perpetrate devastating scams.
This article tackles BEC fraud and provides tips on protecting your business against cyber attacks. Let’s dive straight into the matter!
What is a Business Email Compromise?
Business Email Compromise (BEC) is a targeted phishing scam in which fraudsters use social engineering to trick employees into disclosing sensitive data or making payments based on fraudulent instructions. Unlike bulk phishing, a BEC email often carries no malware or malicious link at all; the message itself is the attack, which is why technical filters alone rarely catch it.
A typical phishing scam begins with a fake email from a supposedly real company such as your bank, internet provider, or gaming platform. It looks professional and doesn't raise suspicion. The sender urges you to change your password, reveal your credentials, or transfer money.
Here's where social engineering kicks in. The attackers pretend to be your boss, your supplier, someone from your IT team, or your delivery company. Through clever manipulation tactics, they can deceive even the most qualified employees. Just ask Google and Facebook.
In arguably the most resounding social engineering attack of all time, Evaldas Rimasauskas and his associates persuaded Google and Facebook employees to pay invoices for goods and services that a real manufacturer had genuinely supplied, but into bank accounts the fraudsters controlled, defrauding the two companies of over $100 million.
If BEC scams can happen at that level, imagine how susceptible the rest of the business landscape is, where employees often lack cyber security awareness and vigilance. The costs and damages resulting from BEC attacks run into billions over a calendar year. Here are some stats to make you shiver:
BEC scams in numbers
- According to the FBI, BEC attacks remain the costliest cybercrime, with losses amounting to $43 billion worldwide between June 2016 and December 2021.
- 65% of organizations faced BEC attacks in 2020
- One in five employees falls for phishing scams and responds to suspicious emails.
- The most common BEC scam is invoice or payment fraud.
- The average amount requested in wire transfer BEC attacks was $72,000, while the maximum loss reached $999,600 in 2021.
As you can see, BEC attacks are sweeping the world with increasing frequency, so it's imperative to spot them from the get-go. Here are five efficient ways to do it.
Know your enemy and their schemes
Criminals look like geniuses when they pull off a massive scam, but in most cases a careless employee deserves the credit. Most BECs rely on the same underlying tactics and manipulations, so detecting them should come as second nature once you have learned the common BEC strategies.
The biggest red flag is a false sense of urgency. Attackers, usually posing as executives, supervisors, or chief accountants, send spoofed emails urging victims to wire money to close a business deal. Here's a classic example:
Hi Ben,
I’m meeting right now with [Company Name]. It seems that our last invoice went to their old account. If you don’t have their new account details, I’ve provided them below. Please pay NOW, so I can tell them it’s done.
Account No: 94567868900
Sort Code: 45-20-30
Thanks!
Andrew, CAO of [Your Company Name].
Seems pretty convincing, right? What gives it away is the sender's domain. Always check the sender's actual address, not just the display name, before replying. At first glance the message comes from a credible domain, but it is slightly altered to catch you off guard. So instead of @microsoft.com, the fake address could read @micr0soft.com (a zero in place of the letter o) or @microsott.com. Notice, too, that the message asks you to pay into account details that arrived in the same email; new payment details should always be confirmed over a channel the email did not provide.
Another common BEC tactic is vendor impersonation, where scammers pose as one of your company's suppliers. This attack is trickier: in the worst case the sender's details are genuine because the scammers have broken into the vendor's real email account, so the domain checks above will not help and the transaction looks legitimate. The good news is that you can still prevent the fraud by double-checking the vendor's account number, because it will differ from the usual one. If anything feels off, phone the vendor on a number you already have on file (never one taken from the email) and ask them to confirm the change.
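As an added example (not code from the original article), the following Python script applies the checks from this section to a raw message: it flags a sender domain that imitates a trusted one (digit-for-letter swaps and one- or two-character misspellings), a Reply-To that points somewhere other than the From: domain, an address hidden inside the display name, urgent wording, and bank details in the body. The trusted domains, the verdict rule and the sample message (a reconstruction of the email quoted above with constructed addresses) are assumptions for the demonstration.

```python
"""Header-level BEC triage of a raw email message (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for the demo: your own domain plus vendors you actually deal with.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}

# Small homoglyph table: characters scammers swap for look-alikes. Not exhaustive.
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"})
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]

URGENCY_WORDS = ("right now", "now", "urgent", "immediately", "asap", "today")
BANK_DETAILS = re.compile(r"account\s*no|sort\s*code|iban|routing\s*number", re.I)


def normalize(domain: str) -> str:
    """Fold common look-alike spellings back to the characters they imitate."""
    d = domain.lower().translate(SINGLE)
    for src, dst in MULTI:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-letter swaps such as microsott.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    if any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # a real subdomain of a trusted domain
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        # Distance threshold of 2 is a demo choice; tune it for very short domains.
        if norm == trusted or levenshtein(norm, trusted) <= 2:
            return trusted
    return None


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Run the red-flag checks and return the findings plus an overall verdict."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()

    # An address smuggled into the display name, e.g. "ceo@example.com" <x@freemail.invalid>
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", from_name)

    result = {
        "from_domain": from_domain,
        "lookalike_of": lookalike_of(from_domain),
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "name_address_mismatch": bool(embedded) and embedded.group(1).lower() != from_domain,
        "urgency_words": [w for w in URGENCY_WORDS
                          if re.search(r"\b" + re.escape(w) + r"\b", text)],
        "bank_details": bool(BANK_DETAILS.search(text)),
    }
    # Verdict rule (demo assumption): any identity red flag, or urgency combined
    # with payment instructions, is enough to hold the message for review.
    identity_flag = bool(result["lookalike_of"] or result["reply_to_mismatch"]
                         or result["name_address_mismatch"])
    result["suspicious"] = identity_flag or (bool(result["urgency_words"]) and result["bank_details"])
    return result


# Constructed sample modelled on the article's example; ASCII only so it parses as-is.
SAMPLE = """\
From: Andrew Smith <andrew@examp1e.com>
Reply-To: andrew.cao@freemail.invalid
To: ben@example.com
Subject: Urgent payment
Content-Type: text/plain; charset=utf-8

Hi Ben,

I'm meeting right now with [Company Name]. It seems that our last invoice went
to their old account. If you don't have their new account details, I've
provided them below. Please pay NOW, so I can tell them it's done.

Account No: 94567868900
Sort Code: 45-20-30

Thanks!
Andrew, CAO
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:>22}: {value}")
```

Run it and the sample is held for review on three independent grounds: the domain examp1e.com normalizes to example.com, the Reply-To lives on a different domain, and the urgent tone arrives together with new account details. A benign internal message from the real example.com produces no identity findings. Note what the script cannot do: a compromised vendor mailbox passes every one of these checks, which is why the account-number comparison and the phone call remain the last line of defence.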
Educate your Employees to spot BEC Attacks
Without proper training on cybersecurity awareness and BEC scams, someone in your organization will fall victim sooner or later. Employees must develop a strong grasp of phishing emails and be fully aware of the enormous risks and implications of these attacks. Run regular phishing drills and remind employees to verify the authenticity of emails, especially suspicious ones. Here's what they should pay attention to:
- The tone of the message. If it is urgent, they should take a step back and carefully inspect the email address and contents.
- The sender's display name doesn't match the email address.
- Spelling mistakes, typos, and poor grammar.
- Unsolicited links and attachments.
Use Strong Passwords and Enable Two-Factor Authentication
A password policy ensures that all users choose strong passwords (i.e., at least 12 characters with upper- and lower-case letters, numbers, and special characters) and do not reuse them across services. Two-factor authentication (2FA) adds a layer of security that prevents unauthorized access to an email account even if the password has been compromised, which is exactly how vendor mailboxes end up in the hands of BEC scammers. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or redirected.
Get technical. Protect your emails with anti-fraud measures
One of the most efficient ways to safeguard against email attacks is to deploy a secure email gateway (SEG). Such a device or service sits in front of your mail server, monitors email traffic, and stops spam, malware, and viruses from reaching your inbox. An SEG can also detect and block known phishing domains, and you can add common keywords used in BECs (for example, urgent wire transfer or change of bank details) so that messages containing them are flagged as suspicious.
Another security measure is to use the email authentication methods SPF, DKIM, and DMARC. They work together, and each covers a gap the others leave:
- With Sender Policy Framework (SPF), you publish a DNS TXT record listing the servers (IP addresses or hostnames) authorized to send email on behalf of your domain. Receivers check the connecting server against that list.
- DKIM stands for DomainKeys Identified Mail and works alongside SPF to detect forged emails. Your mail server signs outbound messages with a private key, and the matching public key is published in DNS so that recipients can verify the signature and confirm that the message was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It requires that the domain that passed SPF or DKIM aligns with the domain in the visible From: header, tells receivers what to do with mail that fails (none, quarantine, or reject), and sends you reports on who is sending mail in your name. Keep in mind that these protocols stop attackers from spoofing your exact domain; they do nothing against look-alike domains, free webmail addresses, or a genuinely compromised account, which is why the human checks above remain essential.
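To make the alignment step concrete, here is an added Python example (not code from the article or from any mail server) that parses a DMARC record and applies it to the SPF and DKIM results a receiving server has already computed. The record, domains and results are constructed; the organizational-domain logic approximates the Public Suffix List with "last two labels", which is an assumption that breaks for domains such as example.co.uk.

```python
"""DMARC alignment check given SPF and DKIM results (added example, not from the article)."""


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags,
    filling in the defaults the specification assumes (relaxed alignment,
    subdomain policy = domain policy, pct=100)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    real validators consult the Public Suffix List, e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the From: domain;
    relaxed ('r') accepts any domain sharing the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(record: str, header_from: str, spf_domain: str = "", spf_result: str = "none",
             dkim_domain: str = "", dkim_result: str = "none"):
    """Return (dmarc_pass, action). spf_domain is the MAIL FROM (envelope) domain
    SPF was evaluated for; dkim_domain is the d= tag of a verified signature."""
    policy = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, header_from, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, header_from, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return True, "none"
    # 'sp' covers subdomains of the domain that published the record, 'p' the domain itself.
    is_subdomain = org_domain(header_from) != header_from.lower()
    return False, (policy["sp"] if is_subdomain else policy["p"])


# Constructed record for the domain being protected (assumption: example.com).
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    cases = {
        "genuine mail, bounce subdomain passes SPF":
            evaluate(RECORD, "example.com", "bounce.example.com", "pass"),
        "spoofed From:, attacker's own domain passes SPF":
            evaluate(RECORD, "example.com", "attacker.invalid", "pass"),
        "genuine mail, SPF fails but DKIM passes":
            evaluate(RECORD, "example.com", "", "fail", "example.com", "pass"),
        "unauthenticated mail from a subdomain":
            evaluate(RECORD, "news.example.com"),
    }
    for label, (passed, action) in cases.items():
        print(f"{label}: pass={passed}, action={action}")
```

The interesting cases are the spoof and the look-alike. A spoofed From: ceo@example.com sent from the attacker's own server fails because neither SPF nor DKIM aligns with example.com, and the published p=reject tells the receiver to drop it. A message from examp1e.com, however, is evaluated against examp1e.com's own record (if it has one), so DMARC gives no opinion about it; that gap is exactly what the look-alike checks earlier in the article close.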
Encrypt emails and documents with an S/MIME certificate
Email certificates follow the S/MIME (Secure/Multipurpose Internet Mail Extensions) standard and provide authentication, integrity, and, when both parties have certificates, confidentiality.
With S/MIME you digitally sign outgoing emails, which lets recipients confirm the sender's identity and verify that the message content has not been altered, and you can encrypt messages end to end for any recipient whose certificate you hold. A signature only helps if the recipient expects one, so train staff to treat an unsigned payment request from a colleague who normally signs as a red flag.
With S/MIME encryption the message body is no longer transmitted in plain text, so it cannot be read in transit by a man-in-the-middle, and the signature exposes any tampering (headers such as the subject line remain visible). Best of all, S/MIME certificates are compatible with modern e-mail clients and are FDA ESG compliant. You can get an S/MIME certificate from SSL Dragon. We have options for individuals and companies of all sizes.
What to do if you fell for a BEC scam?
Oh no, you think you may have responded to a BEC email. Don’t panic just yet! Here’s what you should do:
- If your company has BEC security protocols, follow them as per your training guidelines.
- Notify your IT or security department immediately so they can check whether any account was compromised and warn other staff.
- Call your bank immediately and ask them to recall or freeze the transfer; the chances of recovering the money drop quickly once it leaves the receiving account.
- Review your account statements for any suspicious activity.
- Report the incident to the relevant authorities. In the United States, file a complaint with the FBI's Internet Crime Complaint Center (IC3) or contact your local FBI field office.
Final Thoughts
BEC scams will be around as long as the Internet exists. The main reason they are so successful is that human nature is prone to manipulation and covert tactics. BECs are more psychological than technical. They follow a proven blueprint that relies heavily on carelessness, deference to authority, and lack of cyber security awareness.
We've shown you how to spot and prevent BEC scams before it's too late. Now it's your turn to put these measures into practice, both for general email security and whenever you open a new message.