Combatting Business Email Compromise (BEC) Risks
An old scam that keeps reinventing itself with new victims. Don’t become one!
You’ve probably heard the classic business email compromise (BEC) scam about Nigerian princes who want to deposit money in people’s bank accounts but first need their prey to send them money to make it all work to plan. It’s an oldie but a goodie. Unfortunately, it’s also one that keeps reinventing itself, along with another batch of unwitting victims. In fact, it happens so often, BEC scams currently outdo ransomware as the most damaging cyberattack in the world.
According to the FBI’s Internet Crime Complaint Center (IC3), in 2021, losses from BEC exceeded $2.4 billion. Using tactics that play off real-time world events, such as COVID-19 or the trust of established interpersonal relationships, criminal actors have managed to stay ahead of the good guys with increased sophistication and swiftness. A few examples:
- Healthcare providers were bilked by impostors posing as trusted vendors with access to much-needed personal protection equipment.
- A large social media firm handed over personal payroll information about employees to an individual they thought was their CEO.
- A nonprofit was fooled into transferring a large loan to a business partner right into the hands of the threat actor.
To protect yourself and your business from these types of attacks, employee education is nonnegotiable. Let’s say someone in your accounts payable department receives an email from a business partner requesting you alter established wire transfer information. Is your staff trained to recognize this request as a red flag? Before acting on the request, the employee must confirm directly with their point of contact the details of the requested change.
It seems second nature, but when people are busy and working against deadlines, it’s easy to miss a well-disguised ruse.
From a defense in-depth perspective, it’s also essential to ensure you have a layer of threat detection to identify malicious behavior, alert to the threat, and inform the correct response and remediation measures. This would include:
Monitoring for anomalous or unusual behavior, both on-premises and in the cloud
BEC threats rely on looking like normal user activity. With the increase in remote work, companies are relying more on cloud services such as Microsoft Office 365, which puts data into a complex environment that is often underprotected. Once threat actors get access to Office 365, accessing the juicy data is just a few clicks away. And traditional perimeter security tools, such as firewalls, aren’t able to monitor suspicious activity in cloud-hosted applications like Office 365, SharePoint, or OneDrive.
The same applies to monitoring of your endpoints for suspicious activity. If a threat actor slips past perimeter defense and acquires user credentials, it will be difficult to identify threats that appear as typical activity.
Having enough IT security staff
When something nefarious goes down, you need to know immediately. Too many businesses lack the ability to dedicate staff to 24/7 monitoring of their environment. If an alert goes off at 1 a.m., the time lost until someone notes it and makes sense of it could be the difference between defense of the business or catastrophic damage. Managed threat detection and response can be a force multiplier if you are unable to monitor your environment 24/7.
While there are many aspects to improving and deepening your defensive strategy, the following from the FBI act as effective tips to share with your employees to elevate everyone’s awareness of how to avoid business email compromise (BEC) attacks.
- Be skeptical: Last-minute changes in wire transfer instructions or recipient account information must be verified.
- Don’t click it: Verify any changes and information via the contact on file. Do not contact the vendor through the number provided in the email.
- Double check that URL: Ensure the URL in the email is associated with the business it claims to be from.
- Spelling counts: Be alert to misspelled hyperlinks in the actual domain name.
- It’s a match: Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it’s coming from.
Lastly, pay close attention to the fine details. Often there are clues with business email compromise:
- An employee who does not normally interact with the CEO receives an urgent request from them.
- Data shows an employee is in one location at 1 p.m. but halfway around the globe ten minutes later.
- Active activity from an employee who is supposed to be on leave.
If you see something, say something. If something looks awry, report it to your managed service provider or IT security supervisor. And if you have been a victim of BEC, file a detailed complaint with IC3.
To learn more about business email compromise (BEC) threats and defense against them, give us a call.