You may have heard about the recent business email compromise (BEC) attacks in which FACC and MacEwan University respectively lost €52.8 million and $11.8 million. In both cases, scammers impersonated someone staff members trusted and ingeniously deceived them into transferring funds to a fraudulent bank account.
Unfortunately, that is only the tip of the iceberg: more than 40,000 BEC incidents have resulted in $5 billion in losses over the past three years, according to the FBI. How can scams like these still happen in modern organizations that spend a significant portion of their IT budgets on security?
Let’s take a look at how BEC scams often manage to fall through the cracks, as well as best practices and technologies to prevent and fight them.
How BEC Scams Work, in a Nutshell
With so many free or low-cost mailbox providers, it is easy for cybercriminals to forge a lookalike of anyone’s email address by adding or removing a single character. Using that fake identity, typically that of a CEO or CFO, they ask for a wire payment that is supposedly needed to complete a time-sensitive project. Another tactic consists of pretending to be a vendor and informing the target of a change in billing details, so that money ends up misdirected.
Since the requests look credible and appear to come from management or a long-term supplier, employees do not ask questions and comply, thinking that they are just doing their job.
Tighten Your Corporate Security Policies
You can significantly reduce cybercriminals’ ability to exploit gaps in your organization by implementing strict corporate security processes. For instance, you could make it mandatory to always ask for a secondary signoff, via either phone call or face to face, before executing requests sent via email and involving large sums of money or highly confidential data.
Additionally, you may define an approval hierarchy with rules based on the value of deals and transfers, for example requiring the consent of at least two department heads for transactions above given thresholds.
Train Your Staff to Detect and Report Suspicious Behaviors
You must ensure that your staff is aware of the latest types of BEC scams as they emerge. In general, a request calling for secrecy and urgency should be seen as a red flag, especially if it is the first of its kind or relating to previously unknown activities and stakeholders. It is also essential that suspicious messages are reported immediately to assess risks at a corporate level as well as warn all employees about newly discovered threats.
Design and Implement a Plan for Mobile Security
Mobile devices are far more likely to be lost, stolen or connected to an unsecured public Wi-Fi router, which gives cybercriminals opportunities to hijack corporate identities. Once they can read corporate email accounts and reach sensitive files, they can make fraudulent requests sound even more credible.
For that reason, you need security measures in place for staff members who spend a lot of time on the go. These might include two-step authentication and a connection to a virtual private network (VPN) before accessing corporate email addresses or company servers.
Upgrade Your Email Security Tech Stack
The share of organizations investing in multiple data security tools is expected to reach 60 percent by 2020, up from 35 percent today. These solutions include email security frameworks such as SPF and DMARC, which have been widely adopted by email service providers to avoid man-in-the-middle attacks. What’s more, you might use email security solutions to detect spoofed email addresses automatically.
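As an added illustration of what such automatic detection looks like (example code written for this article, not a product or the article’s own tooling), the following script inspects a constructed message for three BEC indicators described above: a sender domain that imitates a trusted one by a single added, removed or swapped character, a failed DMARC result recorded by the receiving mail server, and a request that combines urgency with secrecy. The trusted domain list and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the article): the display name claims to
# be the CFO, the sender domain differs from the real one by one character, and
# the receiving server recorded a DMARC failure in Authentication-Results.
SAMPLE_MESSAGE = """From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
To: accounts@example-corp.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example-corp.com; spf=none smtp.mailfrom=examp1e-corp.com; dmarc=fail header.from=examp1e-corp.com

Please wire the payment today and keep this between us.
"""

# Assumption: the company's own domain plus domains of known suppliers.
TRUSTED_DOMAINS = {"example-corp.com", "trusted-vendor.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


def assess_message(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the BEC indicators found in one raw RFC 5322 message, in check order."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))          # real address, not the display name
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    imitated = lookalike_domain(domain, trusted)
    if imitated:
        findings.append(f"sender domain {domain} looks like {imitated}")
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    if m and m.group(1).lower() != "pass":            # receiving server's DMARC verdict
        findings.append(f"dmarc={m.group(1)}")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    urgent = any(w in text for w in ("urgent", "today", "immediately"))
    secret = any(w in text for w in ("confidential", "between us", "secret"))
    if urgent and secret:
        findings.append("urgency combined with secrecy")
    return findings
```

Each finding is a reason to route the message to the secondary sign-off described earlier rather than a verdict on its own; legitimate supplier mail can fail DMARC when the supplier's own records are misconfigured.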
Business email compromise scams pose a significant threat, endangering both individuals and organizations and causing substantial losses. Fortunately, there are ways to prevent and fight these scams by combining best practices with email security technology.