(August 5, 2021) Although ransomware continues to make headlines, business email compromise (BEC) remains one of the costliest cybercrimes. The FBI’s Internet Crime Complaint Center (IC3) received nearly 20,000 complaints involving BEC in 2020, with associated losses of $1.8 billion. In a recent report, the FBI noted a significant increase in BEC attacks in 2021 as employees continue to work from home due to the COVID-19 pandemic.
The threat of business email compromise is not going away. BEC is a huge and growing problem that organizations should address in their cybersecurity strategies and operational policies. A “human firewall” of trained employees can help ensure that a BEC attack does not result in financial losses.
What Is BEC?
BEC attacks use email fraud to trick victims into sending money or sensitive information to the attackers. According to a recent report from Cybersecurity Insiders, 71 percent of BEC attacks use “spoofed” email accounts or websites in highly targeted attacks. Almost half (49 percent) spoof an identity in the display name, typically a company executive or someone with authority to request a wire transfer.
The attackers often research the company’s organizational hierarchy through social media, then send the spoofed email to someone in finance or accounting who regularly handles such requests. Victims think they’re getting an email from the CEO or CFO and their natural instinct is to transfer the money.
The finance department isn’t the only target. Fraudsters are also sending BEC emails to HR, with bogus requests to change an employee’s direct deposit account for salary or expense payments.
In other cases, the attackers will find out the names of legitimate vendors and business partners that the company wires money to regularly. The attackers will pose as the supplier and send an invoice, requesting that payment be transferred to an account controlled by the fraudsters. Companies that do business overseas are often targeted.
How to Avoid Becoming a Victim
What can your organization do to avoid falling victim to BEC? Secure email gateways and other tools that block spam and phishing emails are less effective at detecting BEC attacks. The DMARC protocol can prevent domain name spoofing and ensure that the content of emails has not been compromised, but it is not foolproof.
The key is to educate employees and executives about the risk and how to spot fraudulent emails. Often, the emails come from a domain that’s slightly different from the company’s real domain or have a reply-to address that does not match the sender’s address. BEC attacks rarely have the bad grammar and spelling associated with phishing emails, but they may use European date formats or sentence construction that suggests a non-English speaker.
Even if the email is flawlessly constructed, employees should be suspicious of urgent requests from executives to wire money and to keep the request confidential. They should also question vendor requests for payment that don’t go through normal channels.
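As an added example (not part of the original article), the following Python script applies the warning signs described above to a constructed message: a sender domain one character off from the company's, a Reply-To that points elsewhere, an executive's display name on an external address, and a subject that pairs urgency with a request for secrecy. The corporate domain example.com and the executive name are assumed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"   # assumed corporate domain (placeholder)
EXECUTIVES = {"jane doe"}    # assumed names of people who can authorise wires

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    hits = []
    # 1. Reply-To routes answers to a domain other than the sender's.
    if reply_domain and reply_domain != from_domain:
        hits.append(f"reply-to domain {reply_domain!r} differs from sender domain {from_domain!r}")
    # 2. Sender domain is almost, but not exactly, ours.
    if from_domain != OUR_DOMAIN and edit_distance(from_domain, OUR_DOMAIN) <= 2:
        hits.append(f"lookalike sender domain {from_domain!r}")
    # 3. An executive's display name on a message from outside our domain.
    if from_name.lower() in EXECUTIVES and from_domain != OUR_DOMAIN:
        hits.append(f"display name {from_name!r} used from external domain {from_domain!r}")
    # 4. Pressure language: urgency combined with a request for secrecy.
    subject = msg.get("Subject", "").lower()
    if "urgent" in subject and "confidential" in subject:
        hits.append("subject combines urgency with a request for secrecy")
    return hits

# Constructed sample message (headers only); not a real capture.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-ceo-urgent.net
To: payments@example.com
Subject: Urgent wire, keep confidential
"""

if __name__ == "__main__":
    print(*bec_indicators(SAMPLE), sep="\n")
```

Any non-empty result is a reason to confirm the request over a separate channel before acting, not proof of fraud on its own.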
Most importantly, organizations should establish policies and procedures for verifying wire transfers. Employees should always be suspicious of email requests and use a different channel — phone, fax or in person — for confirmation. The account number for the wire transfer should be checked and verified. Banks are also establishing more stringent protocols around wire transfers to help detect fraud.
Business email compromise doesn’t receive as much press coverage as ransomware, but it is still a significant threat. Employee training and education along with establishing a strong “human firewall” is key to helping protect your organization from fraud associated with BEC.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region, including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.