Business email compromise (BEC) scams are not going away and are still the “easiest” way for cybercriminals to infiltrate your network. These cybercriminals target business owners and employees in order to attempt to defraud a company, its customers, or its partners. In these types of scams, an attacker will pretend to be a trusted entity by spoofing a company email account. They then trick employees into revealing sensitive information or performing wire transfers.
Types of BEC Scams
The most common BEC scams target employees with access to company finances, trying to get them to transfer money or reveal sensitive data. Types of BEC scams include:
- False invoice schemes (often posing as a foreign supplier)
- CEO fraud (posing as a CEO or high-level employee)
- Account compromise (attackers hack email accounts and use them to request payments)
- Attorney impersonation (email or phone calls from attackers pretending to be a lawyer or law firm representative)
- Data theft (targeting HR and bookkeeping employees to gain sensitive information about employees)
What Can You Do To Detect or Avoid BEC Scams?
- A suspicious email or phone call often arrives when key personnel are absent or at the end of the day, when your energy and attention are low. Attackers try to take advantage of confusion, lack of knowledge, or fear with urgent statements, legal threats, and more. Avoid clicking any links in the email or replying to it. If it’s a phone call, hang up immediately. Speak to a supervisor or knowledgeable person about the issue.
- Check that names and addresses are spelled correctly in an email header. Hackers will spoof legitimate addresses with slight changes. At a quick glance, they look like the real thing. But when you look closely, you can see that a name has been misspelled or the email domain has an extra letter.
- Even if an email comes from a trusted sender, confirm in person or over the phone before taking the action requested. Spear phishing emails are sophisticated and tailored to you, taking advantage of names you trust and details about yourself.
- If the request seems out of the ordinary or unusually urgent, always double-check in person or over the phone with the requester. (And not by replying to the email!)
Technical Defenses
There are also technical steps you can take to defend your organization against BEC scams.
- A strong anti-spam solution should flag emails based on configurable rules. For example, it could flag emails where the “Reply-To” address differs from the “From” address. There are also intrusion detection system rules that can help flag fraudulent emails and lookalike domain names.
- Require additional two-factor authentication for payment verification.
- Require confirmation of fund-transfer requests by phone verification or another two-factor authentication method.
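As an added example (not code from the original post or from solūt), the two header rules described above can be implemented as a simple triage check: a Reply-To that does not match the From domain, and a From domain that is one typo away from a trusted one. The TRUSTED_DOMAINS set and both sample messages are constructed for illustration.

```python
"""Added example: flag Reply-To differing from From, and a From domain one
typo away from a trusted one. Trusted list and samples are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's own domain and a known supplier (constructed)
TRUSTED_DOMAINS = {"example.com", "partner-supplier.com"}

def domain_of(header_value):
    """Lower-cased domain part of an address header; '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def one_edit_apart(a, b):
    """True if a and b differ by exactly one inserted, deleted or replaced character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # keep a as the shorter (or equal-length) string
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:  # substitution if same length, else an extra char in b
            return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]
    return len(b) == len(a) + 1  # b has one extra trailing character

def check_headers(raw_message):
    """Return the names of the rules that fire for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    # A differing Reply-To is a review flag, not proof: lists and ticketing systems set it too.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    if from_dom not in TRUSTED_DOMAINS and any(one_edit_apart(from_dom, t) for t in TRUSTED_DOMAINS):
        findings.append("lookalike-domain")
    return findings

# Constructed sample: a CEO-fraud style message showing both tells
SUSPICIOUS = """From: CEO <ceo@examplee.com>
Reply-To: ceo@freemail.example.net
To: ap@example.com
Subject: Urgent wire

Please process this wire today.
"""
# Constructed sample: an ordinary internal message, no rule should fire
CLEAN = "From: CEO <ceo@example.com>\nTo: ap@example.com\nSubject: Lunch\n\nSee you at noon.\n"
```

Both rules are meant to route a message for human review, not to block it outright, since a differing Reply-To has legitimate uses.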
And as always, a security-aware culture begins with leadership and clear instructions. Reward employees for speaking up about their concerns and reporting possible attacks. Attacks and scams like business email compromises target people because humans are usually the weakest link – unless they are trained and educated about the latest threats.
solūt offers email phishing campaigns and security training that will demonstrate and educate your staff about what to look for with BEC emails and what to do if you receive one. Reach out to us today to discuss how solūt can help you.