Everything you need to know about business email compromise

Business Email Compromise (BEC) has become a significant threat to organisations, ranking among the most financially devastating online crimes. These fraudulent emails are designed to impersonate trusted sources, making their requests appear legitimate. As BEC tactics grow more sophisticated, they present an increasing challenge for both cybersecurity professionals and frontline employees.

In this article, we will explore Business Email Compromise (BEC), supported by relevant data and examples, and offer the top eight tips to help mitigate this growing cyber risk.

What is Business Email Compromise?

Business Email Compromise (BEC) is a form of cybercrime where attackers use deceptive emails to trick individuals into sending money or revealing confidential company information.

For example, a company’s CFO receives an email that appears to be from the CEO, who is traveling at the time. The email urgently requests a wire transfer to a new vendor’s account to secure a critical overseas deal. The message is convincing, using the CEO’s tone and style, and even referencing specific details about the ongoing project.

Believing the request to be legitimate, the CFO authorises the transfer. However, during a routine financial review days later, the CFO discovers that the CEO never made the request. The funds had been transferred to an offshore account, and despite efforts to recover the money, it was too late, resulting in a significant financial loss.

Reading the above example you might be thinking “well how did the scammer gain access to the information needed?” Well, scammers use various methods to gather the information needed to execute a Business Email Compromise (BEC) scam effectively.

Here are some common methods they might employee:

1. Phishing and Spear Phishing: Scammers send phishing emails to employees, attempting to trick them into revealing login credentials or other sensitive information.
   
   
2. Social Engineering: Scammers use social engineering techniques, such as posing as a trusted partner or colleague over the phone or in email communications, to extract information from employees. They might ask questions that seem routine but are designed to gather details about the company operations, personnel, or financial practices.
   
   
3. Publicly Available Information: Scammers often exploit information that companies or executives share publicly, such as on social media, company websites, or press releases. Details about key personnel, ongoing projects, or business relationships can help scammers craft convincing fraudulent emails.
   
   
4. Email Spoofing: By manipulating the “From” field in the email header, scammers can make an email appear to come from a trusted source, such as an executive or business partner. This technique is often combined with information gathered from other sources to make the scam more believable.
   
   
5. Data Breaches: If a company or one of its partners has experienced a data breach, scammers may obtain sensitive information such as email addresses, financial details, or internal communications. This data can be used to impersonate employees or understand the company’s processes.
   
   
6. Reconnaissance and Monitoring: Scammer may monitor a company’s email communications over time, especially if they’ve already gained access to an employee’s account. This allows them to study communication patterns, identify key personnel, and learn about ongoing projects or financial transactions, making the fraudulent requests more convincing.
   
   
7. Impersonation of Third Parties: Scammer might impersonate vendor, clients, or other third parties with whom the company does business. They might use fake invoices or create lookalike email addresses that closely resemble those of legitimate contacts, tricking employees into authorising payments or sharing sensitive information.

As you can see, it’s essential for every business to stay vigilant and proactive to avoid falling victim to scams like this.

Is Your Business Vulnerable?

The FBI's Internet Crime Complaint Centre, in their 2023 IC3 Report, emphasized that BEC continues to be a major threat to modern enterprises, with reported losses approaching $2.9 billion and nearly 21,489 incidents reported in 2023.

These attacks have impacted organisations of all sizes and across various industries in 177 countries. BEC threat actors are continually refining their tactics, making this one of the most significant threats that companies face today.

How to Protect Your Business

The internet is an incredible invention, but it also comes with risks. Even with minimal technical skills, personal details can be accessed quickly, and hackers are adept at piecing this information together to their advantage.

Below are the top eight tips to protect your business:

1. Implement Multi-Factor Authentication (MFA): Require MFA for accessing email accounts and other critical systems. This adds an extra layer of security beyond just passwords.
   
   
2. Conduct Regular Employee Training: Educate employees on recognising phishing attempts, suspicious email behaviours, and safe email practices. Regular training helps keep awareness high and reduces the risk of falling for scams.
   
   
3. Verify Requests for Financial Transactions: Establish a verification process for any requests involving financial transactions or sensitive information. This might include requiring confirmation through a phone call or separate communication channel.
   
   
4. Monitor and Analyse Email Traffic: Use email filtering and security solutions to monitor for unusual email patterns or behaviours. Implement systems to detect and block known phishing domains.
   
   
5. Enforce Strong Password Policies: Require strong, unique passwords for email accounts and other sensitive systems. Encourage regular password changes and avoid password reuse.
   
   
6. Implement Email Security Protocols: Use email authentication protocols such as SPF, DKIM, and DMARC to help verify the legitimacy of incoming emails and reduce the risk of spoofing.
   
   
7. Keep Software and Systems Updated: Ensure that all software, including security tools and other critical applications, is updated with the latest patches and security updates to protect against vulnerabilities.
   
   
8. Establish Incident Response Procedures: Develop and regularly update an incident response plan for dealing with suspected BEC attacks. Ensure that employees know how to report potential scams and that the company has a clear process for handling such incidents.

We offer a multi-layered approach to cybersecurity services that assist with your business's every need. Let us manage your security and keep your business out of harm’s way, so security comes off your to-do list and resides with us. It’s as simple as that.

Follow us: