Understanding Business Email Compromise: A Growing Threat to Businesses
In today’s digital age, email has become an indispensable tool for businesses worldwide. However, with its widespread use comes the risk of cyber threats, one of the most damaging being Business Email Compromise (BEC). BEC is the top known cybercrime in Australia, according to ASD’s Australian Cyber Security Centre (ACSC). BEC comes in different flavours; let’s unpack what we can do about this.
What is Business Email Compromise?
Business Email Compromise, or BEC, is a type of cybercrime where attackers impersonate a trusted figure within an organization to trick employees into transferring funds or sharing confidential information. These scams often involve carefully crafted emails that appear to come from a legitimate source, such as a CEO, vendor, or business partner.
How Do BEC Scams Work?
BEC scams come in a few varieties, but all follow a fairly consistent flow and aim at a similar outcome.
- Phishing: These are the most common spam emails, encouraging you to click on a hyperlink, reply to the message or act on some other call to action.
- Spoofing Email Accounts: Attackers create email addresses that closely resemble those of legitimate contacts. For example, they might use john.doe@company.com instead of john.doe@company.co.
- Spearphishing: These targeted emails are designed to look like they come from a trusted sender, tricking recipients into revealing sensitive information or making unauthorised transactions.
- Deploy Malware: Some BEC scams involve malware that infiltrates company networks, allowing attackers to monitor email threads, time their fraudulent requests perfectly and move laterally into your other business systems.
Common BEC Scenarios
- Fake Invoices: A scammer poses as a vendor and sends a fake invoice, requesting payment to a fraudulent account.
- CEO Fraud: The attacker impersonates a high-ranking executive, instructing an employee to transfer funds, purchase gift cards or conduct an urgent business activity.
- Account Compromise: Attackers gain access to an employee’s email account and use it to send fake invoices or requests to suppliers and/or customers.
The Impact of BEC
BEC scams can have devastating financial consequences for businesses. According to Scam Watch Australia, business losses are in excess of $5.3 million per year.
Beyond financial loss, these scams can also damage a company’s reputation and erode trust with clients and partners, which can be devastating to business growth.
Protecting Your Business
To safeguard against BEC, businesses should implement the following measures:
- Verify Requests: Always verify payment or sensitive information requests through a secondary communication channel, such as a phone call.
- Educate Employees: Regularly train employees to recognise phishing emails and suspicious requests, ideally using a cyber security awareness training platform so that known gaps in the business can be tracked.
- Use Multi-Factor Authentication: Implement multi-factor authentication on email accounts to add an extra layer of security and prevent account compromise.
- Quality Anti-Spam and Email Monitoring: Keep an eye on email account activity for any unusual or unauthorised access, and ideally block known threats before they reach your mailbox.
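As an added defender-side example (not code from the original post), here is the kind of lookalike check that sits behind the "Spoofing Email Accounts" point above and the "Monitor Email Activity" measure: a small Python filter that compares each sender's domain with a list of trusted partner domains and flags near-misses such as the company.co / company.com pair mentioned above. The trusted list, the sample sender addresses and the homoglyph table are constructed assumptions.

```python
# Added example (not from the original post): flag sender domains that
# look like a trusted partner's domain but are not an exact match.
# The trusted list and the sample senders below are constructed.

import re

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Characters commonly substituted to mimic a legitimate name (assumed table);
# fold them before comparing so vend0r and vendor compare equal.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def _fold(label: str) -> str:
    # "rn" and "vv" are folded because they visually pass for "m" and "w".
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def sender_domain(address: str) -> str:
    """Extract the domain from a From: value such as 'John <john.doe@company.co>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else ""

def classify_sender(address: str, trusted_domains: set[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    if domain in trusted_domains:
        return "trusted"
    name = _fold(domain.split(".")[0])
    for good in trusted_domains:
        good_name = _fold(good.split(".")[0])
        # Same organisation label with a different suffix (company.co vs company.com),
        # or a label within two edits of a trusted one (cornpany.co, compnay.co).
        if name == good_name or _edit_distance(name, good_name) <= 2:
            return "lookalike"
    return "unknown"

# Constructed trusted list: the post's legitimate domain is company.co.
TRUSTED = {"company.co", "vendor-supplies.com.au"}

if __name__ == "__main__":
    for sender in ["John Doe <john.doe@company.co>", "John Doe <john.doe@company.com>",
                   "accounts@vend0r-supplies.com.au", "noreply@unrelated.example"]:
        print(f"{sender:40} -> {classify_sender(sender, TRUSTED)}")
```

A "lookalike" verdict is a prompt for the secondary-channel verification described above, not proof of fraud, since the folding rules will occasionally match an innocent domain.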
Conclusion
Business Email Compromise is a serious threat that requires vigilance and proactive measures to combat. By understanding how these scams work and taking steps to protect your organisation, you can reduce the risk of falling victim to BEC and safeguard your business’s financial and reputational well-being.
We recommend the following guardrails:
- Ask for help and guidance. Programs like the Australian government-funded Cyber Warden program are a great starting point.
- Protect your people with education and a cyber security awareness training platform to track progress.
- Protect your mail server with an anti-spam service, even and especially for Microsoft 365.
- Protect your people with identity or MFA protection.
- Get independent verification. Sometimes an objective third party can provide the ‘yardstick’ to measure your level of success.