Protect Your Business from Email Compromise
Earlier this month, the FBI’s Internet Crime Complaint Center released its annual Internet Crime Report for 2020. Unsurprisingly, the report documented a staggering increase in cybersecurity issues across the volatile year. At the top of the list are targeted email scams—often referred to as business email compromise (BEC)—which last year cost Americans a whopping $1.8 billion in losses.
So What Is Business Email Compromise?
This broad term covers any kind of fraudulent email that tricks the recipient into clicking a link, sharing private login credentials, or approving an illicit transaction. Sometimes, hackers impersonate an existing third-party vendor and ask for a legitimate payment to be redirected to a new account. Other times, cyber thieves impersonate a member of a company’s executive suite (CEO or CFO, for instance) and request an urgent wire transfer or approval of another transaction.
The goal is usually the same, though: to collect sensitive information, encrypt a company’s data, or steal money. According to the FBI, hackers have become particularly adept at manipulating unsuspecting users via email. This can take the form of fraudulent COVID-19 vaccine alerts, fake invites to collaborate on a shared document, or requests to review important information in an infected file. Businesses and personnel using free open-source email often pose the easiest target for hackers, and personal email addresses often get compromised before business addresses.
But email scams come in many different shapes and sizes. Some closely mimic legitimate email addresses of company executives, and many are written well and specific to the business being victimized. In rare cases, some illicit emails often overlap with travel or out-of-office dates for executives whose accounts were spoofed.
How to Protect Your Business
Extra security measures can help to mitigate the impact of business email compromise. Despite the sophistication of such schemes, well-educated employees can serve as a first line of defense by employing the following cybersecurity strategies:
1. Incorporate dual approval and required phone calls.
Train your employees to add a second layer of protection to any requests that require critical information. This can be as simple as calling the sender—on a safe, known number—to verify the request. Or you can activate dual approval on business banking accounts so that two different employees have to approve financial transfers, particularly to a new beneficiary.
2. Learn how to identify warning signs.
Cybersecurity training can help your staff to cast any requests marked as urgent/secret in a pragmatic light. First, meticulously check sender addresses, subject lines, and body copy for any discrepancies. A spoofed email account may only have one letter different than a legitimate one—or only a single sentence may seem strange in the message itself. Paying close attention to these kinds of details can often mean the difference between a major crisis and a disaster averted.
3. Keep an eye on existing email chains.
Most people assume that an email scam can only arrive via a fresh conversation. But as hackers have gotten savvier, they’ve figured out ways to interrupt and manipulate existing email threads. Don’t let familiarity lull you into complacency—if something seems off in a message, double-check using one of the methods mentioned in step one. The same goes for email attachments, which can often infect or hijack your machine if an illicit one is opened.
4. Do not divulge personal, financial, or medical information.
This seems obvious, but one of the most dangerous characteristics of business email compromise is its ability to trick users into sharing sensitive information. Be especially wary of any requests for birth dates, account numbers, vaccine status, or other private details via email, text, or phone—especially if you don’t recognize the address, number, or voice of the person contacting you.
5. Double-check ALL links in emails before clicking on them.
To avoid clicking on a link that might take you to an infected website, hover over or right-click the link(s) and look for a legitimate URL that matches the one the email came from. If you see any long strings of jumbled numbers or letters, use caution and instead manually type in the website you’d like to visit. All it takes is one click on one bad link by one employee to compromise the data of your entire company.
6. Don’t use free, web-based email servers for business purposes.
Companies should establish their own trusted, secure domain and use email accounts that originate from it for official communications. A trusted provider like CMIT Solutions can help to affordably and efficiently set up such a system. Additionally, business email solutions include network analysis and proactive monitoring tools that regularly scan for malware and other illicit activity.
In the age of COVID-19 information overload, vaccine conspiracy theories, and endless scams, it isn’t easy to stop the threat of business email compromise. Succeeding at this critical cybersecurity task is vital to success, though—and is not a task you should undertake alone.
Contact CMIT Solutions today to find out how our proven security measures can help protect your employees, your data, and your company.