What are BEC frauds and how can they be avoided?

To commit business email compromise (BEC) fraud, a con artist poses as a senior manager, business partner, or supplier of a company and attempts to dupe an employee into sending money to the wrong destination. The rogue message is usually sent from a spoofed or previously compromised email account, which makes the deception more convincing. BEC is essentially a form of phishing aimed at businesses.

As corporate fraud awareness rises, bad actors continually tweak their strategies so that their frauds get through secure email gateways and stay under the radar of even the most attentive recipients. Untraceable cash-out methods involving gift cards and cryptocurrency have also become part of their operations security (OPSEC) routine. These techniques can be very effective when combined with cunning social engineering tricks that pressure victims into acting rashly.

In the year 2021 alone, the FBI reported losses of more than $4.2 billion due to cybercrime. Companies all across the globe should treat these alarming figures as a wake-up call to strengthen their defenses against the threat.

While the common denominator in all BEC hoaxes is the desire to gain money and get away with it, how this is accomplished differs. The exploitation can be broken down into three main scenarios.


Invoices that aren’t authentic

In this traditional ruse, an attacker requests a wire transfer on behalf of a business the target company works with, such as a managed service provider (MSP) or a supplier. The story usually revolves around a purported change in the impersonated company's banking details.


Whaling


In this scheme, also known as CEO fraud, a criminal impersonates a person who occupies an executive-level position in the firm. It is frequently preceded by a spear-phishing attempt that ends with the victim's email account being taken over; criminals may also exploit credentials exposed in a data breach to get into an account. The impersonator then contacts finance department staff, requesting immediate payment for fictitious services.


Making contact with business connections


Fraudsters may attempt to broaden the scope of the attack by going after a victim's partners and contractors, whose contact details and other sensitive information were gathered during the first assault. In this scenario, sending a shady wire transfer request from a legitimate email account belonging to an employee of the initial victim is a sure-fire way to simulate authenticity.


Make sure your company isn’t a low-hanging fruit for BEC con artists.


Because this sort of attack relies on social engineering, security awareness is critical to preventing the worst-case situation. Most of these frauds can be avoided by combining safe online habits among your workers with automated protection technologies such as Internet security software, spam filters, and secure email gateways. Let's take a closer look at these measures.

Don't run your business on free web-based email. These services are appealing because they cost nothing, but there is a catch: cybercriminals can easily spoof such addresses. A far better approach is to host corporate accounts on your company's own domain. Besides making this sort of foul play harder, it is one of the building blocks of a trustworthy brand and part of corporate communication done correctly.

Be cautious with messages from people you don't know. If you get an email from a stranger instructing you to click a link or download a file, delete it immediately and carry on with your day.

Take a close look at the sender's address. When impersonating a trustworthy individual or corporation, a phisher may use an email address that differs only slightly from the authentic one. To spot a scam, look for misspellings, swapped letters, and extra characters in the address.

Develop the prudence of your team. Setting up a security awareness campaign is a worthwhile investment. It will educate your coworkers on how to spot warning signs while using public Wi-Fi, websites, emails, and documents.

Think twice before using the "Reply" button. If you're discussing a sensitive subject over email, consider using "Forward" instead of "Reply". This forces you to type the recipient's address or pick it from your address book, which removes the chance of replying straight to a charlatan posing as someone you trust.

Use two-factor authentication (2FA) to your advantage. This feature keeps unwanted users out of your company's email accounts. When it's turned on, the password alone isn't enough: without a second factor, such as biometric data or a one-time code sent to your smartphone, access is impossible.

Keep an eye on your email server's settings. Ask your IT department to stay on top of any changes to the server's configuration or to the mail-flow rules that apply to essential accounts.

Be cautious with money transfer requests. Even if it appears to come from your employer, always double-check the veracity of any email that instructs you to wire money to a third party. A brief phone call may help you cross your t's and dot your i's, and if you work in the same building, there's no harm in walking over and asking. Raise the bar for approving large payments: involving a second person in the approval of wire transfers above a specific threshold is a smart idea.

Set up your email server to show a warning banner in messages received from outside the company. This should prompt people to take a closer look before acting.

Don't put too much personal information on the internet. Before launching a BEC scam, crooks usually do extensive research, gathering information on their targets from publicly accessible sources such as social media and personal blogs. It is therefore in your best interest to limit the kind of sensitive information you publish on these platforms.
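The sender-address check described above (misspellings and extra characters in a look-alike address) and the external-sender banner can both be expressed as simple message-inspection logic. The following Python script is an added example written for this article, not code from the original post; the trusted-domain list, the confusable-character table and the three sample messages are all constructed for illustration, and the banner function only shows what a mail-server rule would do to the subject line.

```python
"""Sender-address checks for incoming mail (added example, not from the original post).

TRUSTED_DOMAINS is an assumed allow-list; the sample messages below are constructed.
"""
import email
import unicodedata
from email import policy
from email.utils import parseaddr

# Assumed allow-list: the organisation's own domain plus a known partner domain.
TRUSTED_DOMAINS = {"example.com", "partner-example.com"}

# Constructed subset of character swaps commonly seen in look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents, and fold digit/letter look-alikes so that
    'examp1e.com' compares equal to 'example.com'."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header."""
    addr = parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> dict:
    """Flag external senders, look-alike domains and Reply-To mismatches."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"] or "")
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    external = from_domain not in TRUSTED_DOMAINS
    if external:
        findings.append("external sender")
        norm = normalize_domain(from_domain)
        for trusted in TRUSTED_DOMAINS:
            if norm == normalize_domain(trusted) or edit_distance(from_domain, trusted) <= 1:
                findings.append(f"lookalike of {trusted}")
                break
    if reply_domain != from_domain:
        findings.append(f"Reply-To points to {reply_domain}")
    return {"from_domain": from_domain, "external": external, "findings": findings}


def subject_with_banner(raw: str) -> str:
    """Prefix the subject the way an external-sender banner rule on the server would."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    return f"[EXTERNAL] {subject}" if check_message(raw)["external"] else subject


# Constructed sample: CEO-fraud style message from a look-alike domain (digit 1 for l).
SAMPLE_LOOKALIKE = """From: "CEO" <ceo@examp1e.com>
To: finance@example.com
Subject: Urgent wire transfer

Please wire the payment today.
"""

# Constructed sample: ordinary internal message.
SAMPLE_INTERNAL = """From: finance@example.com
To: staff@example.com
Subject: Monthly report

Attached as usual.
"""

# Constructed sample: trusted partner domain, but replies are diverted elsewhere.
SAMPLE_REPLYTO = """From: supplier@partner-example.com
Reply-To: supplier@mail-partner.net
To: finance@example.com
Subject: New bank details

Please update our account on file.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_INTERNAL, SAMPLE_REPLYTO):
        print(subject_with_banner(sample), check_message(sample))
```

Running the script prints one line per sample: the look-alike message is tagged external and matched to example.com, the internal message produces no findings, and the partner message is caught only by its diverted Reply-To, which is exactly the case the "use Forward instead of Reply" advice guards against.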

Understand the intricacies of your business area. This will help you distinguish valid emails from those that have nothing to do with your daily activity.

Make use of technology. Anti-fraud features in modern Internet security programs are backed by comprehensive databases of actively circulating phishing templates. Such tools add an extra layer of protection to your BEC prevention efforts.
