Business Email Compromise

Business email compromise (BEC) is a significant cyber threat that targets businesses, government and state entities, and other organizations. In Florida and across the country, companies lose millions of dollars annually to BEC scammers. These criminals employ deception and social engineering techniques to convince employees to wire large sums of money to bank accounts controlled by fraudsters.

The Threat of BEC Scams

BEC schemes are often sophisticated and executed by transitional organized crime groups. These groups may involve linguists, lawyers, hackers, and experienced social engineers. Their tactics include reconnaissance, phishing campaigns, and creating fake email addresses that resemble legitimate business emails. By tricking unsuspecting employees, particularly those in finance or accounting, these criminals manipulate their victims into transferring large sums of money, often to overseas accounts.

Characteristics and Steps of a BEC Attack:

-          Target Selection and Reconnaissance

The criminals identify a business to target and gather publicly available information about the company's net worth, employee listings, and executive profiles.

-          Phishing and Network Intrusion:

Attackers may use phishing emails aimed at finance or accounting employees to access the company's network. Alternatively, they might make direct phone calls to establish rapport with potential victims.

-          Deception and Impersonation:

Fraudsters often create email addresses that closely mimic legitimate business emails. They may impersonate senior executives or vendors to make their requests appear credible.

-          Executions of the Scam:

Once trust is established, the scammers request funds transfer to accounts they control under the guise of legitimate business transactions.

 

How to Protect Your Business Against BEC Scams:

Implementing robust cybersecurity practices and staying vigilant can help you defend against BEC threats. Here are several practical steps to safeguard your organization.

Scrutinize Email Requests:

-          Always verify requests for funds transfers, especially if they seem out of the ordinary or urgent. Compare invoices against records to ensure goods and services were provided.

-          Tip: Cross-check unusual payment requests with a trusted colleague or use a different communication method to verify the legitimacy.

Enable Email Security Features:

-          Configure your email server to flag emails from external sources and display warnings.

-          Tip: Use email filtering and spam detection technologies to block suspicious emails before they reach employees.

Implement Domain Similarity Checks:

-           Set up rules in your email system to flag messages with domains that resemble your company's domain but are slightly different (e.g., "abc-company.com" vs. "abccompany.com").

-          Tip: Regularly monitor and analyze incoming email domains for subtle variations that could indicate phishing attempts.

Verify Changes in Payment Details:

-          When vendors request changes in their payment information, verify these changes by contacting them through a known, official channel rather than relying on the email request.

-          Tip: Use a multi-factor verification process to confirm any changes to payment details.

Diversify Communication Channels:

-          Don't rely solely on email for critical communications, especially those involving financial transactions. Use phone calls or in-person meetings to confirm necessary details.

-          Tip: Establish a protocol for secondary verification methods for sensitive communications.

Strengthen Authentication Processes:

-          Add layers of authentication by requiring secondary signoffs for all significant monetary transactions.

-          Tip: Use multi-factor authentication (MFA) to enhance security for access to financial systems.

Provide Social Engineering Awareness Training:

-          Educate employees regularly about the tactics used in BEC scams and other forms of social engineering. This training should include recognizing suspicious emails and what actions to take if they receive one.

-          Tip: Conduct simulated phishing exercises to test and reinforce employees' ability to identify and respond to phishing attempts.

Staying Ahead of BEC Threats

BEC scams are continually evolving, making them a persistent threat. However, by understanding the nature of these scams and implementing comprehensive security measures, businesses can reduce their risk of falling victim to BEC. Always remain vigilant, verify unusual requests, and employ a multi-layered approach to cybersecurity to protect your organization from these costly attacks.