Business email compromise (BEC) is a significant cyber threat that targets businesses, government and state entities, and other organizations. In Florida and across the country, companies lose millions of dollars annually to BEC scammers. These criminals employ deception and social engineering techniques to convince employees to wire large sums of money to bank accounts controlled by fraudsters.
BEC schemes are often sophisticated and executed by transnational organized crime groups. These groups may involve linguists, lawyers, hackers, and experienced social engineers. Their tactics include reconnaissance, phishing campaigns, and creating fake email addresses that resemble legitimate business emails. By tricking unsuspecting employees, particularly those in finance or accounting, these criminals manipulate their victims into transferring large sums of money, often to overseas accounts.
Implementing robust cybersecurity practices and staying vigilant can help you defend against BEC threats. Here are several practical steps to safeguard your organization.
Scrutinize Email Requests:
- Always verify requests for funds transfers, especially if they seem out of the ordinary or urgent. Compare invoices against records to ensure goods and services were provided.
- Tip: Cross-check unusual payment requests with a trusted colleague or use a different communication method to verify the legitimacy.
Enable Email Security Features:
- Configure your email server to flag emails from external sources and display warnings.
- Tip: Use email filtering and spam detection technologies to block suspicious emails before they reach employees.
Implement Domain Similarity Checks:
- Set up rules in your email system to flag messages with domains that resemble your company's domain but are slightly different (e.g., "abc-company.com" vs. "abccompany.com").
- Tip: Regularly monitor and analyze incoming email domains for subtle variations that could indicate phishing attempts.
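The two mail-gateway checks above (flag messages from outside the organization, and flag sender domains that resemble the company's own) as an added example in Python; this is illustration code written for this page, not code from the original article. The company domain, the confusable-character table, the similarity thresholds and the sample messages are all assumptions constructed for the example. It goes a little beyond the single hyphen example in the text: it also catches a swapped TLD, one- or two-character typos, "rn" for "m" style substitutions, Cyrillic homoglyphs, and the company name embedded inside a longer attacker domain.

```python
"""Flag external and lookalike sender domains on inbound mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organization domain for this example.
COMPANY_DOMAIN = "abccompany.com"

# Visually confusable characters mapped to the ASCII letter they imitate:
# a few digits and Cyrillic letters, plus two digraphs ("rn" looks like "m", "vv" like "w").
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and decode punycode (xn--) labels back to Unicode."""
    domain = domain.strip().lower().rstrip(".")
    try:
        # bytes.decode("idna") expands "xn--" labels; plain ASCII labels pass through.
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already raw Unicode in the header, or not decodable


def skeleton(label: str) -> str:
    """Reduce a label to a 'skeleton' so visually similar spellings compare equal."""
    label = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in label)
    for pair, single in CONFUSABLE_PAIRS.items():
        label = label.replace(pair, single)
    return re.sub(r"[-_.]", "", label)   # "abc-company" -> "abccompany"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(sender_domain: str, company_domain: str = COMPANY_DOMAIN,
                    max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    sender = normalize_domain(sender_domain)
    company = normalize_domain(company_domain)
    if sender == company or sender.endswith("." + company):
        return "internal"
    # Compare the label just left of the TLD. Deliberately simple: suffixes such
    # as .co.uk would need a public-suffix list, and max_distance must be tuned
    # to the length of the company name (2 is far too loose for a 3-letter brand).
    sender_labels, company_labels = sender.split("."), company.split(".")
    sender_sld = sender_labels[-2] if len(sender_labels) >= 2 else sender_labels[0]
    company_sld = company_labels[-2] if len(company_labels) >= 2 else company_labels[0]
    s_skel, c_skel = skeleton(sender_sld), skeleton(company_sld)
    if s_skel == c_skel:                                  # TLD swap, hyphen, homoglyphs
        return "lookalike"
    if edit_distance(s_skel, c_skel) <= max_distance:     # typosquat
        return "lookalike"
    if c_skel in skeleton(sender):                        # brand embedded in another domain
        return "lookalike"
    return "external"


def triage(raw_message: str, company_domain: str = COMPANY_DOMAIN) -> tuple:
    """Parse a raw RFC 5322 message and return (verdict, subject with warning tag)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    verdict = classify_domain(domain, company_domain) if domain else "external"
    tags = {"internal": "", "external": "[EXTERNAL] ",
            "lookalike": "[WARNING: LOOKALIKE DOMAIN] "}
    return verdict, tags[verdict] + msg.get("Subject", "")


# Constructed sample messages for the demonstration (not real traffic).
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@abccompany.com>\nSubject: Q3 budget\n\nHi all,\n",
    "From: Accounts Payable <ap@abc-company.com>\nSubject: Updated bank details\n\nWire to the new account.\n",
    "From: CFO <cfo@abccompany.co>\nSubject: Urgent wire\n\nNeed this today.\n",
    "From: AP <ap@abccornpany.com>\nSubject: Invoice 4471\n\nAttached.\n",
    "From: Portal <noreply@abccompany.com.invoice-portal.net>\nSubject: Sign in\n\nLink inside.\n",
    "From: Supplier <billing@supplierinc.net>\nSubject: Invoice\n\nSee attached.\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        verdict, subject = triage(raw)
        print(f"{verdict:10} {subject}")
```

In production this logic belongs in the gateway's header-rewriting or quarantine rule rather than a script, and the "external" tag should be applied by the gateway itself so a sender cannot pre-insert the tag to look vetted. The skeleton comparison is meant to over-flag: a warning banner on a legitimate partner's mail costs little, while a missed lookalike on a payment-change request costs the wire.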
Verify Changes in Payment Details:
- When vendors request changes in their payment information, verify these changes by contacting them through a known, official channel rather than relying on the email request.
- Tip: Use a multi-step verification process to confirm any change to payment details, such as a call-back to a phone number already on file for the vendor, never one supplied in the email that requested the change.
Diversify Communication Channels:
- Don't rely solely on email for critical communications, especially those involving financial transactions. Use phone calls or in-person meetings to confirm necessary details.
- Tip: Establish a protocol for secondary verification methods for sensitive communications.
Strengthen Authentication Processes:
- Add layers of authentication by requiring secondary signoffs for all significant monetary transactions.
- Tip: Use multi-factor authentication (MFA) to enhance security for access to financial systems.
Provide Social Engineering Awareness Training:
- Educate employees regularly about the tactics used in BEC scams and other forms of social engineering. This training should include recognizing suspicious emails and what actions to take if they receive one.
- Tip: Conduct simulated phishing exercises to test and reinforce employees' ability to identify and respond to phishing attempts.
BEC scams are continually evolving, making them a persistent threat. However, by understanding the nature of these scams and implementing comprehensive security measures, businesses can reduce their risk of falling victim to BEC. Always remain vigilant, verify unusual requests, and employ a multi-layered approach to cybersecurity to protect your organization from these costly attacks.