Business Email Compromise (BEC) is a type of email cybercrime in which attackers impersonate the owner of an email account in an effort to defraud a company. The attack, which is increasing in prevalence, often looks to obtain funds or credentials.
Global losses from BEC attacks have increased by 17% from December 2021 to December 2022, reports the FBI’s Internet Crime Complaint Center (IC3). From October 2013 to December 2022, the IC3 recorded over $50 billion in global losses due to BEC attacks. Another report showed that employees opened nearly 30% of the fraudulent BEC emails they received in the first half of 2023, and 15% of those replied to the email.
In 2019, Toyota suffered a $37-million BEC attack after hackers convinced an employee to pay funds into a fraudulent account. More recently, in 2021, cybercriminals siphoned off $650,000 from a San Francisco non-profit through a coordinated BEC attack that left legitimate suppliers unpaid while criminals walked off with the loot.
Protecting your organization from BEC attacks is crucial to avoid potentially huge financial losses. Let’s see how you can defend against them.
What is BEC, exactly?
Strictly speaking, BEC attacks are cyber criminals attempting to gain access to a legitimate email account and then impersonating the account holder – usually to demand the transfer of funds. Emails sent from a fake email account impersonating someone from the company can also be considered a BEC attack.
Additionally, BEC attacks can be used for data theft, such as obtaining schedules from key employees as well as straightforward financial theft. This often includes the use of:
- Fake invoices: Impersonators pretend to be a vendor or legal service and send fake invoices, demanding they get paid urgently.
- CEO fraud: Impersonators pretend to be a CEO and then demand that finance wire funds to the CEO’s account.
BEC emails often target unsuspecting employees with access to payment systems.
What organizations can do to prevent BEC attacks
There are a number of tools, policies, and practices that can help, including email filtering and security software
BEC attacks are a form of phishing attack, so tools that detect and prevent phishing can also be used against BEC attacks.
Advanced email filtering tools use algorithms and machine learning to detect BEC emails. They analyze patterns, the authenticity of the sender’s domain, and email content to identify potential threats.
Multi-factor authentication (MFA)
Whether a BEC starts by taking over a legitimate email account or looks to harvest login credentials, MFA can help.
Requiring MFA to be implemented across email and all other accounts prevents hackers from simply using email/password combinations to compromise accounts.
Implementing Security Measures in Finance Systems and Tools
Financial platforms and tools should have automated security measures enabled to prevent funds from flowing into the wrong person’s hands. This includes MFA as well as additional verification/approval methods. In that way, multiple parties must approve outgoing payments or new payment accounts to make sure an unsuspecting employee isn’t blindly connecting unauthorized accounts to payment systems.
Enforcing policies to prevent BEC attacks
Because BEC attacks typically use legitimate email accounts or spoofed accounts with more sophisticated methods behind them, they’re less likely to be flagged than phishing emails. Internal policies and procedures are crucial for preventing BEC attacks.
Transaction verification procedures
Implement transaction verification procedures, especially for those involving significant amounts or changes to payment details. This might include verbal confirmation, even a face-to-face meeting for extremely large sums, or requiring multiple parties to authorize the release of funds.
With the advance of deep fake technology, the need to verify in-person is likely essential.
Enforce policies with software
Ideally, your accounting and payments software would enforce these policies. For example, whenever account details are changed, the software could block payments to that party until it receives confirmation from a supervisor that the new details have been manually verified.
Make BEC attacks a crucial part of security awareness training
The human element has been behind some of the largest data breaches in recent years. Regardless of how good your security tools and procedures are, employees can make mistakes, especially when they’re untrained.
Employee training and awareness is a crucial element in any comprehensive BEC mitigation strategy and should include “test BEC emails” to truly assess an employee’s ability to identify, flag, and prevent BEC attacks.
In-depth defense is the best way to minimize risk
BEC attacks depend on organizations being unprepared. By ensuring your company is cyber-resilient, has recovery techniques in place, and maintains a strong security culture, BEC attacks will be much less successful.
Attempting to achieve this in-house can be taxing and often requires multiple vendors to ensure all your cybersecurity needs are covered. The global shortage of cybersecurity professionals has added to the challenge of building a comprehensive in-house department, not to mention the large budget it would require.
A managed security program provider can help — they’re a single source of contact for the variety of expertise, tools, and policies required to set up comprehensive protection against BEC attacks and more. Managed security program providers employ the full gamut of cybersecurity professionals, and use sophisticated cybersecurity tools to protect clients. This is especially advantageous to small and mid-size businesses. By dividing the costs of these tools across clients, smaller companies can gain access to top-in-class protection at a fraction of the cost. SolCyber is one such managed security program provider. We offer all the necessary BEC protection tools and technologies. To learn more about SolCyber’s managed security program, contact us today for a no-obligation chat.