Flipping through emails during meetings or throughout the workday is something many people do without a second thought. Unfortunately, that habit can lead an employee to open the wrong kind of message: one that carries malware, a spoofed sender, or phishing content. Emails of this kind fall into the category of business email compromise (BEC) and spell danger for businesses and their clients.
What to Know about Business Email Compromise
Borrowing from the Federal Bureau of Investigation’s (FBI) business email compromise definition from a public service announcement, BEC, or what is also known as email account compromise (EAC), is described as “a sophisticated scam targeting both businesses and individuals performing wire transfer payments.” The announcement goes on to say that a BEC attack is also one that “involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.”
A business email compromise scam, or BEC attack, is a form of phishing. It occurs most frequently when a malicious user compromises legitimate business email accounts to facilitate fraudulent and illegal activity. They do this by implementing one or more tactics, including:
- Social engineering attacks such as phishing and spear-phishing;
- Computer intrusion techniques such as hacking; or
- Spoofing methods
According to the FBI’s PSA, between October 2013 and May 2018, business email compromise was responsible for 41,058 fraud complaints from U.S. victims, totaling more than $2.9 billion in exposed dollar loss. According to Barkly, “76% of organizations say they experienced phishing attacks in 2017” and that “53% of IT and security professionals… reported their organizations have experienced more advanced, targeted phishing attacks (spear phishing) in 2017.”
Here are a few things to know about the dangers of a BEC attack, and how you can protect yourself and your business from getting “hooked” by phishing emails:
The Sequence of a BEC Phishing Attack
Phishing emails typically include a hook, lure, and catch:
- The Hook: The hacker creates a malicious fake website that requests PII.
- The Lure: They then use an email to entice the user to click on a hyperlink that takes them to the disguised website where they give up their information.
- The Catch: The hacker uses the information they collected to masquerade as the victim.
The Most Common & Effective BEC Attack Phishing Lures
When it comes to lulling users into a false sense of security, hackers who employ business email compromise tactics will try virtually anything to get users to engage with their emails. One common method is using enticing or urgent topics in email subject lines to get users to click.
What are some examples of business email compromise scams? The more common BEC attack lures include:
- Emails from “colleagues” or “clients” about invoices or payments
- Notifications of password resets or changes
- Documents being ready for signature
- Alerts about password changes
- Notifications about accounts being deleted or canceled
- Order or delivery notifications
While there is no way to stop 100% of phishing attacks, there are steps you can take to help mitigate their success and minimize the damage to your business.
How to Protect Your Business from Phishing BEC Attacks
We’ve written about how users can prevent phishing attacks. However, we thought it would be helpful to come up with a few tips for mitigating BEC email threats:
- Develop and implement email and security solutions: This can include the creation and roll-out of computer use policies, email password protocols, and other security measures.
- Educate your employees: Implement cyber security awareness training programs and require everyone (including top leadership) to attend.
- Keep your employees up to date on the latest news: When new attack strategies or incidents come to light at similar companies, inform your employees so they can learn from those companies’ mistakes.
- Use multi-factor authentication: Use strong authentication to reduce your attack surface. At a minimum, use an enterprise-grade SSO solution and/or a password manager.
- Have employees route suspicious communications through appropriate channels: Should an employee receive an email requesting PII or credential information, have them report the email to the Human Resources (HR) and Information Technology (IT) teams.
Despite your best efforts, however, it still may not be enough. Symantec’s 2018 Internet Security Threat Report (ISTR) indicates that the average email user received 67 spam emails per month as of December 2017. If you have even just 10 employees, that’s 670 potential opportunities, on average, for hackers to be successful in a month and 8,040 opportunities in a year. If you have 100 employees — or if you’re in a major corporation with thousands of employees — imagine the number of business email compromise risks your organization faces every day.
And all it takes is one successful BEC attack to potentially cripple your organization.
Implement Email Security Measures to Combat BEC Attacks
While putting new security policies in place and training your employees to recognize threats are both beneficial, there is a more effective way to protect your business from business email compromise scams: using anti-phishing services.
Reliable, high-quality anti-phishing services assess your emails to determine whether they are threats. The ClearedIn platform takes it a step further and analyzes your company’s communications across multiple platforms — email and other channels such as Slack — using artificial intelligence (AI) and machine learning to build a model of your organization’s communications network. As new messages arrive, ClearedIn validates each one against this trust graph, which is based on the flow and frequency of past communications. It also checks embedded links and analyzes sender addresses for spoofing attempts.
When threats are detected, they are flagged and disarmed immediately. Users are also told why a message was labeled as a threat, so they can make an informed decision about whether to unlock it.
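As an added illustration (not ClearedIn’s code, only a toy version of the approach described above), the Python checker below builds a sender-to-recipient baseline from constructed past traffic and then flags the signals this article lists: a first-time sender, a display name borrowed from a known contact, a lookalike domain, urgent payment or credential language, and a link whose visible text disguises its real host. The message history, contact directory and sample emails are all constructed for the example.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Constructed baseline: past (sender, recipient) pairs the organization has seen.
HISTORY = [("jane.doe@example.com", "bob@example.com")] * 2 + [("billing@vendor.test", "bob@example.com")]
KNOWN_NAMES = {"Jane Doe": "jane.doe@example.com"}        # constructed contact directory
TRUSTED_DOMAINS = {"example.com", "vendor.test"}
URGENT_WORDS = {"urgent", "wire", "invoice", "payment", "w-2", "password"}
LINK_RE = re.compile(r'<a href="https?://([^/"]+)[^"]*">([^<]*)</a>', re.I)

# Constructed samples: a routine note and a lookalike-domain wire request.
CLEAN = {"from": "jane.doe@example.com", "to": "bob@example.com", "name": "Jane Doe",
         "subject": "Lunch", "body": "See you at noon."}
SPOOF = {"from": "jane.doe@examp1e.com", "to": "bob@example.com", "name": "Jane Doe",
         "subject": "Urgent: wire transfer",
         "body": 'Pay now: <a href="http://examp1e.com/login">https://example.com/login</a>'}

def build_trust_graph(history):
    """Count how often each sender->recipient pair occurred; this is the trust baseline."""
    return Counter((s.lower(), r.lower()) for s, r in history)

def lookalike_domain(domain, trusted):
    """True for a domain that is nearly, but not exactly, a trusted one (e.g. examp1e.com)."""
    return any(domain != t and SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in trusted)

def analyze(msg, graph, known_names=KNOWN_NAMES):
    """Return the reasons a message looks like a BEC lure; an empty list means no finding."""
    sender, rcpt = msg["from"].lower(), msg["to"].lower()
    domain = sender.rsplit("@", 1)[-1]
    reasons = []
    if graph.get((sender, rcpt), 0) == 0:          # these two have never exchanged mail
        reasons.append("first contact between sender and recipient")
    expected = known_names.get(msg["name"])
    if expected and expected != sender:             # display name borrowed from a known contact
        reasons.append(f"display name belongs to {expected}, not {sender}")
    if lookalike_domain(domain, TRUSTED_DOMAINS):
        reasons.append(f"lookalike domain {domain}")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if reasons and any(w in text for w in URGENT_WORDS):  # urgency only counts from an untrusted sender
        reasons.append("urgent financial or credential request from untrusted sender")
    for host, label in LINK_RE.findall(msg["body"]):    # visible link text that hides the real host
        m = re.search(r"https?://([^/\s]+)", label)
        if m and m.group(1).lower() != host.lower():
            reasons.append(f"link text {m.group(1)} points to {host}")
    return reasons
```

Running `analyze(SPOOF, build_trust_graph(HISTORY))` returns five findings, while the routine note from a known sender returns none.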