It goes by many names: CEO fraud, W-2 phishing, email account compromise, business email spoofing, man-in-the-email scams. No matter what you call it, Business Email Compromise (BEC) is a real and growing threat, especially among small and medium-sized businesses (SMBs). Here, we look at what you need to know about BEC scams to help you protect your business.
What is Business Email Compromise?
Let’s start with the basics. What is Business Email Compromise and how do you recognize if it’s happening? BEC is a type of email scam based on the concept of social engineering. Attackers are trying to exploit a shared weakness of every business: its people. BEC is a manipulation tactic in which attackers pose as someone known or trustworthy in an attempt to solicit access or information. Many BEC scammers have even been found to research and closely monitor their target victims and organizations leading up to the attack. Most often, attackers try to steal money, data, and other confidential employee or customer information.
BEC is a growing and evolving threat (the FBI posted a warning about the rise of BEC two years ago), especially among SMBs. The last two years saw a 136% increase in losses from BEC scams, which have been reported in all 50 states. BEC victims reported $1.3 billion in losses in 2018, almost twice the amount from the prior year; by mid-year 2019, BEC attacks targeted more than 6,000 businesses each month.
How does a Business Email Compromise scam work?
Often, the BEC attack follows one of two paths. In one scenario, an employee with access to accounts gets an urgent email request to transfer or wire money; it includes details on how to route the data or money, and it appears to come from a recognized individual at the leadership level, or, sometimes, from a vendor. In another scenario, the attackers will spoof someone in payroll or HR for personal or financial information, such as W-2s; identity theft can be a common component of this second scenario.
BEC happens when the scammer poses as a trusted individual with a legitimate business request. BEC attacks are highly targeted, sent in low volumes, and aimed at specific people.
The scams are hard to identify and, to the target, they may seem like a normal and harmless day-to-day request. Remember, scammers, who want to circumvent tight network controls, research the best ways to take advantage of human vulnerabilities.
Once someone has “taken the bait”, the scammers use whatever foothold they have gained, whether a spoofed or compromised mailbox, credentials captured by a keylogger, or a follow-up phishing message, to complete the fraudulent transfer.
How can I protect my business?
BEC scams are dangerous and difficult to thwart because of their sophisticated, targeted, and manipulative nature; protecting your business will require not just a prepared workforce, but also a thorough review of your business and IT processes and improved incident management.
Arm Your Front Line of Defense
One of the most effective ways to prevent a BEC scam is to train your employees to spot it in the first place, and to keep them informed of the latest BEC tactics. Because scammers deliberately craft messages to look routine, no single sign is conclusive, but there are patterns worth teaching: subject-line keywords like payment, transfer, and urgent; a sender whose display name matches an executive while the actual address or domain does not; a Reply-To address that differs from the From address; and pressure to act immediately and quietly. Staff should also know the main types of BEC scam: fake invoices (often aimed at companies with foreign suppliers), CEO fraud or attorney impersonation, compromised accounts, and data theft. Keep in mind that many BEC emails carry no attachment or link at all, so filters that only look for malware will not catch them. The most reliable check is procedural: any request to move money or send sensitive data is verified through a known phone number or in person, never by replying to the email itself.
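To make the signs above concrete, here is a small header-triage script. It is an added example, not code from the original post or from N8 Solutions, and it assumes a hypothetical internal domain (example.com), a hypothetical executive roster, and constructed sample messages. It scores a message on the indicators the paragraph lists: an executive's display name paired with the wrong mailbox, a lookalike sender domain, a Reply-To that diverges from From, an internal From address that did not pass DMARC, and urgency keywords in the subject.

```python
"""
Lightweight BEC triage for inbound email headers (added example).
Assumes a constructed executive roster and constructed sample messages;
none of the addresses or domains below are real.
"""
import email
import re
from email.utils import parseaddr

# Hypothetical roster: people attackers like to impersonate and the only
# mailbox each one is allowed to send from.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
}
INTERNAL_DOMAINS = {"example.com"}

# Subject-line keywords the post calls out as common in BEC lures.
URGENCY_WORDS = re.compile(r"\b(payment|transfer|wire|urgent|invoice|w-2|w2)\b", re.I)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain: str) -> bool:
    """True when the domain is not ours but is within one edit of an internal domain."""
    if not domain or domain in INTERNAL_DOMAINS:
        return False
    return any(_edit_distance(domain, d) <= 1 for d in INTERNAL_DOMAINS)


def triage(raw: str) -> dict:
    """Parse one RFC 5322 message and return the BEC signals that fired."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    from_dom = _domain(from_addr)
    signals = []

    # 1. Display name looks like an executive, but the mailbox is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        signals.append("exec_display_name_wrong_mailbox")
    # 2. Sender domain is a near-miss of one of ours.
    if _lookalike(from_dom):
        signals.append("lookalike_domain")
    # 3. Replies would go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        signals.append("reply_to_mismatch")
    # 4. Claims to be internal but did not pass DMARC at our gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom in INTERNAL_DOMAINS and "dmarc=pass" not in auth:
        signals.append("internal_from_without_dmarc_pass")
    # 5. Money or urgency language in the subject.
    if URGENCY_WORDS.search(subject):
        signals.append("urgency_keyword")

    return {"from": from_addr, "score": len(signals), "signals": signals}


# Constructed sample messages (not real traffic).
SAMPLES = {
    "ceo_fraud": (
        "From: Jane Doe <jane.doe@examp1e.com>\r\n"
        "Reply-To: jane.doe.ceo@mail-relay.invalid\r\n"
        "To: accounts@example.com\r\n"
        "Subject: Urgent wire transfer before 3pm\r\n"
        "\r\n"
        "Are you at your desk? I need a payment processed today.\r\n"
    ),
    "legit": (
        "From: Jane Doe <jane.doe@example.com>\r\n"
        "To: accounts@example.com\r\n"
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\r\n"
        "Subject: Board deck draft\r\n"
        "\r\n"
        "Attached is the draft for Thursday.\r\n"
    ),
}


def run_samples() -> dict:
    """Score every constructed sample; returns {name: score}."""
    return {name: triage(raw)["score"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The constructed CEO-fraud sample trips four of the five checks (wrong mailbox, lookalike domain, mismatched Reply-To, urgency keyword), while the legitimate message scores zero. In practice the score would feed a mail-flow rule that tags or quarantines the message and, more importantly, prompts the recipient to verify the request out of band.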
It’s also important to educate employees at all levels of the business. While CEOs remain the most impersonated position, many experts have predicted that as BEC scams become more sophisticated (and profitable), they’ll increasingly target people in other, lower positions, such as accounts payable clerks and HR staff, who actually move money and data. In short, your business is a target, and so are all of your people.
Keep your trainings brief, frequent, and focused. In addition to offering concrete examples and best practices, help your employees make a connection between risk and the impact a breach could have on the company and your operations. Lastly, remember that cybersecurity training never ends, especially since nefarious actors continually find new attack vectors. Create monthly communications, like a newsletter, to keep employees educated on emerging topics. And, make sure that all staff know what to do and who to contact if they suspect a scam has occurred. For more, please see this previous post on cybersecurity training tips for your employees.
Review (and Improve) your Business Processes
Another strategy to reduce the risk of a BEC scam is to thoroughly catalog and review your business processes. This includes reviewing existing procedures like separation of duties for financial transfers and other transactions, such as sending sensitive data in bulk to outside entities or handling legitimately urgent email requests.
Think of this as a coat of armour. Recall that BEC attacks target humans and human flaws. Clear and robust communication and transactional policies mean that a single deceived employee cannot, on their own, complete a fraudulent transfer. Also, keep in mind that separation of duties and other protections can be undermined over time, whether by insider threats or by exceptions that quietly become routine; plan to review your business processes regularly.
The review should produce a list of improved business and security processes that help prevent BEC scams and add a layer of protection. This might include limiting the number of people with access to financial information and transactions, requiring a second approver for wire transfers above a threshold, and confirming any change to a vendor’s bank details by calling the vendor at a number you already have on file rather than one supplied in the email.
Review, Refine and Test your Incident Management
After a thorough business process review, it’s time to put it all into action. A particularly effective strategy is to simulate a BEC incident and test the scenario among your staff. We also recommend you conduct a “tabletop exercise” with management and key personnel, on a regular basis.
Business processes aside, this is also a critical moment to improve your overall IT security posture. Two good starting points are multi-factor authentication on every email account, which makes a compromised password far less useful to an attacker, and a mandatory second-channel verification step (a phone call or a separate approval system) for payments and bank-detail changes. Investing in better technology and more robust cybersecurity is, not surprisingly, a bit of a trend these days. According to Spiceworks’ 2020 State of IT Report, 44% of businesses plan to increase their tech spend next year; one in four businesses are spending more due to a recent security incident.
Lastly, make sure your systems are backed up and that you have an incident management process in place with your IT team or a technology vendor. A good starting place may be an IT assessment, typically performed by third-party experts like our team here at N8 Solutions, to examine your current IT infrastructure and security posture. Experts will analyze your systems to uncover security vulnerabilities, review back-ups, identify network issues, and improve your desktop, internet, and infrastructure security.
Don’t let this be the year that you experience a BEC scam at your business! We’re here to help you avoid these and other sophisticated and damaging attacks. It’s worth it. The Better Business Bureau reports that 80% of businesses received at least one BEC scam in 2018; more than $26 billion in BEC-related losses were reported over the last two years, according to the FBI. We can provide expert guidance on everything from training your team to conducting a business process review to improving your overall security posture and establishing a plan for recovery. BEC scams are rooted in our own human vulnerabilities; while the tactics of the scam may be simple, the repercussions are not.
Please get in touch with us today for a free consultation.