
Understanding Business Email Compromise


4 June | Business IT Support

Put simply, business email compromise (BEC) is a type of cyber crime in which scammers use email to deceive people into sending money or divulging confidential company information. Cyber criminals often impersonate a trusted executive, vendor, or partner to deceive employees into transferring funds or disclosing confidential data. They typically ask for payment of a fraudulent invoice or request sensitive information that can be used in further scams. BEC is one of the most sophisticated and financially damaging cyber threats facing businesses today.

How it Works

BEC scams usually start with the cyber criminal gaining access to a legitimate business email account through phishing, malware, or social engineering. Once inside, they study the organisation’s communication patterns and identify potential targets. The attacker then crafts convincing emails that appear to come from a trusted source, instructing the recipient to make a payment or share sensitive information.

Real-World Examples

CEO Fraud
In this scenario, the attacker impersonates the CEO or another high-ranking executive. They instruct an employee, usually in finance, to transfer money to an account controlled by the attacker. The request often emphasises urgency and confidentiality to avoid raising suspicion.

Invoice Scams
Attackers pose as legitimate suppliers and send fake invoices to businesses. They request payment to be made to a new bank account, which is actually controlled by the fraudster. By the time the real vendor inquires about the missing payment, the money is long gone.

Account Compromise
In this type, a compromised email account is used to request payments from clients. Clients, believing they are paying the correct business, transfer money to the attacker’s account. This not only results in financial loss but can also damage the business’s reputation.

New Employee Exploitation
Scammers target new employees who might be unfamiliar with company protocols. For example, an attacker impersonates the CEO and emails a new employee, urgently requesting their WhatsApp number. Once the conversation moves to WhatsApp, the scammer convinces the employee to buy multiple Amazon gift vouchers under the guise of a company expense. This method preys on the new employee’s eagerness to comply with a high-ranking official’s request, making it particularly effective.

Useful Tips to Avoid Business Email Compromise

Business email compromise is a serious threat, but you can defend against it with vigilance and good practices.

  • Check the Sender’s Email Address
    Always double-check the sender’s email address. Scammers often use addresses that look almost identical to legitimate ones but with slight differences, like an extra letter or a different domain. For instance, they might use “[email protected]” instead of “[email protected]”. By paying attention to these details, you can spot fraudulent emails before falling victim to them.
  • Look for Unusual Requests
    Be wary of emails that request urgent actions, especially those involving financial transactions or sensitive information. Scammers often create a sense of urgency to rush you into making a mistake. For example, an email might claim that an urgent payment is needed to avoid a penalty. Always verify such requests through another communication channel, like a phone call.
  • Verify Payment Changes
    Always confirm any changes in payment details or instructions by directly contacting the supplier or executive using a trusted method. Scammers might send emails that look like they are from a known supplier, asking you to send payments to a new account. Before making any changes, contact the supplier using their official contact information to make sure the request is genuine.
  • Keep Software Updated
    Make sure all your software, including email clients and security tools, is up to date. Regular updates protect against the latest security vulnerabilities that scammers exploit. This simple step can significantly enhance your security.
  • Limit Information Sharing
    Be careful about the information you share on social media and company websites. Scammers often use publicly available data to create convincing phishing emails. For example, if you post about an upcoming business trip, a scammer might send an email pretending to be your CEO, asking for urgent information or payment while you’re away. By limiting the details you share online, you reduce the risk of being targeted by such personalised attacks.
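As an added illustration (not part of the original article), here is a small Python check of the kind the first tip describes: it flags a sender domain that is within a couple of character edits of a trusted domain (an extra or swapped letter), one that reuses a trusted name under a different top-level domain, and a trusted address that appears only in the display name. The trusted domains are constructed sample values.

```python
from email.utils import parseaddr

# Constructed sample data: domains this organisation treats as trusted senders.
TRUSTED_DOMAINS = {"examplecorp.com", "trusted-supplier.co.uk"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted_domains=TRUSTED_DOMAINS) -> str:
    """Classify the address in a From: header as trusted, lookalike,
    display-name-mismatch or untrusted."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "untrusted"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted_domains:
        return "trusted"
    label = domain.split(".", 1)[0]
    for trusted in trusted_domains:
        trusted_label = trusted.split(".", 1)[0]
        # An extra letter or a swapped letter keeps the domain within two
        # edits; the same name under a different TLD shares the first label.
        if edit_distance(domain, trusted) <= 2 or label == trusted_label:
            return "lookalike"
    # A trusted address shown only in the display name ("ceo@examplecorp.com"
    # <someone@webmail.example>) is a common way to hide the real sender.
    if any(t in display_name.lower() for t in trusted_domains):
        return "display-name-mismatch"
    return "untrusted"
```

Mail clients often show only the display name, so the real address should be checked on any payment or data request regardless of how familiar the name looks.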

Defending Against Business Email Compromise

Business email compromise is a growing threat that can have devastating consequences for any organisation.

Employee Training

Education is your first line of defence. Regular training sessions should be held to keep employees updated on the latest phishing techniques. Teach them how to recognise suspicious emails and emphasise the importance of verifying unusual requests. This is especially crucial for emails involving financial transactions or sensitive information. Employees should be encouraged to question and verify any unusual request, regardless of who appears to have sent it.

Implementing Strong Authentication

Adding an extra layer of security with two-factor authentication (2FA) is essential. Even if an attacker manages to obtain login credentials, 2FA makes it significantly harder for them to access the account. Ensure that all employees, particularly those with access to sensitive information, use 2FA. This involves using a second method of verification, such as a code sent to a mobile device, in addition to a password. This simple step can drastically reduce the risk of unauthorised access.

Email Filtering and Security Solutions

Advanced email security solutions can be a powerful tool in the fight against BEC. These systems are designed to detect and block phishing attempts before they reach the inbox. By analysing email content and metadata for signs of fraud, these tools can significantly reduce the risk of BEC. Implementing such solutions ensures that many potential threats are neutralised before employees even see them, adding a robust layer of protection to your email communications.

Verification Processes

Always verify payment requests, especially if they involve large sums or changes in payment details. This can be done through a secondary communication channel, such as a phone call or face-to-face verification. Establishing a clear procedure for verifying financial transactions can prevent many BEC attempts. Encourage employees to follow these verification processes strictly, and never to rely solely on email for confirmation of sensitive information.

Monitoring and Response

Continuous monitoring of email accounts for suspicious activity is crucial. Set up alerts for unusual login attempts or changes in email forwarding rules. Having a response plan in place is essential so that if an attack is detected, you can act swiftly to mitigate the damage. Regularly review account activities and ensure that any anomalies are investigated promptly. This proactive approach can help in identifying and stopping potential breaches before they escalate.
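As an added example (not part of the original article), the following Python code shows the two alerts this section recommends, run over a few constructed mailbox audit events in a generic JSON-lines form rather than any particular vendor's log schema: a successful sign-in from a country outside the user's baseline (including one that follows repeated failures) and a new inbox rule that forwards mail outside the organisation.

```python
import json
from collections import defaultdict

INTERNAL_DOMAIN = "examplecorp.com"  # assumed organisation domain

# Constructed sample audit events: sign-ins and inbox-rule changes.
SAMPLE_LOG = """
{"ts":"2024-06-03T08:02:11Z","user":"finance@examplecorp.com","event":"login","country":"GB","success":true}
{"ts":"2024-06-03T23:41:05Z","user":"finance@examplecorp.com","event":"login","country":"NG","success":false}
{"ts":"2024-06-03T23:41:19Z","user":"finance@examplecorp.com","event":"login","country":"NG","success":false}
{"ts":"2024-06-03T23:42:02Z","user":"finance@examplecorp.com","event":"login","country":"NG","success":true}
{"ts":"2024-06-03T23:45:30Z","user":"finance@examplecorp.com","event":"rule_created","rule":{"name":".","forward_to":"archive@mail-backup.example","delete":true}}
{"ts":"2024-06-04T09:00:00Z","user":"ops@examplecorp.com","event":"rule_created","rule":{"name":"Tickets","forward_to":"helpdesk@examplecorp.com","delete":false}}
"""


def find_alerts(log_text: str, baseline_countries: dict) -> list:
    """Return alert strings for sign-ins outside a user's usual countries and
    for inbox rules that forward mail to an external address."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed sign-ins per user
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        user = ev["user"]
        if ev["event"] == "login":
            if not ev["success"]:
                failures[user] += 1
                continue
            if ev["country"] not in baseline_countries.get(user, set()):
                alerts.append(f"{ev['ts']} {user}: sign-in from unexpected country {ev['country']}")
            if failures[user] >= 2:
                alerts.append(f"{ev['ts']} {user}: success after {failures[user]} failed attempts")
            failures[user] = 0
        elif ev["event"] == "rule_created":
            rule = ev["rule"]
            target = rule.get("forward_to", "")
            if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
                note = " and deletes the original" if rule.get("delete") else ""
                alerts.append(f"{ev['ts']} {user}: rule '{rule['name']}' forwards to external "
                              f"address {target}{note}")
    return alerts


if __name__ == "__main__":
    baseline = {"finance@examplecorp.com": {"GB"}, "ops@examplecorp.com": {"GB"}}
    for alert in find_alerts(SAMPLE_LOG, baseline):
        print(alert)
```

A rule with an inconspicuous name that forwards and deletes mail is worth investigating immediately, because it lets an intruder read and hide payment correspondence without the account owner noticing.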

Protect Your Business from Scammers

Protecting your business from scammers is crucial, regardless of its size. Small and large businesses alike are targets for cyber criminals, making it essential to have robust defences in place. Investing in IT support and cyber security services can make a significant difference.

Not every business can afford an in-house IT department staffed with experts. That’s where professional IT support services come in. They offer specialised knowledge and tools to protect your business against threats like business email compromise.

By partnering with a reliable IT support provider, you ensure your network is secure, your employees are trained, and your data is protected. This proactive approach can save you time, money, and stress, allowing you to focus on what you do best – running your business.

Don’t let your business fall victim to the growing threat of business email compromise. Stay one step ahead by implementing robust security measures and educating your team. At Labyrinth Technology, we specialise in safeguarding businesses against cyber threats with tailored IT solutions. Protect your organisation’s future by taking proactive steps today. Contact us to learn how we can help secure your email systems and strengthen your overall cyber security.

Szilvia Gagyi
About the author

Empowering London Businesses with Efficient IT Solutions to Save Time and Stay Ahead of the Competition.
