Business Email Compromise: Is This a Scam Email?
Earlier this year, the FBI released its 2018 Internet Crime Complaint Center Report (IC3), which covers the types of cybercrime being reported to the agency and the trending threats individuals and businesses are facing. Last year, the IC3 responded to an average of over 900 complaints a day and observed an estimated $2.7 billion in financial losses as a result of reported cybercrime. These numbers have increased dramatically since the FBI began tracking them in 2014 and are only expected to rise.
Of this astounding financial loss total in 2018, 48% was due specifically to Business Email Compromise (BEC).
What is Business Email Compromise?
BEC is a type of cyber-attack in which the attacker creates or gains access to a business email account and imitates the owner’s identity in order to defraud the company and its employees, customers or partners. The success of these attacks relies on the assumed trust between the victim and the false email account.
BEC attacks have become sophisticated, well-organized campaigns, often run by multi-national criminal organizations made up of hackers, social engineers, linguists and even lawyers and financial professionals. Most often, scammers focus their efforts on the employees with access to company finances and attempt to trick them into performing wire transfers to bank accounts thought to be trusted, when in reality the money ends up in accounts owned by the criminals.
A BEC email may be one that:
- Appears to be from your CEO or CFO, asking you for information, like account numbers, or to take a particular action, like complete a wire transfer
- Requests to buy gift cards, both physical and electronic
- Asks for your personal or work phone number so they can text you instructions
- Appears to be from an official organization or agency and asks you to click on a link which directs you to a landing page where you are asked to fill out information
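The first three warning signs above can be checked mechanically on inbound mail. The following is an added example, not part of the original article or any SWC tooling: a small Python check that flags an executive's display name on an outside address and the request types listed above. The company domain, executive names, pattern wording and sample messages are all assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values for this example; replace with your own directory data.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

# Phrases matching the request types listed above (wording is an assumption).
REQUEST_PATTERNS = {
    "wire_or_account_request": re.compile(r"\bwire\s+transfer\b|\baccount\s+numbers?\b", re.I),
    "gift_card_request": re.compile(r"\bgift\s*cards?\b", re.I),
    "phone_number_request": re.compile(r"\b(?:cell|mobile|phone)\s+number\b", re.I),
}

def body_text(msg):
    """Return the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def bec_indicators(raw_message):
    """List the BEC warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # An executive's display name on an outside address suggests impersonation.
    # A genuinely compromised internal mailbox will not trip this check.
    if display.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        hits.append("executive_name_external_sender")
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    hits += [name for name, rx in REQUEST_PATTERNS.items() if rx.search(text)]
    return hits

# Constructed sample messages, not real mail.
SAMPLE_SPOOF = ('From: "Jane Doe" <jane.doe.ceo@mail.example.net>\n'
                "To: ap@example.com\nSubject: Quick task\n\n"
                "Are you at your desk? I need you to buy gift cards for a client.\n"
                "Send me your cell number so I can text you instructions.\n")
SAMPLE_BENIGN = ('From: "Jane Doe" <jane.doe@example.com>\n'
                 "To: all@example.com\nSubject: Q3 town hall\n\n"
                 "The town hall is Thursday at 10am in the main conference room.\n")

if __name__ == "__main__":
    print(bec_indicators(SAMPLE_SPOOF), bec_indicators(SAMPLE_BENIGN))
```

A hit is a reason to verify the request through a second channel, not proof of fraud; legitimate mail can mention wire transfers or gift cards.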
Lowering Risk from BEC Attack
Businesses may not be able to remain 100% free of attempted BEC attacks, but there are several things they can do to improve processes, minimize data exposure and lower their risk of financial loss.
- Conduct employee security awareness training which includes BEC scenarios
- Utilize manual controls, many included in Microsoft 365. Many organizations already own these tools and are simply unaware of how to best use them for the most protection and ROI
- Ongoing monitoring of exposed credentials to catch the attack before damage is done. If you’re unable to do this in-house, consider a service like SWC’s Managed Defense
- Conduct ongoing assessments of your evolving environment and executives’ digital footprints and take measures to remove sensitive data that could leave them exposed
Email Security Workshop
SWC has developed an Email Security Workshop to help business and technology leaders develop a strategic security plan based on best practices and approaches.
To learn more about how you can improve your security posture and minimize the risk of BEC, contact us.