
Few are aware of BEC attacks even though they are the most common threat

Here’s how to protect your business

Barrett Dilger

Email Security

We all know how vital email is in modern business. Unfortunately, we are also very well aware of all the junk that lands in our inboxes. A lot of that junk is spam, but worse yet, a lot of it is email attacks. These attacks vary, but they all set out to compromise you.

Some of the most popular attacks are phishing emails, which try to get you to expose your login credentials, and ransomware attacks, where criminals encrypt your data and hold it for ransom until you pay.

The most popular, though, are Business Email Compromise (BEC) attacks. These are where criminals use email impersonation to get employees or vendors to take some action that sends them money, in the form of wire transfers or even gift cards.

It keeps getting exponentially worse year over year too. Business Email Compromise is up a whopping 81% over last year. It’s up 175% over the last two years. That equates to a financial impact in the billions. Those are some staggering numbers.

How Does Business Email Compromise Work?

BEC attacks are where a criminal gains unauthorized access to your business email, which lends validity to their next steps. The root of a BEC attack is the use of company information to create a believable impersonation. The criminal will watch the breached mailbox for people, patterns, and other intel that gives them insight into your business. They also research your company to gain information about its employees, partners, and customers.

You’d be amazed at how much of this information is readily available online. Many times it’s all freely given on the company website and LinkedIn. LinkedIn is a treasure trove for criminals. Think about all the new job announcements you see: those people are prime targets because they are fresh and eager to please, while not yet knowing every little bit about the company, its employees, and its procedures.

Not that new employees are the only targets; they are just low-hanging fruit. Employees in the accounting departments are targeted for their financial access. Employees in the HR department are targeted for their access to employee records (such as social security numbers and tax records). Any employee role is susceptible to attack, even senior leaders.

Once the criminal has enough information regarding the company, they start their attack. They send an email, usually posing as a high-level executive like the CEO or owner, asking for some sort of transfer of funds. It could be anything from a wire transfer to a gift card purchase. The emphasis is always on urgency and confidentiality. They have a new opportunity or are out of the office at a location and need something done now.

Don’t think this is restricted to internal teams either. BEC attacks can impersonate partner companies, utilizing that relationship to fly under the radar and get the target company to trust them.

If the recipient believes the email, they take action and send funds directly to the criminal – who then disappears without a trace.

How to protect yourself from Business Email Compromise attacks

Attacks are always increasing and morphing in their delivery. There are multiple things you can do to stay on top of them and protect your business.

Educate Employees

The easiest and most impactful protection you can take is education. Your employees are the first line of defense for your business. They are in the trenches daily answering emails and communicating with your business partners and financial institutions. They are the most likely recipient of these email attacks.

Falling for one of these traps isn’t about intelligence. It doesn’t matter how smart (or stupid) your employees are. It’s about how aware they are.

This is where education comes into play. It teaches employees about these attacks, their methods and practices, and how to safeguard against them. It’s training to spot threats that are always evolving, and to know what to do when they’ve received one.

As I said, security against email attacks comes with awareness. We all get busy, distracted, and overwhelmed at times. That’s when you’re most likely to make a mistake and fall prey to an attack. That’s when you need your training to kick in before you act.

Training and education are not one-time events. They should be ongoing, or at least repeated every few months. They also shouldn’t be boring, or everybody will tune out. Gamify it and make it fun. If you’re not sure how to approach this, then reach out and we can help.

Authenticate Email

This should already be done, but there’s a good chance it isn’t. I am astounded at the number of companies out there that do not have their email secured. All sizes of companies, companies with in-house IT staff, and even other IT service providers (this honestly scared me a bit).

Your email and domain need to be secured. There are established ways to do this, namely Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).

That’s probably all Greek to you, and that’s okay. I have an easy-to-understand write-up that covers the premise.

At the end of the day though, understand that email authentication serves to protect you, your reputation, and your business partners. Nobody should be able to spoof your email and pose as you.
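A quick way to see whether a domain's SPF and DMARC records actually stop spoofing is to look at the policy they publish. The checker below is an added example, not code from the post or from the author; it runs over constructed TXT records (the `.invalid` names are placeholders) and reports the settings that leave the domain spoofable, such as `?all`/`+all` in SPF or `p=none` in DMARC.

```python
"""Flag weak SPF/DMARC policies in DNS TXT records (added example, not from the post)."""
import re

# Constructed sample records for a weak and a strong setup; not real domains.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.invalid ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mailer.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s"


def assess_spf(record: str) -> list[str]:
    """Return human-readable weaknesses in an SPF record (empty list = OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"'{last}' lets any host send as your domain")
        elif qualifier == "~":
            findings.append("'~all' only soft-fails spoofed mail; prefer '-all'")
    # RFC 7208 allows at most 10 DNS-querying terms; past that, receivers ignore the record.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", t, re.I))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def assess_dmarc(record: str) -> list[str]:
    """Return weaknesses in a DMARC record (empty list = OK)."""
    pairs = (kv.split("=", 1) for kv in record.split(";") if "=" in kv)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings
```

Point the two functions at the TXT records for your own domain and its `_dmarc` subdomain; an empty list from both is the baseline to aim for.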

Establish a Payment Process

Spending some time to establish some operational procedures will save you headaches later. Set your company rules and expectations.

Set two-factor authentication on all financial accounts (this should be done on ALL accounts anyway). Have two people approve payments so there’s always a second set of eyes on any financial transaction before the money changes hands. Set payments on a schedule, such as certain days of the week, which removes the potential for any fraudulent urgent requests to slip through the cracks.

Set up a policy for confirming changes. Let your business partners know that if there is ever a change to the financial processing (such as a new bank) that they will be notified in advance, in writing and verbally on a phone call, and by specific people or roles of the company. This clarifies the process and eliminates “on the fly” changes that will likely be fraudulent.

Additionally, set up a response plan. Only 28% of BEC attacks are reported. That’s troubling because you may already be a victim and not even know it. Your team should know what to do when an attack is attempted, and what to do if it succeeds. They should know how to report it to management and to IT, how to freeze payments, and how to contact law enforcement.

Review Transactions

Schedule time for reviewing all your financial transactions. This is separate from your accountant’s normal reconciliation. Take time to scan completed transactions, looking for anomalies like new partners, new banks, or unexpected amounts whose purpose is unclear.

But isn’t it too late if the transaction is already made?

Yes, that’s true, but it allows you to know you were robbed sooner rather than later, find flaws in your security and processes, and most importantly – it stops a successful criminal from doing it again. Fool me once, shame on you. Fool me twice, shame on me.
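The anomalies this section describes (a payee you've never paid, a vendor whose bank account changed, an amount out of line with the vendor's history, a payment with no stated purpose) can be pulled out of a payment export mechanically. The script below is an added example, not from the post; the `Payment` record, the history, and the spike multiplier are constructed assumptions, and the output is a list of items for a human to chase, not an automated block.

```python
"""Flag completed payments that break a vendor's established pattern (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    vendor: str
    account: str   # destination bank account identifier (constructed placeholder)
    amount: float
    memo: str


# Constructed history of previously approved payments; not real data.
HISTORY = [
    Payment("Acme Supplies", "ACCT-1111", 4200.0, "Invoice 1041"),
    Payment("Acme Supplies", "ACCT-1111", 3900.0, "Invoice 1052"),
    Payment("Acme Supplies", "ACCT-1111", 4500.0, "Invoice 1060"),
    Payment("Blue Hosting", "ACCT-2222", 800.0, "Monthly hosting"),
]


def review(history, batch, spike=2.0):
    """Return (payment, reason) pairs for anything in `batch` worth a second look.

    `spike` is the multiple of a vendor's previous maximum above which an amount is flagged.
    """
    known_accounts = {}   # vendor -> set of accounts we have paid before
    max_amount = {}       # vendor -> largest prior payment
    for p in history:
        known_accounts.setdefault(p.vendor, set()).add(p.account)
        max_amount[p.vendor] = max(max_amount.get(p.vendor, 0.0), p.amount)

    flagged = []
    for p in batch:
        if p.vendor not in known_accounts:
            flagged.append((p, "new payee with no payment history"))
            continue
        if p.account not in known_accounts[p.vendor]:
            flagged.append((p, "bank account differs from every prior payment to this vendor"))
        if p.amount > spike * max_amount[p.vendor]:
            flagged.append((p, f"amount exceeds {spike}x this vendor's previous maximum"))
        if not p.memo.strip():
            flagged.append((p, "no memo explaining what the payment is for"))
    return flagged
```

A changed bank account on an otherwise normal-looking invoice is the classic BEC fingerprint, so that line deserves a phone call to the vendor on a number you already had, not one from the email.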

Use Email Protection Software

Every business needs some form of email protection. Don’t believe me? Just look at your email inbox.

Email protection will prevent most email attacks from getting to your inbox in the first place. These tools use a gamut of techniques, such as sender reputation scoring, protection policies, and machine learning, to effectively block attackers from reaching your company inbox.

The impact of these tools is huge. Our customers are protected from hundreds of threats daily. That’s not cumulative. Some clients literally receive hundreds of threats a day. Those all get stopped before delivery, so they don’t have the headache of dealing with them.

What’s your email security solution?

Does this align with what you have set up? If so, great! If not, then you should start reviewing and implementing these safeguards as soon as possible.

If you want assistance with any of the technology or non-technical solutions, we’d be glad to help. Just get in touch.