81% Surge in Business Email Compromise: Expert Insights
Imagine you’ve stepped out for your morning coffee. After a frantic morning of back-to-back meetings, you’re in a hurry, so you duck quickly into the café across the street.
But, as you go to tap your smartphone to pay, it pings.
Another email from your boss.
It’s marked urgent.
Swiping away the notification, you’re curious.
He is out of town at a conference.
As you idly wait, you decide to open the email. Your boss is asking for your help as he is dealing with a customer complaint and wants to resolve it immediately. Curiously, he asks you to purchase a Myer gift card and send him the details to give the client.
Myer is around the corner in Bourke Street, so you know you can grab a gift card on the way back to your desk.
And without knowing it, you’re now a victim of a business email compromise (BEC) scam.
Did you know that email has been part of our daily lives since the mid-1990s? Email is a ubiquitous part of how we communicate. But with over 340 billion emails sent each day, the threat of cybercriminals launching an attack continues to grow.
Business Email Compromise (BEC) attacks surged 81% in 2022, and 98% of employees failed to report the threat.
What is Business Email Compromise (BEC)?
Business Email Compromise (BEC) is a scam in which cyber criminals use email fraud to target their victims. Many attacks are launched against businesses and individuals, focusing on those who perform online banking transfers.
For example, cybercriminals impersonate a high-level executive or business partner. They email employees, customers or vendors requesting they make payments or transfer funds in some form.
According to the FBI, BEC scams cost businesses around $1.8 billion in 2021, increasing to $2.4 billion in 2021. In Australia, companies lost $227 million in 2021. These scams cause severe financial and reputational damage to businesses and individuals.
How does a BEC attack work?
BEC attacks are usually well-crafted and sophisticated, making it challenging to identify them. The cybercriminal first spends time researching the target company and its employees. They learn about the company’s operations, suppliers, customers, and business partners by accessing freely available information. For example, they can find much of this information on your company’s Facebook or LinkedIn profiles and your website.
Once they feel they have sufficient information, they write a convincing email. The criminals craft an email that appears to be written and sent from a high-level executive or a business partner.
The email asks the recipient to make a payment or transfer funds. Typically, it frames the request as an urgent and confidential matter — for instance, a new business opportunity, a vendor payment, or a foreign tax payment.
Another way the attacker may gain trust is by using social engineering tactics, such as posing as a trusted contact or creating a fake website that mimics your business’s site. These cunning tactics make the email appear more credible.
If the recipient falls for the scam and transfers the payment, they become victims of the BEC scam and are often left with a financial loss.
How to combat Business Email Compromise
BEC scams can be challenging to prevent. However, there are simple measures businesses and individuals can implement to mitigate the risk of falling victim to them.
Train and educate team members
Companies should educate their team members about the risks a BEC scam poses. Training could include identifying BEC scams and ways to avoid them, including well-known tactics scammers use.
In your learning material, you can highlight how criminals use urgent requests, social engineering and fake websites to build trust with the victim.
When planning your training, you must include email account security, such as:
- Checking their sent folder regularly for any unusual emails;
- Creating a strong email password with at least 12 characters;
- Regularly changing their email password;
- Reliably storing their email password;
- Contacting your IT team if they suspect a phishing email.
Implement email authentication
You can enable protocols that help verify the authenticity of the sender’s email address. Email authentication protocols can also reduce the risk of spam and keep your emails from landing in junk mail folders.
Email authentication protocols can include the following:
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
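These three protocols are published in DNS by the sending domain and checked by the receiving mail server; DMARC is the one that ties the other two to the address the recipient actually sees. The following script, added here as an illustration and not code from the original article or any product it mentions, applies that DMARC alignment decision to a received message. It assumes the receiving server has already stamped an Authentication-Results header (RFC 8601) and that the sender's domain publishes a DMARC record; the domains, addresses and both messages are constructed.

```python
"""Apply DMARC alignment to a received message's SPF and DKIM results.

Added example, not code from the original article. It assumes the
receiving mail server has already stamped an Authentication-Results
header and that the sender's domain has published a DMARC TXT record;
the domains, addresses and messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC record, as it would appear at _dmarc.example.com.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

# Constructed message: the visible From is our domain, but SPF only passed
# for an unrelated envelope sender and there is no DKIM signature.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce@bulk-sender.example.net;
 dkim=none
From: "Jane Doe (CEO)" <ceo@example.com>
To: finance@example.com
Subject: Urgent - need your help

Can you pick up some gift cards for a client today?
"""

# Constructed message that is authenticated and aligned on both methods.
LEGIT_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=ceo@example.com;
 dkim=pass header.d=example.com
From: "Jane Doe (CEO)" <ceo@example.com>
To: finance@example.com
Subject: Board pack

Attached as discussed.
"""


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organisational domain as the last two labels. Adequate for the
    example.com-style names used here; production code should consult the
    Public Suffix List (com.au, co.uk and friends)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header):
    """Extract (result, domain) for spf and dkim from an
    Authentication-Results header value."""
    results = {}
    # The first ';'-separated element is the authserv-id; the rest are clauses.
    for clause in header.split(";")[1:]:
        clause = " ".join(clause.split())  # unfold continuation lines
        m = re.match(r"(spf|dkim)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, rest = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.@-]+)", rest)
        domain = dom.group(1).rsplit("@", 1)[-1].lower() if dom else ""
        results[method] = (result.lower(), domain)
    return results


def dmarc_disposition(raw_message, dmarc_txt):
    """Return 'pass' if DKIM or SPF passes *and* aligns with the visible
    From domain; otherwise the action requested by the sender's policy
    ('none', 'quarantine' or 'reject')."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    policy = parse_dmarc_record(dmarc_txt)

    def aligned(method, mode_tag):
        result, domain = auth.get(method, ("none", ""))
        if result != "pass" or not domain:
            return False
        if policy.get(mode_tag, "r") == "s":  # strict alignment
            return domain == from_domain
        return org_domain(domain) == org_domain(from_domain)  # relaxed

    if aligned("dkim", "adkim") or aligned("spf", "aspf"):
        return "pass"
    return policy.get("p", "none")


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(f"{name}: {dmarc_disposition(raw, DMARC_RECORD)}")
```

The spoofed message shows why SPF alone is not enough: SPF passed, but only for the envelope domain the bulk sender controls, so it does not align with the From address the employee sees, and the published `p=reject` policy applies. A domain that publishes `p=none` gets the same alignment failure reported but asks the receiver to deliver anyway, which is why moving to `quarantine` or `reject` once your legitimate senders are covered is the step that actually blocks impersonation.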
Introduce payment verification processes
You can deploy a payment verification process for your company, such as two-factor authentication (2FA) on your banking platform. Another control to consider is confirmation from multiple parties: a bank transfer is only actioned once both parties have independently consented to the request, so a single deceived employee or compromised mailbox cannot release funds on its own.
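The multi-party confirmation described above is easy to state and easy to get wrong in practice (for example, by letting the person who raised a payment also approve it). The following model, added here as an illustration and not code from the original article or any product it mentions, encodes the control as a release gate: two distinct approvers, neither of them the requester, and a callback to the payee on a number already on file whenever the request changes bank details. All names and amounts are constructed.

```python
"""Dual-control release gate for outgoing payments.

Added example, not code from the original article. A transfer is only
released after two distinct people (neither of them the requester)
approve it, and any request that changes a payee's bank details also
needs an out-of-band callback to the payee on a previously known number.
All names and values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PaymentRequest:
    request_id: str
    requester: str
    payee: str
    amount: float
    bank_details_changed: bool = False   # new BSB/account supplied for this payee
    approvals: set = field(default_factory=set)
    callback_verified: bool = False      # payee confirmed the details by phone


class ApprovalError(Exception):
    pass


def approve(req, approver):
    """Record an approval. Self-approval is rejected so that a single
    compromised mailbox cannot both raise and approve a payment."""
    if approver == req.requester:
        raise ApprovalError(f"{approver} raised {req.request_id} and cannot approve it")
    req.approvals.add(approver)
    return req


def record_callback(req, verified_by):
    """Mark that someone phoned the payee on the number held on file
    (never a number taken from the email) and confirmed the change."""
    if verified_by == req.requester:
        raise ApprovalError("callback must be made by someone other than the requester")
    req.callback_verified = True
    return req


def release_decision(req, required_approvals=2):
    """Return (ok, reason). ok is True only when every control is satisfied."""
    if len(req.approvals) < required_approvals:
        return False, f"{len(req.approvals)} of {required_approvals} approvals recorded"
    if req.bank_details_changed and not req.callback_verified:
        return False, "bank details changed but not confirmed by callback"
    return True, "all controls satisfied"


def demo():
    """Walk a BEC-style 'please update our bank details' request through the gate."""
    req = PaymentRequest("PR-1001", requester="alice", payee="Acme Supplies",
                         amount=18500.00, bank_details_changed=True)
    steps = [release_decision(req)]          # nothing approved yet
    approve(req, "bob")
    steps.append(release_decision(req))      # one approval
    approve(req, "carol")
    steps.append(release_decision(req))      # two approvals, callback missing
    record_callback(req, verified_by="bob")
    steps.append(release_decision(req))      # released
    return steps


if __name__ == "__main__":
    for ok, reason in demo():
        print("RELEASE" if ok else "HOLD   ", reason)
```

The point of the callback rule is that the "new account" email is exactly what a BEC attacker sends; the only confirmation that means anything comes from a channel the attacker does not control.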
Be sure to review financial transactions
An effective way to combat BEC is to check all financial transactions regularly. Look for irregularities, such as unexpected bank transfers or changes in payment instructions.
Establish a schedule for these checks that aligns with your business and transaction volume, so that they become part of your operating rhythm.
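A regular review is only as good as the questions it asks of each transaction. The following script, added here as an illustration and not code from the original article or any product it mentions, runs the two checks the section names (unexpected transfers and changed payment instructions) plus an amount sanity check over a constructed ledger, comparing each transfer against an approved payee register. The payees, BSB and account numbers and amounts are made up.

```python
"""Periodic review of outgoing transfers against an approved payee register.

Added example, not code from the original article. The payee register,
ledger, BSB/account numbers and amounts are constructed for illustration.
"""

# Approved payee register, as finance would maintain it (constructed).
PAYEE_REGISTER = {
    "Acme Supplies":  {"bsb": "063-000", "account": "12345678", "typical_amount": 4200.00},
    "Globex Pty Ltd": {"bsb": "033-111", "account": "87654321", "typical_amount": 9800.00},
}

# One month of outgoing transfers (constructed).
LEDGER = [
    {"id": "T-001", "payee": "Acme Supplies",        "bsb": "063-000", "account": "12345678", "amount": 4100.00},
    {"id": "T-002", "payee": "Acme Supplies",        "bsb": "063-000", "account": "99887766", "amount": 4300.00},
    {"id": "T-003", "payee": "Northwind Consulting", "bsb": "013-222", "account": "55555555", "amount": 18000.00},
    {"id": "T-004", "payee": "Globex Pty Ltd",       "bsb": "033-111", "account": "87654321", "amount": 52000.00},
    {"id": "T-005", "payee": "Globex Pty Ltd",       "bsb": "033-111", "account": "87654321", "amount": 9750.00},
]


def review_ledger(ledger, register, amount_ratio=3.0):
    """Return a list of (transaction id, finding) for a person to follow up."""
    findings = []
    for tx in ledger:
        known = register.get(tx["payee"])
        if known is None:
            # Unexpected transfer: nobody approved this payee beforehand.
            findings.append((tx["id"], "unexpected transfer: payee not in approved register"))
            continue
        if (tx["bsb"], tx["account"]) != (known["bsb"], known["account"]):
            # Classic BEC outcome: same supplier name, different destination account.
            findings.append((tx["id"], "payment instructions differ from approved register"))
        if tx["amount"] > amount_ratio * known["typical_amount"]:
            findings.append((tx["id"], f"amount is more than {amount_ratio:g}x the payee's typical amount"))
    return findings


def findings_by_id(ledger, register):
    """Group findings by transaction for a summary report."""
    report = {}
    for tx_id, reason in review_ledger(ledger, register):
        report.setdefault(tx_id, []).append(reason)
    return report


if __name__ == "__main__":
    for tx_id, reasons in findings_by_id(LEDGER, PAYEE_REGISTER).items():
        print(tx_id, "->", "; ".join(reasons))
```

T-002 is the one to look at hardest: the supplier name is familiar and the amount is normal, so it would sail through a review that only looks for big or unfamiliar payments. Comparing destination account details against the register is what catches it.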
Introduce a response plan
Unfortunately, your company may still fall victim to a BEC scam. To be prepared, create a response plan outlining the procedures for handling the incident, including policies and guidelines for stopping a transfer and notifying the police or relevant regulatory bodies.
Start using anti-phishing software
Businesses and individuals can use anti-phishing software to detect and block fraudulent emails. With current advances in artificial intelligence (AI) and the widespread adoption of machine learning, these tools are becoming more powerful.
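Whatever the product, the signals such tools weigh for BEC are the ones this article has already described: a familiar name on an outside address, a lookalike domain, replies quietly redirected elsewhere, and urgent requests for gift cards or transfers. The following screener, added here as an illustration and not code from the original article or any anti-phishing product, scores a message on those signals so the reasoning is visible. The executives list, domains and sample message are constructed.

```python
"""Heuristic BEC screening of an inbound message.

Added example, not code from the original article or any product. It
scores the signals described in the text: an executive's display name on
an outside address, a lookalike sender domain, a Reply-To that diverts
replies, and urgency or gift-card language. All names, domains and the
sample message are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"
# Display names of people scammers typically impersonate (constructed).
EXECUTIVES = {"jane doe", "john smith"}
URGENCY_TERMS = ("urgent", "immediately", "asap", "confidential", "right away")
PAYMENT_TERMS = ("gift card", "wire transfer", "change of bank", "new account")

# Constructed message exhibiting several of the signals at once.
SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jdoe.private@webmail.example
To: finance@example.com
Subject: Urgent - need a favour

I'm in a meeting and can't talk. Please buy 5 gift cards for a client
immediately and send me the codes. Keep this confidential.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw):
    """Return (score, reasons) for one RFC 822 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()

    score, reasons = 0, []
    if name.strip().lower() in EXECUTIVES and from_domain != OUR_DOMAIN:
        score += 3
        reasons.append("executive display name from outside address")
    if from_domain != OUR_DOMAIN and edit_distance(from_domain, OUR_DOMAIN) <= 2:
        score += 3
        reasons.append("lookalike sender domain")
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append("Reply-To diverts replies to another domain")
    if any(term in text for term in URGENCY_TERMS):
        score += 1
        reasons.append("urgency language")
    if any(term in text for term in PAYMENT_TERMS):
        score += 2
        reasons.append("payment or gift-card request")
    return score, reasons


def verdict(raw, threshold=5):
    """Quarantine when the combined score reaches the threshold."""
    score, reasons = score_message(raw)
    return ("quarantine" if score >= threshold else "deliver"), score, reasons


if __name__ == "__main__":
    action, score, reasons = verdict(SAMPLE)
    print(action, score, reasons)
```

Keyword matches on their own are weak evidence (a genuine CEO also writes "urgent"), which is why the header-based signals carry more weight and the decision is made on the sum. In a real deployment the DMARC result from the receiving server would be another, stronger input to the same score.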
Does your Melbourne business need support with email security?
You can take action to protect your business from a BEC scam. Schedule a call today to discuss powerful strategies and secure your business against emerging cyber threats.
About the author
Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business, Yener worked for a number of corporate organisations where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.