What can I do to mitigate Business Email Compromise?

What is Business Email Compromise?

Ever had the experience of trusting someone only to end up being betrayed? Well, business email compromise is the email way of being back stabbed by someone you’ve trusted. Only in this case, it’s not actually that person swindling you of your company's valuable information, but an imposter posing as that person.

Business email compromise (BEC) is a result of a successful social-engineering attack carried out by a scammer. Parties with malicious intent will spy on their victims for quite some time so that they can familiarize themselves with their routine. This will serve as valuable intel for scammers so that they can manipulate the employees of an organization by posing as a CEO or other people from higher authority.

Who is most likely to be targeted?

BEC tactics hinge on targeting top-level executives and working down the corporate ladder. The people most at risk of this scam are a company's CEO, COO, CFO, and HR manager. In the last stage, it will trickle down to unsuspecting entry-level employees.

Compromising the email accounts of high-ranking executives opens the doors for a wide array of attacks, as the scammers exploit the executives to extract proprietary information worth millions of dollars by completely bypassing their IT security infrastructure.

The company’s clients and customers are also defrauded of their money as a result of BEC. For example, scammers will often pose as the company’s financial department manager requesting that the client pay an invoice. Instead, the payment will be made to a bank account controlled by the scammers.

Examples of Business Email Compromise 

While not an exhaustive list, these are just a few examples of how BEC can happen even in companies with the strictest email security policies.  

Impersonating the CEO 

This BEC attack has the highest chance of deceiving the victim into giving up whatever the scammer asks for. Here, the scammer This attack has the highest chance of deceiving the victim into giving up whatever the scammer asks for. Here, the scammer gains illegal access to the email ID of a company's CEO and asks unsuspecting employees to send money as soon as possible via that email.

Overdue fake invoices

In this case, the fraudsters will pose as a trusty external vendor and send a fake invoice to a company urging them to pay it as soon as possible to avoid a penalty. Because this type of BEC presents itself with a sense of urgency, victims end up playing right into the hands of the scammers.

Attorney manipulation

Usually targeting new employees who will likely comply to a request from a legal body, these employees are asked to send money or sensitive information to the scammers, who are posing as company attorneys. This request will mostly be time sensitive and will also ask for complete confidentiality so that the employees can't validate the request.

Data compromise 

A successful BEC scammer gains access to important email accounts of an organization, such as the HR director or CFO. From there, the fraudsters are free to steal vital information, such as employee social security numbers or banking account details. This information can then be used by these scammers in a future attack.

How can organizations be better equipped against business email compromise attacks? 

These examples may seem scary and make you want to forgo using email entirely in your company. But as with any threat, there are many ways to counter BEC attacks. These include both technical safety measures and contributions from the company’s employees, managers, and officers.

Technical measures

On the IT side, there are a number of things developers and technicians can do to guard against a BEC attack. The first step would be to host your email with a secure cloud email provider.

This will be your first line of defense in whatever potential attack the scammer has launched against you. These email providers come with built-in filters to weed out any emails with fishy subject lines or that come from questionable domains.

Enable multi-factor authentication  

Most email providers have the option to enable multi-factor authentication (MFA). This will go a long way in your defense against BEC attacks because the scammers can't gain access to your email account even if your password becomes compromised.

Invest in machine-learning analysis tools 

Tools such as Cloudfare bot management were developed with the aim of combating BEC attacks. These tools employ advanced machine learning algorithms to be on the lookout for email text that appears out of the ordinary and immediately flag them as spam.

Include natural language processing models 

John is the head of customer success in a company. Suddenly he receives an urgent request to pay $10,000 to an employee. He has nothing to do with finance but, depending on the sender, he might be tempted to walk right into the scammer's trap. A natural language processing model will catch such out-of-place emails and flag them for BEC, thereby preventing John from ever receiving such malicious emails.

Human factor preventive measures

Educating everyone in your organization about what a BEC attack might look like can be your best defense against the attack penetrating your firewalls and other email security measures. Some possible employee initiatives you could employ are explained below.

Train employees to detect spammy emails 

A BEC attack will have certain tell-tale signs that can reveal the lack of authenticity of any email. If an employee senses that the email sender is outside the organization or the URL the email is redirecting to doesn't seem legit, they should report it to the compliance team.

Create a culture that challenges the authenticity of high-priority requests  

An employee getting instructions from the CEO to wire transfer money to a particular bank should validate the request before proceeding. This can be crucial in evading the scare tactics used by BEC scammers.

Conduct surprise training exercises regularly 

The in-house compliance team can send emails imitating a BEC attack to check how their employees respond to them. The conclusion of these exercises can be recorded and used to provide training to employees to equip themselves against BEC attacks.

Wrapping up 

BEC is a real thing even with all the advancements in email security nowadays. By following the advice in this article, you can improve the chances your company's email stays secure on a holistic level.

Being deceived by your most trusted people wasn’t cool during the times of Julius Caesar, and it’s most certainly not cool now. This is why BEC scams shouldn’t be taken lightly because of the hefty losses they can inflict on any business.

The adverse implications that a successful business email compromise can have on your business and how this type of scam presents itself can be found in Part 2 of this article. This will help you spot and stop an attack dead in its tracks.