Protection against email threats is a significant concern for business cybersecurity. Email attackers use many tactics to deliver malware, steal sensitive information, or manipulate employees into becoming victims, causing enormous financial damage to their companies.
Business Email Compromise (BEC), also known as whaling and CEO fraud, is an elaborate email scam in which fraudsters use social engineering tactics to prey on businesses and senior company executives.
In 2017, an official FBI public announcement indicated that over 40,000 businesses experienced Business Email Compromise (BEC) and Email Account Compromise (EAC) attacks and reported a combined loss of $5.3 billion. The figure is estimated to rise to $9 billion in 2018.
A BEC scam usually targets businesses that work with foreign suppliers and/or businesses that regularly make wire transfer payments.
FBI statistical data from December 2016 to May 2018 shows that BEC/EAC scams continue to grow, with a 136% increase, and target small, medium and large businesses as well as personal transactions. BEC victims also come from a variety of industries, which means no single sector is a favored target.
This type of attack comes in several forms: a fake invoice scam, impersonating a lawyer or an accountant, or impersonating a higher-ranking employee such as the CEO or CFO. Usually this is a financially motivated attack; less frequently it is competitor disruption or a state-sponsored attack (espionage).
For the impersonation to work, the attackers first investigate which individuals have authority over financial transactions. The more the attackers know about a company’s structure and processes, the more convincing the attack will be. BEC succeeds because it relies on apparent authenticity. Attackers usually spend weeks or even months collecting detailed information about the company, the executive they intend to impersonate, and the victim.
As a result, the emails include a forged company domain and email signature, and private information about the organization’s finances, products, internal organization, and market plans. In some cases, attackers mimic the executive’s language mannerisms from internal communication and even confirm money transfer requests by phone call.
A BEC scam is therefore difficult to detect: it appears legitimate from the company’s perspective and uses social engineering techniques. That makes it important that everyone at the company is informed about the risks of BEC.
- Implement security awareness programs: the company has to train all employees about the dangers of BEC and teach them how to recognize suspicious and malicious emails.
- Identify suspicious and malicious emails: employees need to understand how to check sender email addresses and cross-reference them against the company’s directory, how to verify the personal information, signatures, and communication style of executive officers, and, most important, never to reply to suspicious emails.
- Set up an email gateway and screen incoming emails for words like “payment”, “immediate”, “urgent”, “sensitive” and “secret” – common keywords in fraudulent communication.
- Improve existing email infrastructure: avoid using free web email services; business leaders, the CTO and cybersecurity officers should establish secure company domains and upgrade security with an advanced email protection service.
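As an added example (not from the original post or from AnubisNetworks), here is a small Python triage check that applies the two detection items above: it cross-references the sender against an assumed executive directory and company domain, flags lookalike domains and a redirected Reply-To header, and runs the keyword screen over a constructed sample message. The domain, directory entry and sample message are assumptions chosen for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: the protected domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: internal directory entry
SCREEN_WORDS = {"payment", "immediate", "urgent", "sensitive", "secret"}  # keywords from the list above

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    findings = []
    display, sender = parseaddr(msg.get("From", "").lower())
    sender_domain = sender.rsplit("@", 1)[-1]
    # An executive's display name paired with an address that is not the directory entry.
    expected = EXECUTIVES.get(display.strip())
    if expected and sender != expected:
        findings.append(f"executive name '{display}' sent from {sender}")
    # A sender domain that is a near miss of the company domain (one or two edits away).
    if sender_domain != COMPANY_DOMAIN and _edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {sender_domain}")
    # A Reply-To that silently moves the conversation to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rsplit("@", 1)[-1] != sender_domain:
        findings.append(f"reply-to redirected to {reply_to}")
    # Gateway-style keyword screen over the subject and a single-part body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sorted(w for w in SCREEN_WORDS if w in f"{msg.get('Subject', '')} {body}".lower())
    if hits:
        findings.append("screened keywords: " + ", ".join(hits))
    return findings

# Constructed sample: executive name on a lookalike domain, with a redirected Reply-To.
SAMPLE_SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mailbox.invalid
Subject: Urgent wire transfer

I need an immediate payment to a new supplier before noon today.
"""
if __name__ == "__main__":
    print(*bec_indicators(SAMPLE_SUSPICIOUS), sep="\n")
```

A real gateway would run the same checks against its own directory and a longer keyword list; the edit-distance threshold of two is deliberately loose and should be tuned against legitimate partner domains to limit false positives.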
As new fraud schemes arise, it’s important to protect your business against BEC scams (impersonating senior executives, sending phishing emails that appear to come from legitimate sources, or requesting wire transfers), which lead to intrusion and access to the victims’ credentials.
To see how AnubisNetworks MPS can protect your business email against BEC and other advanced email threats, schedule a demo today!
For more information about how to protect your company against Business Email Compromise (BEC), read Preventing Business Email Compromise - How to Protect Your Organization.