How to Guard Against Business Email Compromise
Published: June 3, 2024
Cybercrime in all its different forms is on the rise, and one of the most common types of cybercrime is business email compromise (BEC). Reported losses due to BEC totaled nearly $3 billion in 2023, which made it the second costliest type of cybercrime last year behind only investment scams, according to the FBI IC3 Internet Crime Report. This is an increase of 58% since 2020.[1]
What is Business Email Compromise?
BEC, also sometimes referred to as phishing and spear phishing, can take many different forms, but it is usually targeted at employees who have access to corporate finances. In a typical scam, thieves use compromised or closely spoofed email accounts to trick an employee into initiating wire transfers to bank accounts they think belong to trusted partners. However, the money is actually wired into accounts controlled by the criminals.
While this might sound simple, the level of sophistication involved in executing this type of theft is very high. Business email compromise is especially dangerous because once wire transfers are sent, they generally can’t be reversed. So it’s smart to verbally confirm all wire transfer requests received via email to verify their authenticity. Use the phone number you have in your system instead of a phone number in the email, which could be a fake number that calls the scammers. This simple step can thwart many BEC schemes.
In another type of BEC scheme, cyberthieves send legitimate-looking emails to finance and accounting employees stating that the company’s bank accounts have been frozen due to suspected fraudulent activity. The emails ask employees to provide sensitive information so they can unfreeze the accounts. Instead, the criminals use the information to access and steal funds from the accounts.
Or the emails might instruct employees to click on a link that supposedly takes them to the bank’s website to resolve the problem. Instead, the link leads to a clone site that downloads malware onto employees’ computers that enables thieves to capture sensitive account information and launch Man-in-the-Browser attacks.
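The "closely spoofed email accounts" described in this section can be caught mechanically before a payment request reaches an employee. The following is an added example, not part of the original article: it compares a sender's domain against a list of trusted partner domains and flags near matches. The trusted domains, the sample addresses and the character-folding table are constructed assumptions.

```python
# Added example: flag sender domains that closely imitate a trusted partner.
# TRUSTED_DOMAINS and the folding table are constructed for illustration.
TRUSTED_DOMAINS = {"example-supplier.com", "examplebank.com"}

# Digits that are commonly substituted for similar-looking letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def skeleton(domain):
    """Fold look-alike characters so visually similar domains compare equal."""
    folded = domain.lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain); verdict is trusted, lookalike or unknown."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted", domain
    for good in sorted(trusted):
        # Same skeleton or a small edit distance means an imitation of `good`.
        if skeleton(domain) == skeleton(good):
            return "lookalike", good
        if edit_distance(domain, good) <= max_distance:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for sender in ("ap@examplebank.com", "ap@examp1ebank.com", "news@unrelated.org"):
        print(sender, classify_sender(sender))
```

A "lookalike" verdict is a reason to hold the message and confirm the request by phone using the number already on file, as described above.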
Combatting Business Email Compromise
Here are four tips for combatting business email compromise:
1. Build a “human firewall.” Your employees are your first line of defense against BEC and other cyberthreats. So it’s smart to educate them about these risks and how to practice proper cybersecurity hygiene. For example, teach them how to recognize fraudulent spoof emails and scrutinize any funds transfer requests they receive by thinking critically (e.g., why are they requesting this transfer?).
Also emphasize the importance of password security and teach employees how to create strong passwords and change them regularly. Provide employees with a password management system and make sure they know how to use it. You can also conduct simulated BEC attacks to test employee readiness and shore up any weaknesses you see.
2. Take advantage of cybersecurity technology tools. There are a number of tech tools that can help prevent BEC, starting with identity verification tools like multifactor authentication and single sign-on. Digital certificates, also known as S/MIME certificates, add cryptographic digital signatures to your emails to increase security. These certificates also allow you to send encrypted emails to other digital certificate holders using their public keys.
You can go a step further by setting up DNS records for your email domain to prevent unauthorized users from sending emails from your domain. These records also give receiving servers instructions for reporting fraudulent messages, which keeps you aware of any suspicious activity from your domain. Also consider using verified mark certificates to display your verified brand logo in recipients’ inboxes. In addition, network monitoring tools can help you monitor domain traffic and IP addresses being used to sign in to your accounts.
3. Create and implement request verification procedures. Employees should follow detailed, documented procedures before initiating any wires or other types of electronic funds transfers (EFTs). This includes verifying the identity of anyone requesting funds via email through a different channel, such as face-to-face (if feasible) or over the telephone (as noted above).
It’s also smart to require that at least two separate employees originate and approve all wire transfers and EFTs. In addition, set aside a dedicated computer for employees to use for executing wire transfers and other financial transactions and don’t allow any web browsing or email use on the computer.
Also train employees to be on the lookout for fake phone and video calls requesting wire transfers and EFTs. Cyberthieves are using generative AI technologies to create audio and video deepfakes to initiate fraudulent funds transfer requests. If the employee asks questions and the caller ignores them or talks over them, there’s a good chance it’s a deepfake call.
4. Update computer software and browsers regularly. Software updates include security patches that help protect computers from BEC and other cyberthreats, so be sure employees update software whenever they’re prompted to do so. Also make sure employees are using the latest versions of web browsers with pop-up blockers, and consider adding key-logger software to all corporate computers.
Other Cybersecurity Threats
The widespread use of social media in our society also presents cybersecurity risks for businesses. Many cyberthieves are using popular social media sites like Facebook and Instagram to trick employees into downloading malware or divulging sensitive corporate information that enables them to hack into bank accounts.
Therefore, it’s critical to establish corporate policies that dictate what kinds of social media activity are allowed on work computers and what kinds aren’t. This could include an outright ban on social media activity on all corporate digital devices, if necessary.
Pay especially close attention to mobile devices since these tend to be a primary target of cyberthieves. For example, program mobile devices to delete content after a certain number of failed log-in attempts. You should be able to wipe these devices clean remotely in case they’re ever lost or stolen.
Cloud computing also presents cybersecurity threats since companies have less control over data that’s stored in the cloud than over data stored locally. Whatever cybersecurity standards apply at your business should also be applied to any service providers storing your data, as well as third-party vendors they deal with. Find out what kinds of data protection measures they have in place and be prepared to switch service providers if you believe these measures are insufficient.
How Capital Bank Can Help
Talk to your managers about how you can implement strategies like these to guard against business email compromise. And contact Capital Bank to discuss how we can help you initiate wire transfers and EFTs safely.
[1] https://www.thesslstore.com/blog/business-email-compromise-statistics/