Email Fraud Prevention

Email fraud can cost you millions.

What is Business Email Compromise (BEC)?

Business email compromise (BEC), usually carried out through “phishing”, is a technique used to gain access to your company email so criminals can impersonate a co-worker, manager or other trusted business partner to steal sensitive data and money. With access to your business email accounts, criminals can steal money through fraudulent wire transfer requests, fake invoices, and diverted payroll. BEC emails usually contain no malware, so conventional email filters have a hard time detecting them.

How does a typical BEC scam work?

A common technique is email spoofing. Email spoofing occurs when the email appears to be sent by a legitimate sender but is actually sent by a criminal. For example, your accounts payable department receives an email from the CEO (who is traveling abroad) asking for $100,000 to be immediately wired to a new bank account of a trusted business partner. The employee complies. You later discover the new bank account belongs to a criminal who spoofed the CEO’s email account to divert the money.

Here’s how the bad guys work:

Phishing pages: Bad guys send a link to a bogus login page that imitates Office 365 or Google and asks for your credentials. The page looks identical to the real Office 365 or Google login page.

  • Office 365 example: You get an email stating Jane Doe shared a file with you. When you click the link, it opens a fake Office 365 page and you enter credentials. Your credentials are now compromised.
  • Google example: You get an email that appears to be from Google warning you that your account may have been compromised and that you need to change your password. The email provides a link to a fake Google login page where you enter your credentials. Your credentials are now compromised.

Keyloggers: A keylogger is malicious software that captures your keystrokes without you knowing. A phishing email may contain an innocent-looking link, but when you click it, a keylogger is downloaded and installed. From then on, every keystroke, including the usernames and passwords for your personal bank accounts, social media and work systems, is sent to the bad guys.

Three steps to protect your business from BEC.

  1. Enable Two-Factor Authentication (2FA) on Email
    2FA protects your organization because it adds another layer of protection to password-protected remote access to your network. This is the easiest and most effective thing your organization can do to reduce the risk of transfer fraud, and it doesn’t cost a thing! Even if a hacker has stolen an employee’s login credentials, 2FA should prevent them from accessing your email and network.
  2. Train Employees to Recognize Phishing
    Teaching your employees to stay alert and recognize dangerous phishing emails is a great way to thwart BEC attacks. Employees should never click on an attachment or link in an email from an unverified sender. Training your employees will protect your company from the number one cause of a cyber attack—human error.
  3. Spam Filtering and Email Configuration
    Your email server can automatically filter out many suspicious phishing emails. Activating these filters is an easy way to keep dangerous phishing emails from landing in your employees’ mailboxes. Use email filtering to quarantine suspicious emails, and scan documents and files before they are opened.
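The spoofed-CEO scenario above and the filtering step here can be tied together in a small header check. The following is an added example, not code from the original page or from any vendor: it parses an email with Python’s standard library and flags the signs a mail filter would look for in a BEC attempt (an executive’s display name on an outside domain, a Reply-To pointing elsewhere, a lookalike sender domain, failed SPF/DKIM/DMARC results, and payment-urgency wording). The company domain `example.com`, the executive name list, the `Authentication-Results` values and both sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed assumptions for the example: your own mail domain(s) and the
# display names an attacker would most likely impersonate.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}

# Phrases that, in combination, mark a payment-urgency message.
URGENCY_PATTERN = re.compile(
    r"\bwire\b|\bnew bank account\b|\burgent\b|\bimmediately\b", re.IGNORECASE
)


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return a list of BEC/spoofing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: List[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    # 1. An executive's display name arriving from outside the company.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append("executive display name from external domain")

    # 2. Reply-To steers answers to a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to domain differs from from domain")

    # 3. Lookalike sender domain: company name embedded in a domain we do not own.
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if from_domain and from_domain not in TRUSTED_DOMAINS and label in from_domain.replace("-", ""):
            findings.append(f"lookalike sender domain {from_domain}")

    # 4. The receiving server's Authentication-Results (RFC 8601) header reports
    #    anything other than 'pass' for SPF, DKIM or DMARC.
    auth_results = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", auth_results)
        if match and match.group(1).lower() != "pass":
            findings.append(f"{mech}={match.group(1).lower()}")

    # 5. Two or more distinct payment-urgency phrases in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits = {m.lower() for m in URGENCY_PATTERN.findall(text)}
    if len(hits) >= 2:
        findings.append("payment-urgency language")

    return findings


# Constructed sample: the spoofed "CEO abroad asks for a wire" message.
SPOOFED_SAMPLE = """From: Jane Doe <jane.doe@example-payments.com>
Reply-To: Jane Doe <ceo.jane@mail-provider.example>
To: ap@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-payments.com; dkim=none; dmarc=fail header.from=example-payments.com

Please wire $100,000 to our partner's new bank account today. I am traveling and cannot take calls.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
LEGIT_SAMPLE = """From: Bob Smith <bob.smith@example.com>
To: ap@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Want to grab lunch tomorrow?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, spoofing_indicators(sample))
```

A mail gateway would quarantine a message once a couple of these indicators line up; the Authentication-Results check only carries weight when the header is stamped by your own receiving server and stripped from inbound mail, otherwise a sender can forge it.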