Business email compromise (BEC) is a scam in which criminals impersonate a co-worker, manager or trusted business partner over email to steal money or sensitive data, either by gaining access to a real company mailbox or by sending messages that merely appear to come from one. Phishing is the most common way they obtain that access, but BEC and phishing are not the same thing: phishing is the technique, BEC is the fraud it enables. With control of a business email account, criminals can steal money through fraudulent wire transfer requests, fake invoices and diverted payroll. BEC emails usually contain no malware and often no links at all, so they slip past filters that look for malicious attachments and URLs.
How does a typical BEC scam work?
A common technique is email spoofing: the message appears to come from a legitimate sender, but the From address has been forged or uses a lookalike domain (for example, a "1" in place of an "l") and the mail was actually sent by a criminal. For example, your accounts payable department receives an email from the CEO (who is traveling abroad) asking for $100,000 to be wired immediately to a new bank account of a trusted business partner. The employee complies. You later discover the new bank account belongs to a criminal who spoofed the CEO's email address to divert the money. Note that the criminal never needed the CEO's password: the sender address was simply forged, which is why a request like this has to be verified out of band (a phone call to a known number) before any payment is made.
Here’s how the bad guys work:
Phishing pages: Bad guys send a link to a bogus Office 365 or Google login page that requests your credentials. The page is a copy of the real login page and is hard to tell apart by looks alone; the address in the browser's address bar is what gives it away.
Office 365 example: You get an email stating Jane Doe shared a file with you. When you click the link, it opens a fake Office 365 page and you enter credentials. Your credentials are now compromised.
Google example: You get an email that appears to be from Google warning that your account may have been compromised and that you need to change your password. The email links to a fake Google login page where you enter your credentials. Your credentials are now compromised.
Keyloggers: A keylogger is malicious software that captures your keystrokes without your knowledge. A phishing email may contain an innocent-looking link or attachment; opening it downloads and installs a keylogger, usually disguised as a document, an update or an installer you are asked to run. From then on every keystroke, including the usernames and passwords for your business email, personal bank accounts and social media, is sent to the bad guys.
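The phishing-page examples above all hinge on the link pointing somewhere other than the real Office 365 or Google sign-in host. The following Python script is an added example (not code from the original article) of the checks a mail filter or a help-desk triage tool can apply to a link before anyone clicks it: an allowlist of the brands' legitimate login domains, a flag for a brand name appearing on some other domain, and flags for two classic tricks, a user-info prefix that hides the real host (`https://login.microsoftonline.com@evil.example/`) and raw IP or punycode hosts. The allowlist and the sample links are constructed assumptions, and the "last two labels" rule for the registrable domain is a simplification that misjudges public suffixes such as co.uk; a production filter would use the Public Suffix List.

```python
"""Triage links from a phishing email: does this really go to the Office 365 / Google login?

Added example, not code from the original article. Assumptions: the allowlist
below is a partial list of the brands' legitimate login domains, and the
registrable domain is taken as the last two DNS labels (a simplification that
misjudges public suffixes such as co.uk; use the Public Suffix List in production).
"""
import ipaddress
from urllib.parse import urlparse

# Assumption: registrable domains that legitimately host the brands' sign-in pages.
LEGIT_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "office.com", "live.com",
    "sharepoint.com", "google.com",
}
# Brand words whose appearance in any *other* host or path is a strong impersonation signal.
BRAND_WORDS = ("microsoft", "office", "office365", "onedrive", "sharepoint", "google", "gmail")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified; see module docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str) -> str:
    """Return one verdict: legit, ip-host, idn-host, brand-impersonation, unknown or malformed."""
    parsed = urlparse(url.strip())
    host = parsed.hostname or ""          # hostname drops any user:pass@ prefix, so the real target is used
    if not host or parsed.scheme not in ("http", "https"):
        return "malformed"
    try:
        ipaddress.ip_address(host)        # a bare IP address is never a real Office 365 / Google login
        return "ip-host"
    except ValueError:
        pass
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "idn-host"                 # internationalised label: often a homoglyph lookalike
    haystack = (host + parsed.path).lower()
    if any(word in haystack for word in BRAND_WORDS):
        return "brand-impersonation"      # brand name used on a domain the brand does not own
    return "unknown"


def triage(urls) -> dict:
    """Verdict per URL; anything other than 'legit' deserves a second look before clicking."""
    return {u: check_link(u) for u in urls}


# Constructed sample links (not taken from any real phishing campaign).
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://office365-login.example.net/login.php",
    "https://accounts.google.com.verify-account.example/signin",
    "http://login.microsoftonline.com@203.0.113.5/",
    "https://xn--micrsoft-k6a.com/login",
    "https://example.org/invoice.pdf",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:20} {url}")
```

The order of the checks matters: the IP and allowlist tests run before the brand-word test, so a legitimate `login.microsoftonline.com` link is never flagged merely because it contains "microsoft", while `accounts.google.com.verify-account.example` is caught because its registrable domain is not Google's.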
Three steps to protect your business from BEC.
Enable Two-Factor Authentication (2FA) on Email
2FA adds a second check beyond the password for signing in to email and for other remote access to your network. It is the easiest and most effective thing your organization can do to reduce the risk of transfer fraud, and most business email providers include it at no extra charge. Even if a criminal has stolen an employee's login credentials, 2FA should stop them from signing in to your email and network. Two caveats: one-time codes delivered by SMS or an authenticator app can still be relayed by a phishing page that proxies the real login in real time, so prefer phishing-resistant methods such as hardware security keys where you can; and make sure older mail protocols that accept only a username and password (basic authentication for IMAP, POP and SMTP) are disabled, or the second factor can be bypassed entirely.
Train Employees to Recognize Phishing
Teaching your employees to stay alert and recognize dangerous phishing emails is a great way to thwart BEC attacks. Employees should never open an attachment or click a link in an email from an unverified sender, and any request to change bank details or make an urgent payment should be confirmed by phone with the requester on a number you already have, never by replying to the email. Training your employees reduces your exposure to one of the most common causes of a cyber attack: human error.
Spam filtering and Email Configuration
Your email server or mail gateway can automatically filter out many suspicious phishing emails, and activating these filters is an easy way to keep them out of your employees' mailboxes. Use email filtering to quarantine suspicious emails and to scan documents and files before they are opened. Also publish SPF, DKIM and DMARC records for your own domain so that receiving servers (including your own) can reject mail that forges your addresses, and consider tagging mail that arrives from outside the organization so that a message claiming to be from your CEO but sent from an external address stands out.
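The spoofed-CEO scenario described earlier and the filtering advice in this step come together in header checks. The following Python script is an added example (not code from the original article) of the kind of triage a mail gateway or a SOC script can run on each incoming message: it reads the SPF/DKIM/DMARC verdicts that the gateway stamps into the Authentication-Results header, flags a protected executive's display name on an address outside the company domain, flags a lookalike sender domain by edit distance, flags a Reply-To that points somewhere other than the From domain, and notes payment-themed subjects. The company domain, the protected name and the three sample messages are constructed assumptions. The first sample shows why sender authentication alone is not enough: a lookalike domain the criminal registered passes SPF and DMARC for itself, so only the display-name and lookalike checks catch it.

```python
"""Header-based BEC / spoofing triage over constructed sample messages.

Added example, not code from the original article. Assumptions: the company's
own domain, a set of executive display names worth protecting, and a trusted
mail gateway that stamps an Authentication-Results header (RFC 8601).
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"      # assumption: our own domain
PROTECTED_NAMES = {"jane doe"}      # assumption: display names of executives to watch
LURE_WORDS = ("wire", "urgent", "invoice", "payroll", "bank account")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between sender and company domain mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_verdicts(msg) -> dict:
    """Pull spf=/dkim=/dmarc= results out of Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in str(hdr).split(";"):
            tokens = part.strip().split()
            if tokens and "=" in tokens[0]:
                method, verdict = tokens[0].split("=", 1)
                results[method.lower()] = verdict.lower()
    return results


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> list:
    """Return the list of BEC indicators found in one raw message (empty list = nothing suspicious)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    auth = auth_verdicts(msg)
    if auth.get("dmarc") == "fail" or auth.get("spf") == "fail":
        findings.append("auth-fail")                 # direct forgery of a domain with SPF/DMARC
    if from_domain != COMPANY_DOMAIN and name.strip().lower() in PROTECTED_NAMES:
        findings.append("display-name-spoof")        # our CEO's name on an outside address
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")          # e.g. examp1e.com vs example.com
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if _domain(reply) and _domain(reply) != from_domain:
        findings.append("reply-to-mismatch")         # replies go to the criminal, not the sender
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in LURE_WORDS):
        findings.append("payment-lure")
    return findings


# Constructed sample messages (not real mail). Lookalike domain: SPF/DMARC pass for itself.
SPOOFED_CEO = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@examp1e.com
To: ap@example.com
Subject: Urgent wire transfer for new vendor
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=pass header.from=examp1e.com

Please wire $100,000 today to the new account below.
"""
# Direct forgery of our domain: fails authentication, replies diverted to a free mailbox.
DIRECT_SPOOF = b"""From: Jane Doe <jane.doe@example.com>
Reply-To: ceo.jane@freemail.example
To: ap@example.com
Subject: Invoice payment for new supplier
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Pay the attached invoice as soon as possible.
"""
LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 planning meeting
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

See you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed-ceo", SPOOFED_CEO), ("direct-spoof", DIRECT_SPOOF), ("legit", LEGIT)):
        print(label, triage(raw) or "clean")
```

Any message with "display-name-spoof" or "lookalike-domain" is worth quarantining or at least tagging with a warning banner; "payment-lure" on its own is only a tiebreaker, since legitimate invoices use the same words.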