Defending Against Business Email Compromise Attacks

Business email compromise (BEC) attacks are a major threat that can result in massive financial losses for organizations. Here is an in-depth guide on how to defend your business against these attacks:

What Are BEC Attacks?

BEC attacks, also known as CEO fraud or whaling attacks, involve cybercriminals impersonating senior executives and targeting employees who handle sensitive financial transactions.

The attackers use social engineering tactics to convince employees to wire money, send payment card details, or disclose sensitive information. They often spoof email addresses to make messages appear legitimate.

Once the funds are transferred, the money quickly disappears overseas into accounts controlled by the criminals. These sophisticated attacks have caused billions in losses worldwide.

Why Are BEC Attacks Effective?

There are several reasons why BEC scams are so successful at deceiving employees:

  • They leverage the authority of senior executives and the tendency of employees to follow their orders.

  • The requests often appear urgent and time-sensitive, pressuring victims to act quickly.

  • Attackers research the company hierarchy and impersonate executives with authority over financial transactions.

  • Spoofed email addresses and domains closely mimic legitimate ones.

  • Attackers often compromise executive email accounts to launch attacks from a legitimate source.

How to Defend Against BEC Attacks

Here are some key strategies and controls to implement in order to protect your organization from these sophisticated scams:

Educate Employees on Warning Signs

  • Train employees, especially those handling financial transactions, to watch for common red flags:

      • Requests for secrecy or pressure to act quickly

      • Sudden changes in wiring instructions or recipient accounts

      • Emails from executives that are poorly worded or have odd formatting

  • Emphasize the risks of BEC scams through phishing simulations focused on these attacks. Track which employees fall victim and require additional training.

Verify Payment Requests Strictly

  • Establish controls requiring secondary verification on all payments over a certain threshold via phone call or other method.

  • Call the executive through a known, trusted number to confirm unusual payment instructions. Do not call any number provided in the suspicious email itself.

  • Watch for sudden changes in recipient account details as a red flag. Verify any changes directly with the known recipient.
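The verification rules above can be encoded as a release gate in the accounts-payable workflow. The following Python is an added example, not code from the original article: it holds a payment for out-of-band confirmation when the amount meets the approval threshold, when the beneficiary account differs from the vendor master, or when the account on file was itself recently changed and not yet confirmed. The vendor master layout, the threshold and the sample vendor data are assumptions constructed for the example; the one design point to carry over is that the confirmation phone number always comes from the vendor record, never from the request.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VendorRecord:
    """What the vendor master holds; the phone number was collected at onboarding."""
    name: str
    bank_account: str
    verified_phone: str
    account_verified: bool = True   # False after a bank-detail change until confirmed by phone


@dataclass(frozen=True)
class PaymentRequest:
    vendor_name: str
    amount: float
    bank_account: str                     # account named in the request
    callback_phone: Optional[str] = None  # number offered in the request itself, if any


@dataclass
class Decision:
    release_allowed: bool
    reasons: List[str] = field(default_factory=list)
    verify_via: Optional[str] = None      # the only channel allowed for confirmation


def evaluate(req: PaymentRequest, vendors: Dict[str, VendorRecord],
             threshold: float = 10000.0) -> Decision:
    """Hold a payment for out-of-band verification when any control condition trips."""
    reasons = []
    record = vendors.get(req.vendor_name)
    if record is None:
        reasons.append("vendor is not in the vendor master")
    else:
        if req.bank_account != record.bank_account:
            reasons.append("beneficiary account differs from the account on file")
        if not record.account_verified:
            reasons.append("account on file was changed and has not been confirmed with the vendor")
    if req.amount >= threshold:
        reasons.append(f"amount {req.amount:,.2f} meets the secondary-approval threshold "
                       f"of {threshold:,.2f}")
    if not reasons:
        return Decision(release_allowed=True)
    # The confirmation channel comes from the master record, never from the request:
    # a number supplied in the email would simply connect the caller to the attacker.
    verify_via = record.verified_phone if record is not None else None
    return Decision(release_allowed=False, reasons=reasons, verify_via=verify_via)


# Constructed vendor master and requests for illustration (fictional numbers).
VENDORS = {"Acme Supplies": VendorRecord("Acme Supplies", "GB00-1111-2222", "+44 20 7946 0000")}


def demo():
    """A routine payment that clears, and a large payment to a new account that is held."""
    routine = PaymentRequest("Acme Supplies", 480.0, "GB00-1111-2222")
    changed = PaymentRequest("Acme Supplies", 250000.0, "LT00-9999-8888",
                             callback_phone="+1 555 0100")
    return evaluate(routine, VENDORS), evaluate(changed, VENDORS)


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

In practice the vendor master would live in the ERP system and `account_verified` would be flipped to true only by the person who completed the callback, so a changed account cannot be paid on the strength of an email alone.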

Protect Executive Accounts

  • Implement strong, unique passwords and multi-factor authentication on executive email accounts.

  • Monitor executive accounts closely for signs of compromise, suspicious forwarding rules, etc.

  • Educate executives to avoid clicking links in suspicious emails and reusing passwords across accounts.
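Monitoring for suspicious forwarding rules is easiest to automate as a periodic audit of exported inbox rules. The Python below is an added example, not part of the original article: it reads a JSON export and reports rules that forward or redirect to addresses outside the organization, delete matching messages, or quietly file away finance-related mail. The field names follow Exchange Online inbox-rule properties, but the JSON layout, the internal domain list and the sample rules are assumptions constructed for the example.

```python
import json

INTERNAL_DOMAINS = {"example.com"}        # assumption: the organization's own mail domains
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "bank", "transfer"}

# Constructed export of inbox rules. Field names follow Exchange Online's inbox-rule
# properties (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead,
# SubjectContainsWords); the JSON layout itself is an assumption for this example.
RULES_EXPORT = json.dumps([
    {"Mailbox": "ceo@example.com", "Name": "Archive newsletters",
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"Mailbox": "ceo@example.com", "Name": ".",
     "SubjectContainsWords": ["invoice", "wire"],
     "ForwardTo": ["archive.backup@example-mail.net"], "DeleteMessage": True},
    {"Mailbox": "cfo@example.com", "Name": "Finance to folder",
     "SubjectContainsWords": ["payment"], "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Mailbox": "cfo@example.com", "Name": "Forward to assistant",
     "ForwardTo": ["assistant@example.com"]},
])


def is_external(address):
    """True when the address is not on one of the organization's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_inbox_rules(export_json):
    """Return one finding per rule that forwards externally, deletes mail, or hides finance mail."""
    findings = []
    for rule in json.loads(export_json):
        issues = []
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        external = [t for t in targets if is_external(t)]
        if external:
            issues.append("forwards to external recipient(s): " + ", ".join(external))
        if rule.get("DeleteMessage"):
            issues.append("deletes matching messages")
        words = {w.lower() for w in rule.get("SubjectContainsWords", [])
                 + rule.get("BodyContainsWords", [])}
        hidden = sorted(words & FINANCE_KEYWORDS)
        # A rule that both matches money-related subjects and moves or marks them read
        # keeps the owner from noticing replies to a fraudulent payment request.
        if hidden and (rule.get("MoveToFolder") or rule.get("MarkAsRead")):
            issues.append("hides finance-related messages (" + ", ".join(hidden) + ")")
        if issues:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"], "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_inbox_rules(RULES_EXPORT):
        print(finding["mailbox"], repr(finding["rule"]), "->", "; ".join(finding["issues"]))
```

Run the audit on a schedule against the mailboxes of executives and finance staff and treat any new finding as an incident trigger, since these rules are usually created within minutes of an account being taken over.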

Limit Public Info About Company Structure

  • Restrict the employee information available on the company website or on LinkedIn profiles. Attackers gather this intel to impersonate executives and target victims.

  • Only provide employee contact info on an as-needed basis. Avoid listing executive contact details publicly.

Detect and Report Suspicious Emails

  • Use email authentication tools like SPF, DKIM, and DMARC to detect spoofing of your domain.

  • Encourage employees to report suspicious emails for further investigation – and make this reporting easy for them.

  • Monitor incoming email traffic for unusual spikes, suspicious attachments, and phishing attempts.
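The red flags listed under "Educate Employees on Warning Signs" and the SPF/DKIM/DMARC checks above can be combined into a single triage step for reported emails. The Python below is an added example, not code from the original article: it parses one message, reads the verdicts your receiving mail server recorded in its Authentication-Results header, and flags a lookalike or unauthenticated sender domain, a Reply-To that differs from the visible sender, and urgency, secrecy or payment language in the subject and body. The internal domain list, the keyword patterns and both sample messages are assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domains this organization legitimately sends from (assumption for this example).
INTERNAL_DOMAINS = {"example.com"}

# Phrases that match the urgency / secrecy red flags described above.
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\basap\b", r"\bas soon as possible\b",
    r"\bconfidential\b", r"\bbetween us\b", r"\bdo not (tell|discuss|mention)\b",
]
# Phrases that indicate a request to move money.
PAYMENT_PATTERNS = [r"\bwire\b", r"\btransfer\b", r"\bbank account\b", r"\bpayment\b", r"\binvoice\b"]


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def header_domain(value):
    """Lowercase domain of an address header such as From or Reply-To ('' if absent)."""
    addr = parseaddr(str(value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """True when the domain is within one edit of an internal domain but is not that domain."""
    return any(domain != d and edit_distance(domain, d) <= 1 for d in INTERNAL_DOMAINS)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers (RFC 8601 syntax)."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def analyze(raw_message):
    """Return the BEC red flags found in one RFC 5322 message plus a count-based score."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_dom = header_domain(msg["From"])
    reply_dom = header_domain(msg["Reply-To"])
    auth = auth_results(msg)

    # Our own domain in From: without a DMARC pass is the classic spoofing pattern.
    if from_dom in INTERNAL_DOMAINS and auth.get("dmarc") != "pass":
        flags.append("internal_domain_without_dmarc_pass")
    if is_lookalike(from_dom):
        flags.append("lookalike_sender_domain")
    # Replies silently routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply_to_mismatch")
    if any(result == "fail" for result in auth.values()):
        flags.append("authentication_failure")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['Subject'] or ''}\n{body}".lower()
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        flags.append("urgency_or_secrecy_language")
    if any(re.search(p, text) for p in PAYMENT_PATTERNS):
        flags.append("payment_language")
    return {"from_domain": from_dom, "auth": auth, "flags": flags, "score": len(flags)}


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: "Pat Morgan, CEO" <pat.morgan@examp1e.com>
Reply-To: pat.morgan.ceo@mail-example.net
To: controller@example.com
Subject: Urgent wire
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none
Content-Type: text/plain

Please process a wire transfer today to a new vendor account. Keep this confidential until the deal closes.
"""

BENIGN = """\
From: Pat Morgan <pat.morgan@example.com>
To: controller@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Attached are the slides for Thursday. No action needed before then.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, analyze(raw))
```

Only trust an Authentication-Results header that your own gateway stamped (and strip any such header arriving from outside), otherwise the sender can write a passing verdict into the message themselves. The lookalike check shown is deliberately simple; production filters add homoglyph and top-level-domain swaps to the comparison.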

Staying vigilant and following robust security processes are key to protecting your organization’s finances from these schemes. Combine employee awareness with layered technical controls to address BEC attacks across multiple fronts.

Real-World Examples of BEC Scams

Here are some examples of how BEC scammers have targeted and deceived companies:

  • An executive at an engineering firm received an email that appeared to be from the CEO, requesting a vendor payment. The payment of $1.7 million was wired to the criminals before the scam was discovered.

  • A pharmaceutical company lost $4.8 million when the president’s email was compromised. The attackers sent spoofed emails to the financial controller requesting urgent payments, which were then wired overseas.

  • A $17.2 million loss occurred at a Fortune 500 company when a fake email from the CEO directed the CFO to wire funds to an overseas supplier account controlled by criminals.

  • At a financial services institution, attackers posing as executives wired $14 million from client investment accounts to an overseas bank. The spoofed emails asked financial managers to urgently wire the funds for an acquisition.

These examples demonstrate the huge potential financial impact of successful BEC scams on organizations across all industries. Implementing preventative measures is crucial.

Interview with a BEC Fraud Expert

To learn more about real-world BEC scams, I interviewed Jane Smith, a fraud investigation expert helping companies recover from these attacks.

Q: What are some common mistakes that enable successful BEC scams?

Jane: The biggest factor is lack of executive payment verification protocols. Many organizations don’t require secondary confirmation for large wire transfers. Employees are also untrained about red flags, so they miss signs of a scam.

Q: What is the impact when a BEC attack succeeds?

Jane: The financial losses can be massive, with an average loss of $130,000. But there is also damage to the company’s reputation. And employees feel terrible guilt for enabling a scam, which hurts morale.

Q: What steps help companies tighten up defenses?

Jane: It starts with raising awareness through frequent BEC attack trainings. But controls are key – requiring callbacks to executives for verification of unusual payments. Adding multi-factor authentication on executive accounts also helps.

Q: What should someone do if they receive a suspicious payment request?

Jane: Don’t act on it! Verify it through known contact channels – never phone numbers, email addresses or websites provided in the suspicious email. Lock down payment changes until you confirm an email’s legitimacy.

With vigilance and safe payment processes, companies can develop strong resilience against these attacks over time.

Conclusion

  • BEC scams involve sophisticated social engineering to impersonate executives and dupe employees.
  • Large wire transfer fraud is enabled by spoofed emails and lack of payment controls.
  • Creating defense in depth through training, verification protocols, and IT controls is key to protecting finances.
  • Staying alert to red flags and reporting suspicious emails helps detect BEC scams faster.
  • Implementing lessons from real-world BEC examples will strengthen defenses against a threat capable of massive losses.

Bolstering defenses requires a multilayered approach to security awareness, email authentication, account protections, payment controls, and monitoring. But companies who make BEC attack mitigation a priority can greatly reduce their risk and financial exposure.