Business Email Compromise Attacks Are Costing Businesses Like Yours Millions

Business Email Compromise is an increasingly common cybercrime tactic today that doesn’t rely on technical vulnerabilities at all—it relies on you. Could you be putting your organization at risk?

A recent report by Palo Alto Networks has identified an uptick in Business Email Compromise attacks, as a result of the standardization of the attack vector. Cybercriminals can now acquire and deploy the weapon “as a service”, making attacks more effective and more common.

Similarly, Intuit has issued a warning to QuickBooks users about a new Business Email Compromise scam that is making the rounds.

Are you sure your business is properly defended about this tactic?

CSP, Inc. will help you mitigate the threat of Business Email Compromise. Get in touch with our team to discover how.

YouTube video

What Is Business Email Compromise?

Business Email Compromise is a social engineering technique used by cybercriminals in which they pose as a business or member of a business in order to execute fraudulent payments. In order to effectively defend against scams like this, you have to first understand how they are executed.

How Does Business Email Compromise Work?

In layman’s terms, a cybercriminal will write an email pretending to be from a known contact or organization (e.g. your bank), and request that a payment be processed—instead of sending the funds to a legitimate source, the payment will go to them.

Business Email Compromise can be carried out in a number of ways:

  • Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources; often with legitimate-looking logos attached.
  • Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
  • Online Research: LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel, as do their company websites. This can include their contact information, connections, friends, ongoing business deals and more.

In some cases, cybercriminals may only spoof an email address, and in others, they’ll directly breach the target’s account.

Once a cybercriminal has gained access to a target’s email address, they can begin sending payment requests or simply redirect all invoices to a private folder for their perusal. Whether they’re redirecting incoming or outgoing funds, the end result is still the same—your business loses money.

Alternatively, cybercriminals can simply intercept an important financial document such as an invoice. They can either change the payment details or inform the recipient that the details have changed, substituting their own bank account for the business’.

Is Business Email Compromise A Serious Threat?

Let’s look at the facts—the average wire fraud attack costs $567,000, and the highest recorded was $6 million. The FBI estimates that BEC attacks cost a total of $1.87 billion just last year.

If you’re skeptical of how this type of scam could cause so much damage, consider the average amount you’re sending or receiving via wire transfer or invoice payments. One small business lost $15,482 in an instant when a cybercriminal intercepted a PDF invoice and redirected the funds to their account.

If just one fraudulent or misplaced email could cost you tens of thousands of dollars, it quickly adds up. That’s why you need to understand how Business Email Compromise works and how to defend against it.

Who Are Common Targets For Business Email Compromise?

While the CEO is often a target, cybercriminals can do plenty of damage by going after other members of an organization. There are a number of key, high-value targets that make it worth the cybercriminal’s time to go after.

Whether it’s their authority or their access to confidential information, these groups are all at risk for Business Email Compromise:

  • Financial Staff Members: While the finance department is especially vulnerable in organizations that regularly engage in large wire transfers, smaller businesses’ payroll data is also of high value to cybercriminals.
  • Human Resources: Similar to finance, HR is a key target for the data they store on employees, including birthdates, medical data and more, all of which are of high value to cybercriminals.
  • C-Level Executives: You don’t have to be the CEO to be a high-level target. CFOs have access to financial data, CTOs have access to login info, and everyone at this level has the authority to execute wire transfers and make large purchases.
  • IT Management: The IT manager and IT personnel with authority over access controls, password management, and email accounts are also high-value targets.

Email Attacks Cost North Carolina Organizations Millions

How Can You Stop Business Email Compromise?

Know Your Targets: By noting the above listed key targets, you can examine the role they play in cyber security, and how their access and authority is being protected:

  • Review social/public profiles for job duties/descriptions, hierarchical information, out-of-office detail, or any other sensitive corporate data.
  • Identify any publicly available email addresses and lists of connections.

Defend Your Organization: Implementing the right range of cyber security solutions can help to protect common points of penetration for cybercriminals:

  • Email filtering
  • Multi-factor authentication
  • Automated password and user ID policy enforcement
  • Comprehensive access and password management
  • Whitelist or blacklist external traffic
  • Patch/update all IT and security systems
  • Manage access and permission levels for all employees
  • Review existing technical controls and take action to plug any gaps

Implement A Robust Security Policy: You need to dictate how members of the organization, top to bottom, contribute to your cyber security. Everyone with access to your IT environment should follow these best practices:

  • Don’t open attachments or click on links from an unknown source.
  • Don’t use USB drives on office computers.
  • Follow a Password Management Policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.).
  • Participate in mandatory security training.
  • Learn to recognize phishing emails.

Plan Ahead To Mitigate Cyber-Risk: You need to develop a comprehensive cyber-incident response plan for your organization. Make sure to test it regularly, and update it to address any shortfalls. Make sure to implement your plan properly—it won’t work if your staff doesn’t know about it, and can’t participate in it:

  • Executive leadership must be well informed about the current level of risk and its potential business impact.
  • Management must know the volume of cyber incidents detected each week and of what type.
  • Understand what information you need to protect. Identify the corporate “crown jewels,” how to protect them and who has access.
  • A policy should be established as to thresholds and types of incidents that require reporting to management.
  • Best practices and industry standards should be gathered up and used to review the existing cyber security program.
  • Consider obtaining comprehensive cyber security insurance that covers various types of data breaches.

Test Against Phishing: Share these tips with your employees to ensure they know how to spot a phishing attempt:

  • Genetic content: Cybercriminals will send a large batch of emails.  Look for examples like “Dear valued customer.”
  • “From” Email Address: The first part of the email address may be legitimate, but the last part might be off by a letter or may include a number in the usual domain.
  • Urgency: “You’ve won! Click here to redeem a prize,” or “We have your browser history pay now or we are telling your boss.
  • Check Links: Mouse over the link and see if the link’s destination matches where the email implies you will be taken.
  • Misspellings, Incorrect Grammar, & Odd Phrasing: This might be a deliberate attempt to try and bypass spam filters
  • Don’t Click Attachments: Virus-containing attachments might have an intriguing message encouraging you to open them such as “Here is the schedule I promised.”

CSP Will Train Your Team To Spot BEC Scams

Even the most effective digital security measures can be negated by simple human error.

So much of cybersecurity is dependent on the user, and as such it’s vital that you properly educate your employees on safe conduct. The more your workforce knows about the security measures you have in place, the more confidently they can use the technology in a secure manner.

We can help—with PII Protect‘s proven cybersecurity curriculum, we’ll help you show your staff how to use business technology in a way that doesn’t put your business at risk.

We offer a comprehensive employee Cyber Awareness Training program developed by PII Protect that combines regular online training, simulated phishing attacks, and dark web monitoring. The three components of this curriculum include:

  • Phishing Training and Testing: Ensure your users know how to identify a dangerous email.
  • Security Awareness Training: Give your users the knowledge they need to contribute to organization-wide cybersecurity.
  • Policies and Procedures: Implement proven best practices for maintaining robust cybersecurity across your staff.  With our help, your staff will contribute to your cybersecurity, not compromise it.

Whether You’re An Easy Target Or Not Is Up To You

The bottom line is that everyone in your organization, top to bottom, is a potential target. Make sure everyone is following cyber security best practices and is protected.

If you need expert assistance defending against cybercriminals and training your staff to recognize social engineering scams, get in touch with CSP, Inc.

IT Companies in Raleigh

Download Our

IT Company in Raleigh

On What Questions You Need To Ask Before Signing Any Agreement.

Raleigh IT Support

Latest Tweets