Mitigating the Risk of Business Email Compromise in Your Organization
Regardless of industry, businesses are constantly trying to reduce risk. While technology has undoubtedly helped companies improve their processes and safety measures, it has also exposed them to new kinds of cybersecurity risk.
Business email compromise (BEC) is a form of cyber crime that organizations must be able to recognize, contain and limit the damage of. In 2019, the FBI's Internet Crime Complaint Center received 23,775 BEC complaints, with adjusted losses of more than $1.7 billion. The number of complaints grows each year as scammers find new parts of the business to target, such as payroll and human resources.
BEC is a prevalent and costly risk that every organization should understand. Let's look at how the scam works, the internal processes a business can put in place, and how working with outside experts can help mitigate it.
A Sophisticated and Costly Scam
A business email compromise scam is more than an ordinary phishing scheme, although that is often how it starts. The FBI describes BEC as one of the most financially damaging online crimes because it is relatively easy to carry out while the payout is immediate and can be large.
According to the FBI, a BEC typically begins when a scammer spoofs an email account or website. With a legitimate-looking address that imitates a vendor or a person the recipient knows, the scammer targets individuals in the company who control money or data, such as a procurement manager or someone in the C-suite. The spoofed address is then used to make a plausible request that usually involves a transfer of funds or the disclosure of private company or personal information.
For instance, an email may arrive that appears to come from a vendor the business deals with regularly, asking that an open invoice be paid to a different bank account. Nothing about the request looks out of the ordinary, so a CFO may approve it and send the payment with little thought. Similarly, a scammer could spoof the CEO's email address and ask the CEO's assistant to buy gift cards for employees, or to send over the company credit card number.
BEC scammers know that impersonating the people and vendors a business already trusts is the easiest way to reach its money. For a large organization that makes payments every day and deals with many vendors, these doppelganger accounts become more costly the longer they go undetected.
Strengthening Internal Systems to Avoid a BEC
Spotting a BEC at the outset can be difficult because a well-made doppelganger account looks convincing. There are still steps that reduce the risk of someone in your company falling for the scam. Beyond knowing how to recognize a doppelganger account, a business needs to harden its internal systems against these attacks.
Because these scammers are after the company's private financial and personal information, strong controls must protect it. That starts with requiring two-factor authentication for email accounts and for the systems used to make or approve payments. If a scammer tries to take over a business account, this extra layer may stop them before the scam can be completed.
Of course, two-factor authentication does not stop employees from receiving and acting on a spoofed email. Companies should also invest in email filtering that can detect fraudulent messages before they reach an inbox. Enforcing sender authentication (SPF, DKIM and DMARC) on the company's own domain makes exact-domain spoofing much harder, although it does nothing against a lookalike domain the scammer registers and controls, which is why filtering for lookalike domains still matters. This deeper layer of protection can catch a BEC attempt and other email fraud before it starts, which is essential for limiting financial losses.
What To Do if Your Business Email is Compromised
Sometimes a phishing email still gets past these internal controls, which is why employees must never let their guard down. Microsoft recommends that businesses teach team members to spot a BEC attempt by paying attention to the tone of the message: scammers often make the need for information or payment extremely urgent, pressuring the recipient to reply immediately.
Make sure employees understand that an urgent or unusual request may be a scam, and give them a fixed procedure for checking whether it is genuine. That usually means contacting the sender through a separate channel, preferably a phone call to a number already on file rather than one taken from the email, to confirm they actually made the request. Changes to a vendor's bank details in particular should never be accepted on the strength of an email alone.
If you learn that your business has been the victim of a BEC, notify your email provider and your other key contacts, such as your security partner, right away. They can check other business accounts for suspicious outbound mail and activity and cut off the scammer's access to critical company information and finances. If money has already been sent, contact your bank immediately to attempt a recall of the transfer.
Finally, report the scam to the FBI through its Internet Crime Complaint Center (IC3). The FBI uses these reports to disrupt similar schemes. From there, continue improving internal systems and employee training to protect your business from another compromise.
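The three signals described above, a doppelganger sender domain, a Reply-To header that quietly diverts replies elsewhere, and urgent payment language, can be checked automatically on every incoming message, whether by a mail filter or by a small triage tool an employee runs before acting on a request. The following Python script is an added example for this article, not code from the original page or from any vendor it mentions. The trusted-domain list, the two sample messages and the invoice number in them are constructed for illustration, and the similarity rules are deliberately simple heuristics, not a production filter.

```python
"""Heuristic BEC triage of a raw email message (added example; constructed data)."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical allow-list: domains of vendors and executives the business trusts.
TRUSTED_DOMAINS = {"acme-supplies.example", "ourcompany.example"}

# Single-character substitutions scammers use so a domain reads correctly at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Phrases that signal the pressure and payment redirection typical of BEC.
URGENCY_CUES = ("urgent", "immediately", "asap", "today", "wire",
                "gift card", "new bank account", "confidential")


def normalize(domain: str) -> str:
    """Collapse common lookalike tricks so visually similar domains compare equal."""
    d = domain.strip().lower()
    try:
        d = d.encode("ascii").decode("idna")  # expand punycode (xn--) labels
    except UnicodeError:
        pass
    # 'rn' -> 'm' and 'vv' -> 'w' are multi-character lookalikes, handled separately.
    return d.replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values indicate a typosquatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one impersonates, or None if it is genuine/unrelated."""
    raw = domain.strip().lower()
    for t in trusted:
        if raw == t or raw.endswith("." + t):
            return None  # the real domain, or a genuine subdomain of it
    d = normalize(raw)
    for t in trusted:
        tn = normalize(t)
        if (d == tn                                   # homoglyph copy, e.g. acrne-supplies.example
                or d.startswith(tn + ".")             # trusted.example.attacker.test
                or edit_distance(d, tn) <= 2          # acme-suppiles.example
                or d.split(".")[0] == tn.split(".")[0]):  # same name, different TLD
            return t
    return None


def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message and say whether it must be verified out of band."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    from_domain = from_addr.rpartition("@")[2]

    impersonated = lookalike_of(from_domain)
    if impersonated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {impersonated}")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain.lower():
        findings.append(f"Reply-To diverts replies to {reply_addr}")

    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    cues = [c for c in URGENCY_CUES if c in text]
    if cues:
        findings.append("urgency or payment language: " + ", ".join(cues))

    verdict = "verify out of band before acting" if findings else "no BEC indicators found"
    return {"sender": from_addr, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Dana Lee, Accounts" <billing@acrne-supplies.example>
Reply-To: dana.lee@mail-relay.test
To: cfo@ourcompany.example
Subject: URGENT: updated bank details for invoice 4471

Hi, please process today's invoice to our new bank account below.
This is confidential, so send confirmation to me directly.
"""

LEGITIMATE = """\
From: billing@acme-supplies.example
To: cfo@ourcompany.example
Subject: Invoice for March

Attached is the invoice for last month.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        result = triage(sample)
        print(name, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

The genuine-domain check runs on the raw address before normalization, so a homoglyph domain such as acrne-supplies.example is not mistaken for the real one. A flagged message is not proof of fraud; it is the trigger for the phone call described above, and the tool should never be the only control on a bank-detail change.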
Working With a Professional for Added Security
One of the best ways to stop a business email compromise before it starts is to work with a professional cybersecurity partner. As scammers keep creating doppelgangers of the vendors and personnel you trust, a fraudulent account can be hard for an employee to spot. A cybersecurity expert, with the right tooling and knowledge, can monitor the web and your internal systems for newly registered lookalike domains and spoofed accounts and alert your business before a phishing email is ever sent.
With a trusted partner by your side, your business is prepared to respond to a business email compromise rather than react to it. That is the difference between continuing to protect your company's finances and scrambling to pick up the pieces and patch up your network.
Contact us today to learn more about how our services and solutions can protect your business’s most valuable assets.