What is Business Email Compromise and How Can You Protect Your Business From It?

October 2, 2023

October marks the beginning of Cybersecurity Awareness Month. For business owners, cybersecurity should be a year-round priority, but this dedicated month serves as an essential reminder to re-evaluate security practices. One of the most pressing threats in today's digital landscape is business email compromise (BEC). Read along to learn more about what BEC is and learn strategies to tackle this cyber threat.

What is Business Email Compromise (BEC)?

Business email compromise, often referred to as BEC, is a sophisticated and malicious cyberattack that targets organizations, their employees, and their financial assets. According to the FBI, BEC “is one of the most financially damaging online crimes.” This attack hinges on impersonation and manipulation, where cybercriminals deceive employees into thinking they are communicating with a trusted colleague or superior. Once trust is established, the attacker tricks the victim into taking actions that benefit the attacker. BEC attacks typically come in three primary forms:

  • CEO Fraud: In this scenario, cybercriminals impersonate a high-ranking executive, such as the CEO or CFO, and request that employees transfer funds, share sensitive data, or engage in other activities that compromise the company's security.
  • Invoice Fraud: Attackers compromise a supplier's or vendor's email account to send fraudulent invoices to the target organization. These invoices appear legitimate, convincing employees to make payments to the criminal's account.
  • Employee Impersonation: Cybercriminals impersonate an employee, often someone in the finance or HR department, to mislead colleagues into sharing confidential information, such as employee records or financial data.

Common Red Flags of a BEC Email

A BEC attack can come in many forms, and unlike most phishing it usually carries no malware or malicious link; the email itself is the weapon. Here is a quick guide to help you spot fraudulent emails:

  • Falsified sender domain: a spoofed or lookalike domain (a swapped letter, a digit in place of a letter, or a different top-level domain), or a Reply-To address that points somewhere other than the displayed sender
  • Spelling and grammatical mistakes (though well-written BEC emails are common, so their absence proves nothing)
  • Emphasizes urgency in both the email subject and content
  • Demands a monetary transfer, gift card purchase, or a change to a vendor's bank details
  • The requestor holds a prominent role within the organization, and often discourages verification ("I'm in meetings, email only")
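The red flags above can be checked mechanically before a message ever reaches the accounts-payable inbox. The following script is an added example written for this article, not code from the original post or from any product; it parses raw email headers with Python's standard library and flags a lookalike sender domain, a mismatched Reply-To, a display name that borrows an executive's name, urgency language, and payment requests. The legitimate domain `example.com`, the executive roster, the keyword lists, and the three sample messages are all constructed for illustration.

```python
"""Score raw email messages for the BEC red flags discussed above.

Added example, not from the original article. The company domain, the
executive roster, the keyword lists and the sample messages are assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed legitimate domain
# Hypothetical roster: display names attackers like to borrow -> real address
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "before end of day")
PAYMENT_WORDS = ("wire transfer", "payment", "gift card", "bank details",
                 "invoice", "account number")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True when `domain` imitates `legit` without being it or a subdomain of it.

    Catches homoglyph swaps (rn->m, vv->w, 0->o, 1->l), single-character
    edits, and the legitimate label buried in a longer domain.
    """
    domain = domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return False
    folded = (domain.translate(str.maketrans({"0": "o", "1": "l"}))
              .replace("rn", "m").replace("vv", "w"))
    if folded == legit or edit_distance(domain, legit) <= 1:
        return True
    return legit.split(".")[0] in domain.split(".")


def plain_text(msg) -> str:
    """Concatenate the text/plain parts of a message (or the whole body)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def analyze(raw: str) -> dict:
    """Return the sender, the red flags found, and a simple count as score."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else ""
    flags = []
    if lookalike_domain(from_domain):
        flags.append("lookalike sender domain: " + from_domain)
    if reply_domain and reply_domain != from_domain:
        flags.append("Reply-To domain differs from sender: " + reply_domain)
    key = from_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        flags.append("display name impersonates executive: " + from_name)
    text = (msg.get("Subject", "") + "\n" + plain_text(msg)).lower()
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency language")
    if any(w in text for w in PAYMENT_WORDS):
        flags.append("requests payment or banking change")
    return {"from": from_addr, "flags": flags, "score": len(flags)}


# Constructed sample messages (not real traffic).
SUSPICIOUS_CEO = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-secure.net
To: accounts@example.com
Subject: URGENT wire needed before end of day

Please process a wire transfer of $48,500 to the new vendor account today.
I am in meetings all day, email only.
"""
BENIGN_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 travel report

Attached is the travel report for Q3. No action needed.
"""
VENDOR_INVOICE = """\
From: Acme Billing <billing@acme-invoices.com>
To: accounts@example.com
Subject: Updated invoice 2231

Our bank details have changed effective this month. The updated invoice is
attached; payment is due immediately.
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_CEO, BENIGN_INTERNAL, VENDOR_INVOICE):
        print(analyze(sample))
```

The third sample matters: in the invoice-fraud scenario the sender is a genuinely compromised vendor account, so the domain checks pass and only the content flags fire. That is why automated scoring is a triage aid and not a substitute for the out-of-band verification described later in this article.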

How to Tackle Business Email Compromise (BEC):

Protecting your business from BEC attacks requires a multifaceted approach that encompasses technology, education, and vigilance. Here are some effective strategies to help safeguard your organization:

Employee Training and Awareness

Educate your employees about the dangers of BEC attacks. Train them to recognize common BEC red flags, such as unusual requests for fund transfers or sensitive information. Encourage a culture of vigilance when dealing with email requests, even if they appear to come from trusted sources.

Passwords & Multi-Factor Authentication (MFA)

Ensure that your organization enforces strong, unique passwords for every account, and require a change whenever a credential is suspected to have been exposed. Fixed-schedule rotation is no longer recommended by NIST (SP 800-63B): it pushes users toward weak, predictable variations of the same password and adds little protection against an attacker who has already phished the current one.

Enforce MFA for all email accounts and sensitive systems. This adds an extra layer of security by requiring users to provide multiple forms of verification before accessing their accounts. Prefer phishing-resistant methods such as FIDO2 security keys or passkeys where you can: attackers behind BEC campaigns use adversary-in-the-middle phishing pages that relay one-time codes and capture the resulting session, so SMS or app-code MFA raises the bar but does not remove the risk.

Verify Requests for Money or Sensitive Information

Before acting on any email request for fund transfers, changes to a vendor's bank details, or sensitive data, have a secondary verification process in place. This could involve a phone call to the requester using a known and trusted phone number taken from your own records, never a number or contact supplied in the email itself, since the attacker controls that channel.

Incident Response Plan

Develop and regularly update an incident response plan specific to BEC incidents. This plan should outline the steps to take in the event of a suspected or confirmed BEC attack: contact your bank immediately to request a recall of any wire already sent, reset the affected account's credentials and sessions, check the mailbox for forwarding or auto-delete rules the attacker may have created to hide replies, and report the incident to the appropriate authorities, including the FBI's Internet Crime Complaint Center (IC3).

                                              ____________________________________________

As we observe Cybersecurity Awareness Month, remember that cybersecurity is not a one-time effort but an ongoing commitment. By understanding the threat of business email compromise and implementing robust security measures, you can protect your business, your employees, and your bottom line from the perils of cybercrime. Stay vigilant, stay secure, and keep your business safe in the digital age.

Please note: The content in this article comes from individual opinions and experiences. The content should not be taken as advice coming from City National Bank of Florida. City National Bank of Florida does not offer tax, legal or accounting advice.

Sources: 

CISA.gov

FBI.gov
