Most people have heard of the classic email scams, often involving a "Nigerian prince" who promises to deposit money into the target's bank account but first requires the target to send money to facilitate the process.
It's a well-known tactic that unfortunately continues to resurface, catching new victims each time.
The only way to stay safe from these kinds of email attacks is to stay informed.
BEC Scams
Business Email Compromise (BEC) scams are all too common and have continued to evolve over the years.
The scheme keeps its core premise but adapts to trap unsuspecting victims in personalised and novel ways.
This scheme has become so prevalent over the years that it currently dethrones ransomware as the most destructive cyberattack worldwide.
One suspected reason for this is that cyber security providers and the software they use are now so effective that it is easier to target people by tricking them than to get through the layers of IT protection.
Losses
Back in 2021, BEC-related losses were over $2.4 billion in the US, according to the FBI's Internet Crime Complaint Center (IC3).
Perpetrators of these scams will deploy strategies that exploit real-time global events, such as COVID-19, or the trust you have in established personal relationships.
These tactics will let them get the better of their targets, and the sophistication and speed of these scams only make it worse.
Examples of this insidious trend include:
How to Stay Safe
Security Awareness Training
To ensure that you and your business are protected from attacks like this, prioritising employee education is essential; for example, we provide security awareness training to our clients' staff.
For instance, if a staff member in your finance department receives an email from a purported business partner requesting changes to their pre-established payment details, what would they do?
Your team should see this as a red flag straight away and verify the request with the designated point of contact to confirm any changes.
Although this seems intuitive, precautions like this can be overlooked, especially when there are busy schedules and looming deadlines.
Scammers can craft incredibly convincing and personalised disguises when carrying out BEC scams.
Threat Detection
Your best bet is to take a multi-faceted defensive stance: it is crucial to implement threat detection mechanisms alongside staff education.
Mechanisms like these will aid you and your IT team in identifying threats and malicious activities, issuing swift alerts, and guiding appropriate responses and remediation efforts.
This involves monitoring abnormal behaviour, both within on-premises systems and across cloud platforms.
Cloud Monitoring
It is also important to recognise that BEC activity will typically mimic regular user actions.
Given the rise in remote work in recent years, reliance on cloud services like Microsoft Office has grown significantly.
These services are intricate environments that sit behind their own layer of protection.
Yet if a threat actor infiltrates your organisation's Office 365, accessing valuable data is almost effortless.
Traditional perimeter defences, like firewalls, can struggle to monitor suspicious behaviour in cloud-hosted applications such as Office 365, SharePoint, and OneDrive.
The same applies to endpoint monitoring: if a threat actor bypasses perimeter defences and obtains a user's credentials, every action they take will look ordinary to the technology, because they hold the correct credentials to carry out those tasks, yet it is in fact a serious threat.
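To illustrate the kind of behaviour-based check a cloud monitoring tool applies when every login is technically valid, here is an added Python example (not code from the original post or from Itek). It runs over constructed sign-in records, builds a per-user baseline of usual countries, and flags a valid login that comes from a country the user has never used or that implies impossible travel; the four-hour travel window and the sample data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (made up for this example, not real logs).
# Fields mirror what a cloud audit log typically records: user, UTC time, country.
BASELINE = [
    {"user": "alice@example.com", "time": "2024-03-01T08:05:00", "country": "GB"},
    {"user": "alice@example.com", "time": "2024-03-02T08:10:00", "country": "GB"},
    {"user": "alice@example.com", "time": "2024-03-03T17:40:00", "country": "GB"},
    {"user": "bob@example.com",   "time": "2024-03-01T09:00:00", "country": "IE"},
]
RECENT = [
    {"user": "alice@example.com", "time": "2024-03-10T08:02:00", "country": "GB"},
    {"user": "alice@example.com", "time": "2024-03-10T09:30:00", "country": "NG"},
    {"user": "bob@example.com",   "time": "2024-03-10T09:15:00", "country": "IE"},
]

# Assumption: two different countries within 4 hours is physically implausible.
TRAVEL_WINDOW = timedelta(hours=4)


def build_baseline(events):
    """Map each user to the set of countries they normally sign in from."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["user"]].add(e["country"])
    return baseline


def detect_anomalies(baseline, events, window=TRAVEL_WINDOW):
    """Return (user, time, reason) alerts for logins that succeeded but are
    out of character: an unseen country, or 'impossible travel' between two
    countries inside `window`. Credentials alone never trigger an alert."""
    alerts = []
    last_seen = {}  # user -> (time, country) of that user's previous event
    for e in sorted(events, key=lambda x: x["time"]):
        user, country = e["user"], e["country"]
        t = datetime.fromisoformat(e["time"])
        if country not in baseline.get(user, set()):
            alerts.append((user, e["time"], f"new country {country}"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and t - prev[0] <= window:
            alerts.append((user, e["time"], f"impossible travel {prev[1]}->{country}"))
        last_seen[user] = (t, country)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE), RECENT):
        print(*alert)
```

Bob's login matches his baseline and produces nothing; Alice's second login is flagged twice even though the password was correct, which is exactly the signal a perimeter firewall cannot see.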
Cyber Security Support
Moreover, maintaining an adequate IT security team is imperative.
If there is a threat, swift action, prevention, and resolution are key.
Unfortunately, many businesses lack the resources to assign staff to 24/7 monitoring of their systems.
Should an alert trigger in the middle of the night, it's likely that nobody will see it until working hours the next day.
The delay between an alert being raised and someone noticing and understanding the threat can determine whether your business successfully defends itself or sustains what can be catastrophic harm.
Managed threat detection and response services, provided by an MSP, can act as force multipliers, especially when continuous monitoring isn’t possible.
Other Safety Tips
As well as all the above strategies, the following guidelines, provided by the FBI, can greatly improve your defences and heighten awareness among employees, helping you fend off BEC attacks:
For a deeper understanding of BEC threats and effective defence strategies, don’t hesitate to contact us for a comprehensive discussion.
Itek provides IT solutions for your entire IT infrastructure. Your business can experience a cost-effective service at a predictable fixed rate, removing the burden from you and your team and freeing you to focus on your goals.