As part of Cyber Security Awareness month, we’re taking a look at some of the ways in which you can protect your business and learn more about some common cyber security issues that are frequently faced by companies and businesses. One of these issues is Business Email Compromise (BEC).
Business Email Compromise is a type of phishing attack that targets businesses in an attempt to defraud the company. The criminals behind business email compromise scams attempt to create convincing-looking emails which may ask for unusual payments, or contain links that disguise harmful viruses and attachments which are activated when downloaded or opened.
Unlike standard phishing emails which are sent out to hundreds of recipients, BEC attacks are designed to appeal to certain, targeted individuals, usually senior executives. Business email compromise is a threat to businesses of all sizes, across a number of different sectors. Let’s take a look at what business email compromise is, the effects it can cause and how to spot signs of a BEC.
How do BEC attacks work?
Business email compromises are typically directed to an individual or small group of people, as opposed to a large number of users with other email phishing scams. BEC attacks rely on being able to impersonate or look like someone within a position of power or authority. Cyber attackers can do this in a number of different ways, such as:
Domain spoofing
By default, sender address verification isn't built into the email protocol. This means that attackers can copy and impersonate the display names and sender addresses of an email in order to make it look like it came from an internal source within the business. SMTP (Simple Mail Transfer Protocol) also allows a sender to specify a different address for replies, which ensures that any replies to the email reach the attacker rather than the person being impersonated.
Lookalike domains
Lookalike domains are designed in order to take advantage of characters which can be easily confused. For example, microsoft.com and microsott.com can be easily confused and look similar enough to recipients who aren’t paying close attention to email senders.
Account compromise
If a BEC attacker has access to a legitimate email account, then they can use it for a business email compromise attack. This adds a layer of apparent legitimacy, as the email really is being sent from a trusted address and will pass the checks that catch spoofed senders.
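The two sender tricks above (a reply address that differs from the visible sender, and a lookalike domain such as the page's microsott.com) are both visible in message headers, so a mail gateway or SOC script can flag them. The following is an added example, not code from the original article; the trusted-domain allow-list and the sample message are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of domains this organisation legitimately mails with.
TRUSTED_DOMAINS = {"microsoft.com", "example-supplier.com"}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), the usual lookalike metric."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def nearest_lookalike(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None if trusted/unrelated."""
    if not domain or domain in trusted:
        return None
    best = min(trusted, key=lambda t: edit_distance(domain, t))
    return best if edit_distance(domain, best) <= max_distance else None

def bec_indicators(raw_message):
    """Return indicator strings for one RFC 5322 message (empty list = nothing odd)."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    # A missing Reply-To means replies go back to the From address.
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    findings = []
    if reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{from_domain}->{reply_domain}")
    for label, dom in (("from", from_domain), ("reply-to", reply_domain)):
        target = nearest_lookalike(dom)
        if target:
            findings.append(f"lookalike-{label}:{dom}~{target}")
    return findings

# Constructed sample: the visible sender looks internal, but replies go to a lookalike domain.
SAMPLE = """From: "Finance Director" <director@microsoft.com>
Reply-To: director@microsott.com
Subject: Urgent invoice payment
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

The distance threshold of 2 is a tuning choice; widen the allow-list to every domain your finance team actually pays, and treat any hit as a reason to verify the request out of band.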
Business email compromise attacks take advantage of having a seemingly-legitimate email address in order to trick the recipient into carrying out a certain action. One of the most common goals of a BEC attack is to convince the targeted recipient to send money to the attacker, whilst under the assumption that they are performing a legitimate and authorised business transaction.
What are the different types of business email compromise attacks?
There are 5 primary types of BEC attacks:
False invoice scams
With false invoice scams, scammers will pretend to be a vendor or client asking for payment for services that are performed for the business. Scammers carrying out this type of business email compromise attack will often impersonate one of the business’s suppliers and use a convincing email template, but change payment details to those used by the scammers.
CEO fraud
CEO fraud is when scammers take advantage of positions of power within the company that are easy to discover. Scammers will then send emails which appear to come from the CEO and instruct the recipient to take action. They often say that they are in a meeting and need money sent to a client or an invoice paid to secure business goods; as a result, recipients are less likely to check with them and will send the money.
Account compromise
Account-compromise BECs take advantage of a compromised email account within a business. With this access, the scammer can request invoices from customers whilst changing the payment details to those of the scammer.
Lawyer impersonation
This type of business email compromise takes advantage of low-level employees within a business who are more likely to comply with requests from lawyers or solicitors as they often aren’t sure what protocols are in place. Scammers who take this approach often make their request seem time-sensitive and indicate that it involves confidential information so as to try and avoid verification.
Data theft
Business email compromise attacks aren’t just used in an attempt to steal money from a business. This type of attack targets Finance and HR personnel in an attempt to steal sensitive information about employees within the business. This information can then be sold on or used to plan and execute future BEC or phishing attacks.
How to protect your business against BEC attacks
A successful business email compromise can be hugely costly to your business, but there are some ways in which you can protect your business against BEC attacks. As business email compromise emails are a type of phishing scam, implementing an anti-phishing strategy can help protect against BEC attacks, as well as other phishing attacks. Our managed IT support services can get this set up for you and monitor it on a regular basis.
When it comes to phishing attacks, such as business email compromises, often human error is the most likely cause. As BEC attacks often focus on and target employees within your business, it’s important to ensure that your employees know how to identify and respond to a phishing attack. We can carry out phishing simulations within your organisation to help teach and educate your employees on the signs of a phishing attack and the best response should they receive a suspicious email.
Make your business a harder target
Information about your business and employees which can be easily found online can be used by cyber criminals to make their BEC attacks more convincing. It’s important that all businesses take steps in protecting their company against a business email compromise attack, but even more so if you work with or handle sensitive information.
Review your privacy settings
Check the privacy settings of your business social media and professional accounts, and ensure that, if you work in a sensitive business area, you encourage your employees to check their personal privacy settings, too. Think about the information you post online, as this can provide data that scammers can use to execute their business email compromise attacks.
Report suspicious emails
If you spot any suspicious emails, then be sure to flag them as spam or junk and let our team know that you’ve identified it as being suspicious and potentially unsafe.
Rethink your emails
Could your emails be mistaken for phishing emails or a business email compromise scam? With modern email settings, some emails can be mistakenly flagged as spam or dangerous based on their content. Rethink how you format and write your emails, and consider changing them to make sure they come across as legitimate.
If you think you’ve been a victim of a business email compromise attack, then contact our team of cyber security experts for advice on what to do next and how to start the recovery process. Remember, the earlier you let us know, the quicker we can help.