Business Email Compromise: What It Is, Why It Matters, And How To Avoid It

As technology becomes more sophisticated so do criminal attacks. Business email  compromise (BEC) attacks are becoming more prevalent as fraudsters find new methods of accessing company email accounts and manipulating employees. Companies need to be  aware of the risks to avoid them. 

Most organisations now have robust firewalls, secure operating systems, and intrusion  detection systems. BEC techniques bypass these preventative measures by securing information through social engineering techniques. These can be much harder to spot,  control, and avoid. 

All companies are at risk of Business Email Compromise attacks 

If Facebook and Google can fall victim to a payment scam of over USD 100 million it is no  surprise that fraudsters are investing their energies in more elaborate BEC tactics. The FBI’s  2020 Internet Crime Report listed losses due to business and email account compromise as  over USD 1.86 billion. That accounts for almost half the sum lost to cybercrime. 

Organised crime operations are behind many attacks. Dark Halo, Nobelium, APT29 and Cozy  Bear are all names attributed to the group linked to the Russian Foreign Intelligence Service,  the SVR. Nigeria is another major source of cybercrime. 

The risk is real and can be extremely damaging. 

What are the main BEC scams? 

Attackers seek to acquire funds directly or information to access funds in the future. The FBI  has identified five main scams: 

• Fake invoices – these appear to be from legitimate suppliers, but accounts belong to  fraudsters. 
• Executive requests for payments – emails from the CEO or senior executives’  accounts will request transfers of funds to fraudulent accounts.  
• Hacked accounts – an employee’s email account will request invoice payments from  suppliers. Payments are diverted to the scammer’s account.
• Data theft – employees in HR and accounts departments are targeted for personally  identifiable information (PII) or tax information on employees. This can be used to  divert payroll funds. 
• Law firm information requests – emails seemingly from a company’s law firm will  request confidential information. 

Techniques evolve all the time. One recently identified is: 

• Requests for aging reports – this report, containing data on customer overdue  payments and contact information, can be used to send convincing payment  requests. 

Methods used in business email compromise cases 

Scammers will research and monitor targeted companies and employees. Fake emails will  be extremely convincing. Any company finance department will give you at least one  example of an employee making, or almost making, a payment to a fraudulent account. 

There are various techniques used: 

• Spam – unsolicited messages which can contain malware (see below) such as  keyloggers. They can be dangerous to open or respond to. 
• Spoofing – impersonating an individual or organization to gather useful information. • Phishing – emails that appear to be from a legitimate source that aim to extract  useful information. 
• Spear Phishing – information from websites or social networking sites is used to  make phishing emails seem more legitimate. 
• Pharming – a website users will mistake as belonging to a legitimate company, used  to gather usernames and passwords. 
• Malware –software used to damage or defraud. 

Ways to prevent business email compromise 

As well as diverting funds, BEC can lead to ransomware taking control of accounts or files  obtained until payment is made to release them. 

Education, internal controls, and software will all have a significant impact on a criminal’s  ability to access email accounts. 

1. Educate employees 

Make sure employees are aware of the risks and methods of business email compromise attacks. 

2. Email rules 

Avoid web-based emails and require multifactor authentication. For payment emails,  use ‘forward’ rather than ‘reply’.

Establish intrusion detection rules to flag emails sent from addresses with similar  domain names and when an email has a different reply address to the one shown. 

3. Website safeguards 

Secure and register similar domain names to avoid legitimate-looking websites and  emails being produced.  

4. Social media awareness 

Do not provide too much information on job titles, responsibilities, and so on. 5. Know your suppliers 

This makes it easier to spot unusual requests or changes. 

6. Payment approvals 

Use dual approval for payments and limit those who can make them. Verify account  details. 

7. Confirmation requests 

Verify with a confirmation email or call using information on file. 

8. Use the right software 

Trustpair software will take care of many of these processes, saving time and money.  Our Bank Supplier Check software will verify bank and corporate details worldwide. And  our Payment Security software will run an automatic check of payment files to detect  suspicious behaviour. 

As Deloitte says, “Now is the time for companies to educate themselves about BEC, train  their employees, and create an environment that encourages compliance”. 

We welcome any opportunity to show you how our software can transform your company’s  risk to business email compromise. Contact us to request a demo: keep your business safe  from cybercriminals. 

KEY TAKE-AWAYS

Business Email Compromise (BEC) is a real threats for every companies. Best practices to secure your organisation is mainly about three points:

• Know the scams to watch out for 
• Educate your employees 
• Install Trustpair software for an added layer of security