We all depend on email to conduct business. Cybercrime grows at about the same rate as our increasing dependence on digital technology, and cybersecurity teams are constantly searching for new defenses. A significant cyber threat facing businesses today is Business Email Compromise (BEC). It is a monster, and it is evolving and growing at a rapid rate.

BEC attacks jumped by 81% in 2022, and the biggest part of that problem is that approximately 98% of employees fail to report the threat.

What are BEC attacks?

Business Email Compromise (BEC) attacks are a type of scam in which criminals use email fraud to target victims including both businesses and individuals. They especially target those who perform wire transfer payments.

Typically, the scammer pretends to be a high-level executive or business partner (whose email account they have spoofed or taken over) and sends emails to employees, customers, or vendors. These emails request that the recipient make a payment or transfer funds in some form.

According to the FBI, BEC scams cost businesses around $1.8 billion in 2020. That figure increased to $2.4 billion in 2021. These scams can cause severe financial damage to businesses and individuals as well as to their reputations.

What makes a BEC attack?

BEC attacks can be difficult to identify because they are usually well-crafted and sophisticated; they take more planning than a typical phishing attack. The attacker first researches the target organization and its employees, gaining knowledge about the company’s operations, suppliers, customers, and business partners.

Much of this information is freely available online. Scammers can find it on sites like LinkedIn, Facebook, and organizations’ websites. Once the attacker has enough information, the stage is set for an attack in which they craft a convincing-looking email to dupe the victim. It's designed to appear to come from a trusted source.

The email will request that the recipient make a payment or transfer funds. It usually emphasizes that the request is for an urgent and confidential matter, for example a new business opportunity, a vendor payment, or a foreign tax payment.

The email will often convey a sense of urgency, what advertising designates as a ‘Call to Action,’ compelling the recipient to act quickly (without time to think things through). The attacker may also use social engineering tactics, such as posing as a trusted contact or creating a fake website that mimics the company's site. These tactics lend more legitimacy to the email.

If the recipient falls for the scam and makes the payment, the attacker wins, and the victim loses.

How do you protect against Business Email Compromise?

BEC scams can be challenging to prevent. But there are measures businesses and individuals can take to cut the risk of falling victim to them.

Security Awareness Training for Employees

BEC is not the only threat that organizations should educate their employees about, but it should be spotlighted in ongoing Security Awareness Training because of its rapid rise. Employees need to know how to identify and avoid these scams, and how to report them. Employees should be aware of the various tactics used by scammers, for example urgent requests, social engineering, and fake websites.

Training should also include email account security, including:

Checking their sent folder regularly for any strange messages

Using a strong email password with at least 12 characters

Changing their email password regularly

Storing their email password in a secure manner

Notifying an IT contact if they suspect a phishing email

Enable Email Authentication

Implement email authentication protocols for better security.

These include:

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Sender Policy Framework (SPF)

DomainKeys Identified Mail (DKIM)

These protocols help verify that an email really comes from the domain it claims to come from and reduce the risk of email spoofing. Another benefit is that properly authenticated mail is less likely to end up in recipients' junk mail folders.
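To make the three protocols concrete, here is an added example (not code from the original article or from any vendor named on it) that parses an SPF record and a DMARC record and then applies the DMARC alignment rules: a message passes DMARC only if SPF or DKIM passes for a domain that aligns with the visible From domain. The domain names and records are constructed for illustration, and organizational-domain handling is simplified to the last two labels (real implementations consult the Public Suffix List).

```python
"""Parse SPF/DMARC TXT records and evaluate DMARC alignment (added example).

All domains and records below are constructed; none belong to a real sender.
Assumption: the DMARC record was published at the organizational domain, so
its 'sp' tag governs subdomains of that domain.
"""

# Constructed sample DNS TXT records (hypothetical domains)
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mailer.test -all"
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example.test; pct=100")

# SPF qualifier prefixes and the result each one yields when a mechanism matches
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return a list of (result, mechanism, value) for each term in an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"  # an unprefixed mechanism is implicitly '+'
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((SPF_QUALIFIERS[qualifier], mech.lower(), value))
    return parsed


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record as a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment requires an exact match; relaxed ('r') only the org domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_evaluate(tags, from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against,
    dkim_domain is the d= tag of the verified DKIM signature.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Neither identifier aligned: apply p=, or sp= for a subdomain of the org domain
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return "fail", policy


if __name__ == "__main__":
    tags = parse_dmarc(DMARC_RECORD)
    # Spoof of the visible From address, sent through infrastructure the attacker controls
    print(dmarc_evaluate(tags, "example.test", "mailer.attacker.test", "pass",
                         "attacker.test", "pass"))
    # Legitimate mail via a third-party sender: SPF is unaligned, but DKIM d= aligns
    print(dmarc_evaluate(tags, "example.test", "bounce.example-mailer.test", "pass",
                         "example.test", "pass"))
```

The first scenario is the typical BEC spoof: the attacker can make SPF and DKIM pass for a domain they own, but neither aligns with the From domain the recipient sees, so a `p=reject` policy drops the message. The second shows why DKIM with `d=` set to your own domain matters when a third-party mailer sends on your behalf.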

Deploy a Payment Verification Process

Every organization should deploy payment verification processes, such as two-factor authentication (2FA) and/or requiring confirmation from multiple parties. This ensures that all wire transfer requests are legitimate. It’s always better to have more than one person verify a financial payment request.

Initiate a Response Plan

This would be a sub-category of a general Incident Response Plan (IRP), which provides directives for general threat events. Organizations should establish a response plan specifically for BEC incidents, including procedures for reporting the incident, freezing the transfer, and notifying law enforcement.

Use Anti-phishing Software

Find good anti-phishing software: Ironscales and Trustifi are two well-received tools. They detect and block fraudulent emails. As AI and machine learning gain widespread use, these tools become more effective.

The use of AI in phishing technology continues to increase. Businesses must be vigilant and take steps to protect themselves.

Frequently Asked Questions

Q: What action is required when you have received a suspicious email at work?

A: The first step for the affected employee should be to report it to management or IT support, but whether a company’s Policies & Procedures (P&P) actually require it is another matter. It needs to be required, or your IT team is left in the dark, with no idea how many attacks are attempted.

Q: What is considered a suspicious email?

A: The commonsense indication is that it’s just odd, like receiving a short message with a link or attachment from a friend or associate (who never sends you this type of thing) saying “I think you’ll get a kick out of this.” Also, any email that requests personal information, generic greetings (or lack of greetings) when the sender should know you, misspellings, unofficial "from" email addresses, unfamiliar webpages, and misleading hyperlinks are the most common indicators of a phishing attack.
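Several of the indicators listed in that answer can be checked mechanically. The following is an added example (not code from the original article) that runs a few of those checks over a constructed message: a Reply-To that points to a different domain than the From, a sender domain that is a near-lookalike of the recipient's, a hyperlink whose visible text names a different host than its real href, and urgency language in the subject and body. The message, domain names and keyword list are all constructed for illustration.

```python
"""Heuristic checks for common phishing indicators in one email (added example).

The two messages below are constructed samples; the domains are not real.
"""
import difflib
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed suspicious message: lookalike sender domain (.co vs .com), foreign
# Reply-To, a link whose text and target disagree, and urgency language.
SAMPLE_MESSAGE = """\
From: "Jane Smith, CFO" <jane.smith@example-corp.co>
Reply-To: jane.smith.cfo@webmail.test
To: accounts@example-corp.com
Subject: URGENT wire transfer - confidential
Content-Type: text/html; charset="utf-8"

<p>I need this handled today and kept confidential. Please pay the vendor via
<a href="https://secure-payments.lookalike.test/pay">https://portal.example-corp.com/payments</a>
before 5pm.</p>
"""

# Constructed benign internal message for comparison.
BENIGN_MESSAGE = """\
From: bob@example-corp.com
To: alice@example-corp.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

# Constructed keyword list; a real filter would tune this to the organization.
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential", "wire", "asap")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def looks_alike(a, b, threshold=0.8):
    """True if two different domains are nearly identical (typosquat / wrong TLD)."""
    return a != b and difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def check_message(raw):
    """Return a list of (indicator_code, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_dom, to_dom = domain_of(from_addr), domain_of(to_addr)

    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(("reply_to_mismatch", f"{domain_of(reply_to)} != {from_dom}"))
    if to_dom and looks_alike(from_dom, to_dom):
        findings.append(("lookalike_sender_domain", f"{from_dom} resembles {to_dom}"))

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        # Visible text that itself looks like a URL but names a different host
        if text.lower().startswith(("http://", "https://")):
            if urlparse(text).hostname != urlparse(href).hostname:
                findings.append(("link_mismatch", f"text {text} -> href {href}"))

    haystack = f"{msg.get('Subject', '')} {body}".lower()
    hits = sorted(w for w in URGENCY_WORDS if w in haystack)
    if len(hits) >= 2:
        findings.append(("urgency_language", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for code, detail in check_message(SAMPLE_MESSAGE):
        print(f"{code}: {detail}")
```

None of these checks is proof of fraud on its own; a legitimate marketing platform also sets a foreign Reply-To, for example. The value is in how they combine, which is why the function returns every finding rather than a single verdict, leaving the scoring decision to the mail filter or analyst.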

Q: Should you report phishing emails to police?

A: Not necessarily the police per se, like the LAPD or your local police department, but you should file a complaint with the FBI’s Internet Crime Complaint Center (IC3). Reporting is easy and convenient.

Q: What does an IC3 complaint do?

A: Incoming complaints are reviewed by the IC3 and referred to the appropriate law enforcement and regulatory agencies, for criminal, civil, or administrative action, as appropriate. Investigations and any prosecutions are decided by the agency that receives the complaint.

How secure is your network?

As a reputable member of the IT Support Los Angeles community since 2002, IT Support LA offers a FREE, no-risk network and security assessment. It is a non-intrusive scan that allows us to deliver a comprehensive report that is yours to keep. No strings, and no obligation to ever use our Managed IT Services.

The best defenses are expert Cybersecurity to protect your data from theft, and a top-notch MSP to ensure continued reliability and defenses against newly emerging threats.

With our 100% Money Back Guarantee in writing, we offer a risk-free way for prospective clients to try us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

IT Support LA is an award-winning Managed Services Provider (MSP):
o  3 Years awarded Best IT Support by the Small Business Expo
o  Awarded 2nd best company of any type in the US by the Small Business Expo SB100
o  Awarded Best IT Support in California by Channel Futures
o  Winner of Best IT Support in Los Angeles by Channel Futures
o  Listed as one of the world’s Top 501 MSPs by CRN and in the top 250 in the ‘Pioneer’ listing
o  4 years listed as one of the Top 501 MSPs in the World by Channel Futures
o  Listed as #21 Managed Services Provider in the World in Channel Futures NextGen 101
o  Globee 2021 Bronze Award winner for Chief Technology Officer of the Year
o  Globee 2022 Gold Award winner for Chief Technology Officer of the Year
o  Named one of 2022’s 50 ‘Best’ businesses in California by UpCity
o  Named Best of IT winner by UpCity
o  Winner of Local Excellence Award for 2021, 2022 and 2023 by UpCity
o  Named Best of Cloud Consulting winner by UpCity
o  Certified as Top Managed Services Provider and Cybersecurity Pro by UpCity
o  Named Best IT Services in Los Angeles by Expertise.com.

Would you Like Some Help with Email Security Solutions?

It only takes a moment for money to leave your account and be unrecoverable. Do not leave your business emails unprotected. Give us a call today to discuss our email security solutions and take advantage of our FREE network and security assessment.