Business email compromise (BEC) attacks are exploits where cybercriminals get unauthorized access to a business email account to steal the owner’s identity. The compromised accounts are then used for carrying out highly convincing social engineering scams against employees, partners, and customers. These attacks are almost always carried out for direct financial gain, such as tricking accounting staff into transferring money to accounts owned by the criminals.
BEC attacks are especially dangerous because they tend to be carried out by sophisticated cybercriminals who deploy a wide range of tactics to establish trust and legitimacy. They don’t rely on randomly sending out emails like standard phishing scams. Instead, they scour publicly available information about their intended targets so they can send contextual requests and impersonate corporate executives.
Given the high success rates of BEC attacks, it’s important for businesses to raise awareness of BEC scams during this year’s National Cybersecurity Awareness Month. Fortunately, there are several proven ways to stop BEC threats:
1. Security awareness training
Technological solutions can only go so far to protect your business and your employees. The truth is that most cyberthreats exploit human ignorance, simply because it’s much easier than trying to work around cutting-edge cybersecurity controls. That’s why every business should have a security awareness training program that educates all employees on the threats and how to identify them. One of the most effective and engaging ways to train employees is to conduct hands-on labs and simulated social engineering attacks so they can correctly identify and report attempted BEC and other attacks.
2. Principle of least privilege
Implementing strong access controls can protect business email and other systems from being accessed by unauthorized users. The principle of least privilege holds that an employee should only ever be granted access to the systems and data necessary for doing their jobs. For example, there’s no reason for an employee to have access to payment systems if it’s not required in their roles. The principle of least privilege also protects against insider threat, whether accidental or deliberately malicious.
3. Multifactor authentication (MFA)
Having a strong password policy will safeguard your systems from BEC attacks, but it’s not enough by itself. When accessing sensitive data, especially from unfamiliar locations, devices, or networks, employees should always have to verify their identities. With MFA, employees have to enter additional information on top of their usernames and passwords before they can be granted access. Popular MFA measures include things like one-time security tokens provided using a mobile authenticator app or dongle, or an SMS message.
4. Enterprise-grade spam filtering
Although spam filtering won’t be able to block more sophisticated BEC attacks, it will greatly reduce the amount of malicious emails that make it through. Rule-based business-grade spam filters can, for example, immediately detect things like spoofed domain names and identities, which people can easily miss.
Advanced spam filters can also detect malware, such as port scanners and keyloggers, which attackers may use to gain access to your business network. They even allow you to regulate attachments and other email content more efficiently, which, in turn, boost productivity, thanks to less time spent manually reviewing suspicious emails.
5. Strict payment processes
Many BEC attacks involve bogus invoice schemes, where criminals send out emails asking for payment. Less sophisticated attacks may use spoofed email addresses, while advanced tactics include leveraging account takeovers to send malicious emails directly from a legitimate account.
For example, some attackers use a stolen account to impersonate a CEO or another high-level executive in an effort to extort money from them. For this reason, it’s important to thoroughly separate and regulate payment processes and avoid giving employees access to any financial or accounting information unless they absolutely need it to do their jobs.
Online Computers provides managed security services that keep you safe from business email compromise and other threats. Contact us today to schedule a consultation.
Ensure a productive remote workforce!
Enter your name and email address on the respective fields on the right to receive our FREE guide to ensuring your staff's productivity while working remotely.