Business Email Compromise: How to Minimize Risk

Cybercriminals aren’t slowing down and today’s organizations need a proactive approach to secure their communications. Business email compromise (BEC) exploits companies to financial risks and losses with criminals posing as legitimate vendors or employees to commit fraud.

An FBI alert from 2020 noted that BEC exploits cost U.S. businesses more than $2 billion by targeting cloud-based email services. In 2019, a single individual pleaded guilty to stealing $123 million from Google and Facebook using BEC scams.

To help you minimize the risk, this blog will look at how you can prevent a business email compromise exploit from succeeding.

What is a Business Email Compromise and How Can You Minimize Risk?

Sometimes called an email account compromise (EAC), BEC exploits target companies that conduct wire transfers to pay suppliers. Corporate email addresses that are usually publicly available enable cybercriminals to spoof businesses and entice executives or high-level employees to make fraudulent transfers.

To protect your business, here are five ways you can minimize the risks of BEC attacks.

1. Recognizing Different Attack Scenarios

Scammers will use different types of BEC attacks to swindle even the most diligent employees. By learning to recognize the different scenarios, you can reduce the likelihood of falling for an attempt.

The main indicators you need to look for are:

  • Creating a sense of urgency and secrecy – Attackers may pose as a legal entity or executive from another firm and send emails that insist you take immediate action while maintaining confidentiality about the transaction. The requested wire transfer may be for a business deal or even claim the company needs to pay a fine for breaching a regulation.
  • Impersonating domains – False domains are one of the most common BEC attack types. The email will request payment and provide a link to the website that looks the same as a legitimate company with a subtle change in the domain name.
  • Fake vendor or supplier – This type of attack is harder to spot as the scammer often has access to a vendor’s real email account. The email will have the correct domain name and include the required supporting documents for the wire transfer but the payment details will be for the scammer’s account.

2. Educate Employees about Attack Scenarios

Employees (especially executives and those authorized to make payments) are your first line of defense against a BEC attack. You’ll need to train them to recognize attack types and remind them to be diligent at all times.

Effective training programs should emphasize the risks and foster a sense of responsibility throughout the organization. You should share information about threats and any failed attempts with everyone in the company to increase awareness.

BEC attacks often depend on grooming a specific individual using social engineering techniques and relying on their deference to authority. Frequent communications and updates about BEC are the best way to ensure your resources remain vigilant.

3. Build Technical Controls into Your IT Landscape

BEC attacks aren’t technically sophisticated and depend mainly on psychological manipulation. Attacks may start with a spear-phishing campaign until the scammer has enough information to target a specific employee.

Technical controls can prevent spear-phishing campaigns from reaching your employees and encryption can keep all your communications safe from prying eyes. You can also use virtual private networks (VPNs) and multi-factor authentication (MFA) to keep your networks safe from unauthorized access.

4. Foster a Culture of Compliance

Scams evolve and training alone will not ensure your employees don’t fall for a BEC attack. Empowering employees is great for business but it does create additional risk when mid-level resources do not communicate with executives to verify every transaction or payment request.

Creating a compliance framework and fostering a culture that overcomes internal isolation can help prevent fraudulent transactions from slipping through the cracks. A culture of compliance will ensure your employees go through the required protocols every time and improve the chances of identifying a BEC exploit before it’s too late.

5. Review and Optimize Financial and Accounting Controls

The best way to defend against BEC exploits is to ensure you build controls into your financial and payment processing workflows. Map out the exact process you use for wire transfers and evaluate if you have any weaknesses that a scammer could exploit.

Use approval workflows before authorizing payments to ensure the initiators are valid and the transactions are legitimate business payments.

Secure Your Enterprise Communications with Wickr

The best way to minimize the risks in your enterprise is to move your business communications to a secure and reliable platform. Wickr provides you with all the tools you need to ensure your communication and information exchanges remain private using end-to-end encryption and manageable security controls.

Secure communications reduce the risk of exposing your information that could lead to a BEC attack. Wickr supports government agencies, the military, and enterprises with secure, compliant, and scalable communication solutions.

To secure your business communications and minimize the risk of a BEC attack, contact Wickr today.