Providing cybersecurity for a business is challenging enough for IT professionals even when threats are well known. It gets more difficult if an employee is asked to do something that’s bad for the company without realizing the source of the request is a cybercriminal. Business email compromise (BEC) is an example of such a threat. Prevention depends upon employees being careful that they’re not tricked into doing something damaging for the company without knowing it.
Even if you’re not a cybersecurity professional, you’re almost certainly familiar with the scam technique known as phishing, in which cybercriminals use seemingly legitimate emails to trick people into giving out passwords or other sensitive information, or into clicking on malicious links or attachments. Using emails that appear to come from banks, online retailers or other trusted sources, these phishing scams can con people into providing information that can then be used against them. What some professionals may not know is that a BEC scam works in much the same way.
Either through hacking or simple deception, cybercriminals can gain access to corporate email accounts. This access allows cybercriminals to effectively assume the identity of a high-ranking company official, which enables them to send out emails that authorize the transfer of money for seemingly legitimate business purposes. In reality, however, these emails essentially trick well-meaning employees into stealing money for the criminals, and the losses can be devastating. According to the FBI, more than $960 million was stolen over a two-year period as a result of BEC scams. What’s more, these scams can strike any business at any time.
With a BEC scam, a single mistake can cost a business millions of dollars, so it’s crucial to take the steps necessary to protect your organization. These steps may include requiring a verification code whenever a request to transfer money is made, having an employee answer a security question, or using another form of verification to confirm that the request to move money is legitimate. Providing regular training on the most common BEC tricks is another important step companies should take to avoid being victimized. The accompanying guide details these and other ways to prevent BEC scams; professionals who want to make sure they’re always doing what’s right for their companies should pay attention and make all employees aware of this type of threat.
About the Author
Chris Cronin is a partner, principal consultant and ISO 27001 auditor for HALOCK Security Labs, a leading information security firm in Chicago. Cronin has more than 15 years of experience helping organizations with policy design, security controls, audit, risk assessment and information security management systems within a cohesive risk management process. He is a frequent speaker and presenter at information security conferences and events.