While it has a bland name, Business Email Compromise (BEC) refers to a specific, nasty type of cyberattack that targets businesses of all sizes.
Rather than exploiting a software flaw, BEC exploits the trust people place in email communication within an organization. When successful, BEC can lead to financial losses, reputational damage, and exposure of sensitive information.
What is Business Email Compromise?
At a basic level, BEC is a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company info. The cybercriminal spoofs a person or organization the target knows, like a supplier, and asks for a fake invoice to be paid, sensitive company information, or other data they can profit from. Cybercriminals can even use BEC to spread malware within an organization’s network by convincing employees to click a fake link or download a malicious attachment.
BEC attacks are increasing, especially as many organizations have employees working from home or in a hybrid work scenario in the wake of the COVID-19 pandemic. According to a recent report from software company Fortra, almost a quarter of emails that were delivered to corporate email inboxes in the first few months of 2023 were deemed “untrustworthy or malicious.” While ransomware grabs many headlines, BEC is a huge cybersecurity issue for companies as well.
Understanding the Tactics
BEC attacks come in various forms, but they are, essentially, a sophisticated, targeted evolution of phishing that focuses on organizations. In conducting a BEC attack, the attackers make their emails look as legitimate as possible and usually impersonate trusted entities like colleagues, suppliers, or executives. They often research the target beforehand, learning their name, position, and who they normally deal with. BEC emails might ask directly for money by requesting that a fake bill be paid, or they might ask for bank account information. Alternatively, they might request data or documents, or ask the target to click on something that installs malware.
If an employee's or supplier's email account is compromised, the attacker can read existing threads and reply inside a genuine conversation, for example asking to reroute a payment or update direct deposit details. Attackers also commonly add a mailbox rule that silently forwards mail to an external address, or that deletes or hides replies, so they can keep watching the conversation without the account owner noticing. Have your system administrators disable automatic forwarding to addresses outside the organization and review newly created inbox rules for external forwarding or for rules that hide messages about invoices and payments.
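The inbox-rule review described above can be automated against mailbox audit logs. The following is an added example written for this article, not code from the article's author or from any mail vendor; the log lines are constructed and use a simplified schema whose field names (Operation, UserId, Parameters, ForwardTo, and so on) are assumptions, not any product's exact audit format. It flags rules that forward or redirect mail to a domain the organization does not own, and rules that hide messages mentioning payment-related keywords.

```python
"""Flag mailbox rules that forward mail externally or hide payment-related replies.

Added example for this article. The audit-log schema below is a constructed
simplification (field names are assumptions), not any vendor's real format.
"""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains

# Rule parameters that send a copy of mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "ForwardingSmtpAddress"}
# Rule parameters that make matching mail disappear from the inbox.
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
# Words BEC actors typically filter on so the victim never sees the reply.
BEC_KEYWORDS = ("invoice", "payment", "wire", "bank", "password")

# Constructed audit records, one JSON object per line.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":{"Name":"sync","ForwardTo":"archive@example.com"}}
{"Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":{"Name":".","ForwardTo":"bob.backup@mail.test","DeleteMessage":"True"}}
{"Operation":"New-InboxRule","UserId":"carol@example.com","Parameters":{"Name":"Invoices","SubjectContainsWords":"invoice;payment","MoveToFolder":"RSS Feeds"}}
{"Operation":"Set-Mailbox","UserId":"dave@example.com","Parameters":{"ForwardingSmtpAddress":"smtp:dave@attacker.test"}}
{"Operation":"MailItemsAccessed","UserId":"erin@example.com","Parameters":{}}
"""


def _domain(address: str):
    """Return the domain part of an address, tolerating an 'smtp:' prefix."""
    addr = address.split(":", 1)[-1].strip()
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def analyze_record(rec: dict) -> list:
    """Return a list of (finding, user, detail) tuples for one audit record."""
    findings = []
    if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
        return findings
    params = rec.get("Parameters", {})
    user = rec.get("UserId", "?")

    # 1. Forwarding or redirection to a domain we do not own.
    for param in sorted(FORWARD_PARAMS & params.keys()):
        dom = _domain(str(params[param]))
        if dom and dom not in INTERNAL_DOMAINS:
            findings.append(("external_forward", user, f"{param}={params[param]}"))

    # 2. A rule that quietly hides mail about invoices, payments, etc.
    subject_filter = str(params.get("SubjectContainsWords", "")).lower()
    if any(word in subject_filter for word in BEC_KEYWORDS) and HIDE_PARAMS & params.keys():
        findings.append(("hidden_replies", user, subject_filter))
    return findings


def scan_log(text: str) -> list:
    """Run analyze_record over every non-empty JSON line."""
    findings = []
    for line in text.strip().splitlines():
        if line.strip():
            findings.extend(analyze_record(json.loads(line)))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

In this sample only Alice's rule is benign (it forwards to an internal address); Bob and Dave forward mail outside the organization and Carol's rule buries anything mentioning invoices or payments, which is exactly the pattern an attacker uses to intercept a supplier conversation. Run the scan on every new rule event, not just once, because the attacker creates the rule immediately after compromising the account.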
How to protect yourself and your company from BEC scams
Train your employees
The first line of defense against BEC is a well-informed workforce. Conduct regular cybersecurity awareness training sessions to educate employees about the risks associated with phishing emails, the importance of verifying sender information, and the reality of BEC attacks. Our 2023 Oh Behave survey found that 94% of respondents made some sort of behavior change after cybersecurity training, with over a third saying they started using multi-factor authentication and around 50% saying that they developed a better eye for phishing.
Adopt email authentication protocols
Implement email authentication protocols such as DMARC (Domain-based Message Authentication, Reporting, and Conformance), which builds on SPF and DKIM. DMARC lets receiving mail servers check that a message claiming to come from your domain was actually authorized by your domain (the visible From address must align with a domain that passed SPF or DKIM), tells them what to do with messages that fail (monitor, quarantine, or reject), and sends you reports about who is sending mail in your name. Publishing a record with a policy of "p=none" only gives you visibility; move to "p=quarantine" and then "p=reject" once your legitimate senders pass. Note that DMARC stops attackers from spoofing your exact domain; it does not stop mail from a lookalike domain or from a genuinely compromised account, so the verification steps below still matter.
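To make the alignment rule concrete, here is a toy DMARC evaluator. It is an added example written for this article, not code from the article's author or from any real mail receiver, and it assumes SPF and DKIM have already been checked and their results are handed in. The DMARC records, domains and messages are constructed; the organizational-domain lookup is a deliberate simplification (real receivers use the Public Suffix List). It shows a spoofed message under a monitoring-only policy versus a reject policy, the difference between relaxed and strict alignment, and why a lookalike domain passes.

```python
"""Toy DMARC evaluator (added example; not code from the article or any mail server).

DMARC passes when SPF or DKIM passed AND the domain that passed aligns with the
domain in the visible From: header. Otherwise the record's p= tag decides the fate.
"""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags.
    Alignment modes default to relaxed ('r'), as in RFC 7489."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels
    ('mail.example.com' -> 'example.com'). Assumption: real receivers use the
    Public Suffix List so that names like 'example.co.uk' are handled."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs
    the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature that verified


def evaluate(record: str, from_domain: str, auth: AuthResults) -> tuple:
    """Return (result, disposition): ('pass', 'none') or ('fail', <p= policy>)."""
    policy = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed records: a monitoring-only policy and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def scenarios() -> dict:
    """Constructed messages as a receiver sees them after SPF/DKIM checks."""
    # Attacker's server sends 'From: ceo@example.com'. SPF and DKIM both pass,
    # but only for the attacker's own domain, so nothing aligns with example.com.
    spoof = AuthResults(True, "attacker.test", True, "attacker.test")
    # Genuine mail relayed by a bulk sender: SPF fails, but the DKIM signature
    # is made with a key published under example.com.
    legit = AuthResults(False, "bounce.bulksender.test", True, "example.com")
    return {
        "spoof_with_p_none": evaluate(WEAK_RECORD, "example.com", spoof),
        "spoof_with_p_reject": evaluate(STRONG_RECORD, "example.com", spoof),
        "legit_dkim_signed": evaluate(STRONG_RECORD, "example.com", legit),
        # Subdomain in From: with a parent-domain signature: fine under relaxed
        # alignment, rejected once adkim=s is set.
        "subdomain_relaxed": evaluate(WEAK_RECORD, "billing.example.com", legit),
        "subdomain_strict": evaluate(STRONG_RECORD, "billing.example.com", legit),
        # Lookalike domain the attacker owns: DMARC is evaluated against the
        # lookalike's own record, so it passes. DMARC protects your domain from
        # being spoofed; it does not catch impersonation by a similar domain.
        "lookalike_domain": evaluate("v=DMARC1; p=reject", "examp1e.com",
                                     AuthResults(True, "examp1e.com", True, "examp1e.com")),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

The "spoof" pair is the point of the exercise: with p=none the spoofed message is delivered and you merely learn about it in the aggregate reports, while with p=reject the receiver drops it. The strict-alignment case also shows why you inventory every legitimate sending service (subdomains, bulk mailers, ticketing systems) before tightening the policy, or you will start rejecting your own mail.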
Verify the sender
Whenever an email asks for money or sensitive information, verify the request through another channel, especially if it is unexpected, urgent, or unusual. Call the supposed sender using a phone number you already have on file (not one given in the suspicious email), or confirm in person. Never rely on a reply to the email itself, because a compromised or spoofed account will simply confirm its own request.
Enforce multi-factor authentication
Your organization should enforce MFA across all email accounts. MFA adds another layer of protection beyond passwords and significantly strengthens your security. When implemented across an organization, MFA reduces the risk of unauthorized access even if login credentials are stolen or phished.
Keep software up to date
Make sure your software is running the latest versions. Keep email servers, antivirus software, and other security tools up to date to protect against known vulnerabilities. Regular updates ensure that your defenses can handle the latest threats.
Incident response plan
Your company should develop, and regularly update, an incident response plan to outline what will happen in the event of a BEC attack. The plan should include procedures for isolating systems, alerting relevant authorities, and communicating about the attack.
Encrypt email
Use end-to-end email encryption, such as S/MIME or OpenPGP, so that message contents stay confidential in transit and at rest. Encryption ensures that even if an attacker gains access to stored or intercepted email, the information remains unreadable without the corresponding private key. Keep in mind that encryption protects confidentiality; it does not by itself stop a fraudulent payment request sent from a compromised or spoofed account, so pair it with the sender verification steps above.
Implement financial controls
All organizations should maintain rigorous financial controls, especially when authorizing wire transfers or other sensitive transactions. Require a second person to approve payments above a set threshold, and require that any change to a supplier's bank account, payment method, or remittance address be confirmed out of band with a known contact before it takes effect. These checks minimize the risk of unauthorized transfers, because a single convincing email is no longer enough to move money.
Audit and monitor
Conduct regular security audits to identify and address vulnerabilities in your email system. Continuously monitor your system to detect unusual or suspicious activities, which enables a swift response to suspected BEC incidents.
Don’t be compromised by BEC
BEC remains a threat to businesses and other organizations, but with proactive prevention strategies and robust mitigation, businesses can strengthen their defenses. Foster a culture of cybersecurity awareness and stay vigilant against evolving threats. All these actions help you prevent BEC, as well as many other security threats.