Publish Date: April 5, 2023
Author: Seubert
Tags: Blog - SeubertU

Cyberthreats: Business Email Compromise

Cybercriminals continue to become more sophisticated, leveraging a wide range of tactics to attack their victims. One tactic that has increased in frequency, complexity and resulting losses over the past few years is the use of business email compromise (BEC) scams. Essentially, BEC scams consist of cybercriminals impersonating an individual or entity within their targets’ trusted networks for malicious gains.

There are several different types of BEC scams, including:

False invoice scheme—A cybercriminal impersonates an organizational supplier to trick their target into paying fraudulent invoices or transferring funds to a phony account.

CEO fraud—A cybercriminal impersonates a senior-level employee or executive and requests that their victim conduct a wire transfer to a fake account.

Account compromise—A cybercriminal hacks into an employee’s or executive’s actual email account and distributes messages to various contacts.

Attorney impersonation—A cybercriminal impersonates a lawyer or other legal representative and requests a payment be made to a phony account.

Data theft—A cybercriminal impersonates an HR professional to trick their target into sharing personal information about employees or executives.

Any employee can become the target of a BEC scam, putting the security and financial stability of an entire organization at risk. Organizations can implement the following cybersecurity measures to help avoid BEC scams:

Educate employees. Minimizing losses from BEC scams starts with training employees to detect and prevent such scams. This includes refraining from sharing personal or work-related information on social media, not opening or responding to messages from unknown individuals or organizations, and being wary of emails that lack personalization, contain spelling and grammatical errors, request sensitive details or use threatening language.

Implement effective payment protocols. Having safe and secure payment procedures within an organization can help stop BEC scams before any money is lost. Instruct employees who handle the organization’s financial operations to carefully analyze invoices and fund transfer requests to ensure their validity.

Restrict access to sensitive data. Only provide employees with access to sensitive organizational data if they are trusted and require such information to conduct their work tasks. Protect this data with access controls and multifactor authentication measures.

Utilize security features. Make sure all organizational devices possess adequate security features to help deter BEC scams—including access to a virtual private network, antivirus and malware prevention programs, email spam filters, data encryption capabilities and a firewall. Update these security features as needed.

Have a plan. Ensure the plan specifically addresses response protocols and mitigation measures for BEC scams.