Prevent Business Email Compromise Attacks

Nick Santora | February 14, 2018

Business Email Compromise attacks, otherwise known as BEC attacks, are when a hacker gains access to a corporate email account, then uses that account to trick employees, vendors, or partners into transferring funds out of the organization. These scams are a growing threat and businesses across the world must be aware of how to prevent BEC attacks. With a simple targeted email, hackers successfully scam thousands of organizations each year resulting in billions of dollars in losses, all while remaining under the radar. We are going to discuss some strategies your employees can use to prevent business email compromise attacks.


How Business Email Compromise Attacks Happen

Hackers will use a variety of social engineering tactics to gain your trust and get funds transferred. Modified email domains may also be used to convince you that the sender is a trusted employee, partner, or vendor. Money is the motive, and fraudulent wire transfers are the primary goal behind BEC scams. However, privileged accounts and other sensitive data, such as human resource records, tax documents, and other financial data, can also be targeted in these types of attacks.

Hackers use a variety of tactics, and we are going to increase your awareness of the different techniques so you can prevent business email compromise attacks targeted at your employees. The hacker's goal is to get you to transfer funds quickly, without a thought that something could be suspicious about the transaction. The hacker may directly compromise an employee or vendor email account, then review previous communications to learn how transfers are made. The hacker will then write an email on that person's behalf requesting a transfer of funds. Being cautious may avoid disaster and prevent a business email compromise attack. A brief conversation in person or over the phone to confirm a financial transaction is not a waste of time. Unusual requests, timing, and other indicators should raise awareness that something may not be right.

Alternatively, a hacker may acquire a domain name that looks very similar to one you are familiar with. They may use an extra letter, a misspelling, or a hyphen in the domain name. Take a look:

You may receive an email from:
[email protected]

But it actually originates from:
[email protected]

See the difference?


It is difficult to quickly tell the difference unless you examine the domain. The hacker will also use a friendly name that may even display the sender as Legit Construction Accounts Payable. That way, when you look in your email client, you would only see what looks legit to you. No pun intended.
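One way to turn the lookalike checks described above into something a mail gateway or help desk script can run: the Python below is an added example, not code from this post or from Curricula, and it goes a little beyond the text by also catching digit-for-letter swaps and a friendly name that carries a trusted company's name on an unrelated address. `TRUSTED_DOMAINS`, the homoglyph table and the sample headers are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed list of domains this organisation already does business with.
TRUSTED_DOMAINS = {"legitconstruction.com"}

# Digits often swapped for the letters they resemble (hypothetical table, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Collapse hyphen and look-alike character tricks onto the plain spelling."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one extra letter or one misspelling costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> str:
    """Classify a From: header as 'trusted', 'lookalike:<domain>',
    'display-name-impersonation:<domain>' or 'unknown'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Hyphen/homoglyph variants normalise to the same string; typos stay within 2 edits.
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return f"lookalike:{trusted}"
        # Friendly name carries the trusted company's name but the address does not.
        label = trusted.split(".")[0]
        if label in re.sub(r"[^a-z]", "", name.lower()):
            return f"display-name-impersonation:{trusted}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers mirroring the post's scenario.
    for hdr in ("Accounts Payable <ap@legitconstruction.com>",
                "Accounts Payable <ap@legit-construction.com>",
                "Legit Construction Accounts Payable <billing@freemail.example>"):
        print(f"{hdr!r}: {check_sender(hdr)}")
```

A flagged result is a reason to pick up the phone and verify, not a verdict on its own; very short trusted domains will need a tighter edit-distance threshold to avoid false positives.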

Time is of the essence if you believe you have identified or fallen victim to a BEC attack. Promptly notify your bank, management, and any other involved parties so they can attempt to recover any lost funds.

5 Steps to Prevent Business Email Compromise Attacks

Review Fund Transfer Process

One of the first processes your organization needs to review is how transfers of funds are authorized and confirmed. Let’s be clear here. A process is only as good as those who follow it. And if you follow a broken process, you aren’t doing much better. Review who has access to bank accounts, who holds authorization privileges, and the exact steps needed to verify a transfer of funds. This process should be clearly communicated to all employees involved in requesting and transferring funds.

Be Cautious

Look for any cues or behaviors that seem out of the ordinary. Suspicious indicators of a BEC attack may include unusual timing, misspelled domains, modified account details, a sense of urgency, or the use of private or misleading email accounts. Some organizations find that the tone or timing of the email message may be off. A sense of urgency is almost always a driver to get you to move forward with the transfer quickly. Organizations may even get an “out of band” email from a Gmail or other private address saying the sender is having trouble with their corporate email. Don’t fall for this.

Always Confirm

You should never confirm a financial transaction by email alone. Always call the employee, vendor, or business directly to confirm and verify the specific details of the request before transferring any funds. What you are really doing is validating that the request is legitimate and confirming the details of the transaction. If something seems suspicious, notify your management and IT right away. They can begin blocking the attacker, identify whether any other accounts have been compromised, and understand the situation. Also notify your bank if you experience a business email compromise attack so they know your account is being targeted.

Follow Procedure

Hackers will try to bypass procedures to get you to transfer funds quickly. Follow your approval procedures and verify the authenticity of the request. Always involve multiple employees in your organization’s approval procedure for any transfer of funds. If a request comes in trying to bypass the procedure, you should now clearly understand the risk of a BEC attack. Hackers will use a sense of urgency to get you to act before you think, so that you fall victim to their attack.

Security Awareness Training

Even if you have the best processes in place, they are not going to be effective unless employees follow them. Security Awareness Training is the best way to make your employees aware of the business email compromise attacks targeting them. You should then train your employees on how to prevent business email compromise attacks. A great way to prevent business email compromise attacks is by running your employees through mock simulations and process reviews. Without quality training on BEC attacks, you are putting your entire organization at risk of becoming a victim.

Just because you’re not in the accounting department doesn’t mean you won’t be targeted in a BEC attack. Always follow your organization’s verification procedures, because hackers will use a sense of urgency to make you act before you think. Take the time to scrutinize financial requests and always report any unusual attempts to transfer funds. Don’t let the first time your organization practices responding to a business email compromise attack be under real-life conditions. Practice makes perfect. Ensure your employees are aware of business email compromise attacks and follow your organization’s procedures.

Author: Nick Santora, CISSP, CISA, Chief Executive Officer of Curricula.