What is a Business Email Compromise?

Cybersecurity is a top priority for businesses right now, especially in the aftermath of the Colonial Pipeline ransomware attack that led to gas shortages in the southeast. 

Even very small businesses need to make sure they’re up-to-date on cybersecurity best practices and the threat landscape. 

One threat in particular that a business of any size needs to know about and protect against is the business email compromise or BEC.

What is a Business Email Compromise?

Business email compromise occurs when a cyber attacker hacks into a corporate email account. Then, they impersonate the company owner and attempt to defraud said company, customers, vendors, or employees. Their goal is to get someone to send money or data to their account. 

A BEC is also known as a man-in-the-middle attack or a man-in-the-email attack. 

A man-in-the-middle or man-in-the-email attack occurs when there are two parties that think they’re directly talking to each other, but in reality, there’s an attacker who’s reading their conversations and even changing their communication to one another. 

How Does It Work?

The first step for an attacker who wants to launch a business email compromise scheme is research. Attackers will go through publicly available information that they can find on your business's social media, website, press releases, or local media. 

It’s pretty easy to find company owners and executives, including their names and titles. 

Then, once they’ve gathered the information they think they need, a cyber attacker can start working to gain access to an email account. 

As one example, a cybercriminal could change the reply-to address on outgoing messages, so the person whose email account they’re accessing won’t realize it. 

Another way to do it is to use a spoofed, look-alike domain that changes the real email address only slightly. 

Types of BEC Schemes

There are some specific types of BEC approaches a hacker might use, including:

  • Fake invoices: In this scenario, malware or phishing is used to get into a company email system. The criminal can then take over the email account of an employee to request funds transfers or payments of invoices. The email is sent from a compromised account asking for a specific amount to pay the invoice, and there’s often a sense of urgency in how the email is written. The targeted employee trusts the person sending the email, so if the attack is successful, they end up sending money to a fraudulent account. 
  • CEO fraud: In this example, a criminal impersonates an executive’s email account and then steals from the company using it. The spoofed address is usually only slightly different from the real one, to the point that most people wouldn’t notice. 
  • Account compromise: Using phishing techniques, an employee’s email account is breached, and the attacker then obtains the contact list for company suppliers. They can send emails from the hacked account asking for payments, which are then sent to a fraudulent account. 
  • Theft of data: In this type of attack, a cybercriminal might get access to a human resources email account and then request confidential information that can be used as part of a larger attack to gain data.

How Does It Happen?

Again, a cybercriminal can find all the information they need to successfully launch a BEC from publicly available information. Then, once they have that information, they can use phishing, in most instances, to hack a company email account. 

After gaining access to company emails, the hacker can target people with urgent emails. 

How Can You Prevent It?

Your employees are your weakest point when it comes to BEC attacks and any kind of phishing-related cybersecurity issue. Your employees need to be educated on the risk factors of BEC attacks and how to prevent them. Go over simulations of what phishing could look like. 

You should also make sure that you’re regularly communicating with your employees about everything related to phishing and email security. 

Strong password policies are important, and employees shouldn’t click on links or open attachments unless they’re expecting them. 

Multi-factor authentication should also be an integral part of your IT security policy; it helps reduce the risk of unauthorized email access, especially if someone is trying to log in from a new location. 

If an email comes through that asks for money or seems to have a sense of urgency, the policy should be to verify it by phone or in person. Employees should reach out to the person who sent it right away before they take further action. 
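The two tricks described above (a changed reply-to address and a look-alike sender domain) are both visible in message headers, so they can be flagged automatically before anyone acts on a payment request. The following is an added example, not code from the original article; the message, domains and trusted-domain list are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message: the From domain looks like a known partner,
# and Reply-To silently redirects replies elsewhere (hypothetical domains).
SAMPLE_MESSAGE = """\
From: "Pat Owner" <pat@examp1e-corp.com>
Reply-To: pat.owner@mail-relay-zz.example
To: accounts@example-corp.com
Subject: Urgent wire needed today

Please process the attached invoice before noon.
"""

# Domains the organisation actually corresponds with (constructed list).
TRUSTED_DOMAINS = {"example-corp.com", "partner-supplies.example"}


def domain_of(address_header):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(address_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; a small value means a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return reasons this message should be verified by phone or in person."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    findings = []
    # Trick 1 from the article: replies are routed to a different domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")
    # Trick 2: the sender domain is almost, but not exactly, one we trust.
    if from_domain not in trusted_domains:
        for trusted in trusted_domains:
            if 0 < edit_distance(from_domain, trusted) <= 2:
                findings.append(f"sender domain {from_domain} looks like {trusted}")
    return findings


if __name__ == "__main__":
    for reason in bec_indicators(SAMPLE_MESSAGE):
        print("VERIFY OUT OF BAND:", reason)
```

A real deployment would feed this from the mail gateway and treat any finding as a hold for the verification step the policy above describes, not as proof of fraud.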
