Business Email Compromise (BEC) is on the rise, and no company is too small to become a target.
BEC happens when criminals send emails that mimic real senders and real companies in order to fool victims into clicking malicious links or into unwittingly assisting in financial theft.
I recently worked with a non-profit organization that was targeted in just such a scam. Publicly available information was used to create an almost convincing ruse. After a board meeting, an employee received an email from the supposed Board Treasurer requesting access to the organization’s bank account because “he had forgotten his financial documents in the meeting room.” Fortunately, the employee knew the Treasurer’s behavior well enough to realize the request was out of character, and she did not comply. But just imagine if she had. Now imagine how quickly one of your employees might want to comply with a request from a supervisor or valued client.
The Internet Crime Complaint Center (IC3) reported that BEC schemes resulted in over $1.7 billion in worldwide losses in 2019. The FBI Cyber Division recently warned about BEC and offered 14 recommendations, most of which can and should be handled by your IT security company.
TIPS any employer can immediately use:
Be wary of last-minute email account changes.
If you suddenly receive an email from a vendor or client about a financial matter and the email address has changed, call them at a number you already have on file and verify the new address.
Check email addresses for slight changes and text for stilted language.
In the case of the non-profit “Treasurer,” the email address had the correct name, but the domain suffix was different. The grammar was also slightly off, with incorrect pronouns and choppy sentence structure.
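One way to automate this check at the mailbox or mail gateway, as an added example that is not part of the original post: compare each sender against a directory of trusted contacts and flag the “right name, wrong domain” pattern from the anecdote. The contact names, addresses and domains below are constructed for illustration.

```python
"""Sender-consistency check for incoming mail (added example, constructed data)."""
from email.utils import parseaddr

# Constructed directory of trusted contacts: display name -> known address.
# A real deployment would load this from the address book or vendor master list.
KNOWN_CONTACTS = {
    "pat lee": "pat.lee@example-nonprofit.org",   # hypothetical treasurer
    "acme billing": "ar@acme-supplies.example",   # hypothetical vendor
}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> str:
    """Return a verdict for the raw value of a From: header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known is None:
        return "unknown_sender"        # not in the directory; normal handling
    if addr == known:
        return "ok"
    known_dom, got_dom = _domain(known), _domain(addr)
    if known_dom == got_dom:
        return "address_changed"       # same domain, new mailbox: verify by phone
    # Same organisation name with a different suffix (.org -> .com) is the
    # pattern described in the treasurer anecdote.
    if known_dom.rsplit(".", 1)[0] == got_dom.rsplit(".", 1)[0]:
        return "suffix_changed"
    if _edit_distance(known_dom, got_dom) <= 2:
        return "lookalike_domain"      # e.g. acme-supp1ies.example
    return "domain_mismatch"           # known name, unrelated domain

if __name__ == "__main__":
    for hdr in ['"Pat Lee" <pat.lee@example-nonprofit.org>',
                '"Pat Lee" <pat.lee@example-nonprofit.com>',
                'Acme Billing <ar@acme-supp1ies.example>']:
        print(hdr, "->", check_sender(hdr))
```

Any verdict other than "ok" or "unknown_sender" is a cue to pick up the phone before acting on a financial request, not a reason to block the message outright.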
Turn off legacy email protocols.
Consider blocking legacy email protocols such as POP, and hardening SMTP and IMAP, which attackers can use to circumvent Multi-Factor Authentication (MFA). Old protocols that accept a password alone are easy to attack. Because many people reuse credentials across platforms, an attacker can take a database of stolen credentials and try them against your systems until one works.
Encourage employees to challenge suspicious financial and payment requests.
Most employees want to jump at the request of a valued client or supervisor, but that eagerness makes them naturally susceptible to phishing and social engineering. Embolden employees to back up digital processes with an old-fashioned phone call to confirm any request that seems out of the norm. No one should be upset to discover that your employees are making sure finances and data are kept safe.
TRAIN employees on how to spot suspicious communications.
In the rush of busy days, security training often takes a back seat, until something goes wrong. When something “goes wrong” with Business Email Compromise, it can mean losses too large to recover from. A five-minute training or reminder session during staff meetings, or simply sharing the above tips with employees, can mean the difference between busy days of business and bad days of business loss.