How To Protect Your Company From Business Email Compromise

Phishing scams have been around for a long time. You’ve probably received an unexpected email telling you that one of your accounts has been compromised or that one of your friends is stuck in a foreign country and needs you to wire money immediately. Maybe you’ve been notified that you’re being evicted or that your computer antivirus protection needs to be updated.

The emails direct you to click a link to download software or to enter your banking information. If you follow the instructions, you end up with malware on your computer or fraudulent charges on your credit cards. Phishing emails are annoying, but, in most cases, a trained eye can spot the fakes.

Phishing emails often have misspelled words, domains that don’t seem quite right, missing signatures, grammatical mistakes, or other telltale signs that tip you off to the scam. As long as you know what to look for and stay alert, you and your employees can avoid becoming a victim of traditional phishing scams.

What if the usual telltale signs are missing from a phishing email? What if the attack email looks 100% legitimate because it really came from the email account of a person or organization you trust? The chances that you or someone in your company would fall for the trap are much higher. Unfortunately, that’s what happens in a business email compromise, or BEC. This article will help you understand business email compromise and how you can take steps to protect your company.

Understanding Business Email Compromise

According to the FBI, business email compromise schemes resulted in $1.7 billion in losses to companies in 2019 alone. Data from Check Point Research suggests that the numbers for 2020 are even higher, as cybercriminals have taken advantage of the disruption caused by the global pandemic to launch hundreds of thousands of cyber attacks on distracted workers.

A business email compromise happens when a bad actor gains full access to someone else’s email account. There are many ways the attacker can gain this access. They can guess usernames and passwords on a popular email platform like Microsoft 365 or Google Mail, or use stolen credentials from a data breach. They can also trick an individual through a conventional phishing attack into typing their password into a malicious website that harvests it. However it happens, a business email compromise allows a cybercriminal to exploit both the organization that owns the account and the other organizations it does business with.

Once an attacker gains access to an email account, they patiently research their targets’ habits, contacts, and email patterns. This allows them to avoid the mistakes that traditionally give away phishing emails. BEC attacks are rarely carried out via mass emails. Instead, malicious cyber actors choose a limited number of targets and work to maximize their profits before they are discovered.

BEC attack emails always look like they’re from a trusted source because they are from that trusted source: They are, from a technology perspective, indistinguishable from legitimate emails, meaning spam filters cannot catch them. The attack email requests that you take action such as paying an invoice, purchasing gift cards, modifying direct deposit information, providing personal information, or opening an attachment. These emails can be sent to other individuals in the same organization as the compromised account or to external parties. The attacker can even step into the middle of a legitimate email exchange and request a change to a transaction you are already approving, such as changing the account number the payment is sent to. The attacker’s goal is generally to profit financially from the email immediately, but some forward-thinking actors may use these attacks to gain information that will let them steal even more valuable data or gain further access to the company network to profit later.

Preventing Business Email Compromise

The best way to mitigate the risks of BEC attacks is to prevent the attacker from gaining access to your users’ email accounts in the first place, which can be accomplished through foundational cybersecurity practices. The following steps will help keep your network safe from BEC attacks and other schemes.

  • Require employees to use long, unique passwords and to change them frequently. No one likes having to invent strong new passwords, but this simple step is one of the strongest defenses against business email compromise.
  • Implement Multi-Factor Authentication (MFA) and make it mandatory. MFA requires employees to take extra steps, but the cybersecurity payoff is worth the extra time and effort.
  • Have your users (or your IT staff, with management’s permission) review the automatic rules configured within your users’ email accounts. BEC attackers use these rules to help mask their activities (such as by automatically moving emails from banks to the deleted items folder) or to help gather and steal data (such as by automatically forwarding a copy of any email with the word “invoice” in the subject to an external email address for analysis).
  • Have your IT staff both review and manage email login policies. This can include reviewing login records for activity from countries or regions your users are known not to operate from, and putting restrictions in place on the locations and times of day from which logins to your email system are allowed.
  • Train your staff to recognize suspicious emails and avoid sites that impersonate legitimate sites to ask for credentials. Your employees are crucial to defending against BEC, but they’re also a critical vulnerability if they’re not invested in your cybersecurity policies. Take the extra time to ensure that your employees understand why recognizing BEC schemes is essential and how it relates to your company’s overall success and security.
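The inbox-rule review step above is easy to automate once the rules are exported. The following is an added example (not designDATA’s code) that flags the two patterns the article names: rules that forward mail to an address outside the company, and rules that hide finance-related mail by deleting it or moving it to a folder nobody reads. The `Rule` structure and the sample rules are constructed for illustration; a real audit would load them from your mail platform’s rule export.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: your organization's own mail domains; any other domain is "external".
COMPANY_DOMAINS = {"example.com"}
FINANCE_RE = re.compile(r"\b(invoice|payment|wire|bank|remittance)\b", re.I)
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}


@dataclass
class Rule:
    """Simplified view of one inbox rule (hypothetical export format)."""
    owner: str
    name: str
    subject_words: Tuple[str, ...] = ()   # subject must contain one of these
    from_contains: Tuple[str, ...] = ()   # sender address must contain one of these
    forward_to: Tuple[str, ...] = ()      # addresses a copy is forwarded to
    move_to: Optional[str] = None         # destination folder, if any
    delete: bool = False                  # rule deletes the message outright


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in COMPANY_DOMAINS


def audit_rule(rule: Rule) -> List[str]:
    """Return human-readable findings for one rule (empty list = looks benign)."""
    findings = []
    financial = bool(FINANCE_RE.search(" ".join(rule.subject_words + rule.from_contains)))
    external = [a for a in rule.forward_to if is_external(a)]
    hidden = rule.delete or (rule.move_to or "").lower() in HIDING_FOLDERS
    if external:
        findings.append("forwards mail outside the company: " + ", ".join(external))
    if financial and hidden:
        findings.append("hides finance-related mail from the mailbox owner")
    if financial and external:
        findings.append("copies finance-related mail to an external address")
    return findings


def audit_mailboxes(rules: List[Rule]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group flagged rules by mailbox owner so IT can follow up with each user."""
    report: Dict[str, List[Tuple[str, List[str]]]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule.owner, []).append((rule.name, findings))
    return report


# Constructed sample rules (not real data): two attacker-style rules and two benign ones.
SAMPLE_RULES = [
    Rule("alice@example.com", "Invoice copy", subject_words=("invoice",),
         forward_to=("collector@mail-drop.example",)),
    Rule("alice@example.com", "Bank alerts", from_contains=("alerts@bank.example",),
         move_to="Deleted Items"),
    Rule("bob@example.com", "Newsletters", subject_words=("newsletter",), move_to="Archive"),
    Rule("bob@example.com", "Self copy", forward_to=("bob@example.com",)),
]
```

Running `audit_mailboxes(SAMPLE_RULES)` reports only Alice’s two rules; Bob’s internal forward and newsletter filing are left alone.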

Identifying Business Email Compromise Attacks

While preventing BEC attacks in the first place is always preferred, it may not always be possible. Cybercriminals may find a way around your protections and compromise one of your users’ accounts, or they may compromise the account of an outside party (for which you can’t directly implement cybersecurity policies) and use that outside party to launch BEC attacks against your organization.

BEC attack emails are sophisticated, as the attacker has already invested the time to gain access to an email account and doesn’t want to give themselves away before they get what they’re after. Employees must be vigilant to help spot these BEC attacks and notify the IT or cybersecurity team immediately if they suspect anything unusual. The following actions will help your workers successfully fend off BEC schemes.

  • Pay attention to the details. Signs of a BEC email include word choices or sentence structure that differ from how the sender typically writes.
  • Have verification policies in place. A requirement that every wire transfer be verified by at least two people (the requestor plus one other) before it is made can stop many BEC attacks in their tracks.
  • Have validation policies in place. Even if your CEO is allowed to authorize writing a check without a second approver, you can still have policies in place to validate the request really came from the CEO. If you get such a request via an email, validate it by having a policy that also requires a voice validation: Call your CEO on the phone to confirm it was really them that issued this request. If you call the sender to validate the request, make sure you call them on a previously-verified phone number, not the one the attacker provided to you in their email signature!
  • Resist requests to bypass your policies. BEC attackers often make their requests (such as wiring money or writing a check) with a sense of urgency or a request for discretion. Be wary if you receive such requests – even if the sender is familiar – as the attacker may be using social pressure to get you to skip your verification and validation steps.
  • Listen to your suspicions. If you suspect a case of business email compromise, take precautions and immediately notify your IT or cybersecurity team so they can take appropriate action.

Take the Next Steps

Cybercriminals continuously devise new ways to attack companies. Business email compromise and other malicious schemes get more sophisticated all the time. You need to stay up to date on the latest cyber attacks and how to defend against them. Take advantage of the excellent free cybersecurity resources available to you. If you have questions or concerns about your current cybersecurity strategy, book a discussion with one of the experts at designDATA to get started.

Jonathan Roy is the Director of Security and Compliance and has been providing IT and cybersecurity services with designDATA since 2004. He has extensive experience in information technology best practices, the ITIL framework for running IT operations, and how to secure IT environments. Jonathan now focuses exclusively on cybersecurity, data privacy, and related regulatory compliances for his customers. He regularly works with business leaders on risk mitigation and avoidance, cybersecurity consulting, incident response and recovery, incident preparedness, and compliance audits. At designDATA, Jonathan leads the organization's cybersecurity mission: Protecting small- and medium-sized organizations from cyber-crime.