Business Email Compromise Scams Skyrocket
The FBI reports that business email compromise (BEC) incidents have risen nearly 500 percent, with victims in all 50 states and in 150 countries. BEC scams, a targeted form of spear phishing also known as CEO fraud or invoice fraud, have cost companies $150 million.
According to research from Proofpoint, BEC attacks surged over the past year, up 476% from Q4 2017 to Q4 2018. No company is too large or too well-defended to be a victim: Google (Alphabet) and Facebook together lost more than $100 million to a single BEC scheme built on fake supplier invoices.
What is business email compromise?
BEC scams are more targeted than the average phishing attempt. In a BEC scam, the attacker sends an individually written, personalized email to specific employees, typically those who handle payments, payroll or other sensitive data. This contrasts with bulk phishing, which sends the same message to a long list of addresses in the hope that someone clicks a link or opens an attachment.
Attackers research the company, then pose as a senior manager or a business partner. They may register a look-alike domain, forge the sender address, or steal the login credentials for the real person's mailbox. The email carries an urgent request for a wire transfer or sensitive employee information and warns of consequences for delay, such as paychecks not going out on time or a time-sensitive order being held up. Some attackers follow up by phone to add legitimacy. Wanting to please the person they believe is their boss, the employee complies.
Because the request is urgent and the email looks genuine, the employee may not realize they have been the victim of a BEC until the money is gone.
How do I prevent losses from BEC scams?
Most BEC emails contain no malicious link or attachment, so spam and malware filters are unlikely to catch them. Some of the ways you can protect your business and your employees from BEC scams are:
- Require multi-factor authentication (2-step verification) on all employee email accounts to protect against account takeover.
- Prohibit employees from using personal email for business, and work email for personal business.
- Avoid running your own email server unless you have staff with the skills to manage its security.
- Publish SPF, DKIM and a DMARC policy for your domain. DMARC tells receiving mail servers to reject messages that claim to come from your domain but fail authentication; it does not stop mail from a look-alike domain or from a legitimate account an attacker has taken over.
- Require that sensitive processes attackers target, such as wire transfers and releasing payroll data, be authorized by more than one person, and confirm any change to payment instructions through a known phone number rather than by replying to the email.
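The following script is an added example, not code from the original article or from IDMI.Net, showing two checks a practitioner would actually run: whether a domain's DMARC record is enforcing rather than monitoring-only, and a header-based triage of inbound mail for the spoofing techniques described above (executive display name on a foreign mailbox, a look-alike domain, a diverted Reply-To, a DMARC failure, and urgent payment language). The corporate domain example.com, the executive directory, both DMARC records and both message header blocks are constructed assumptions. The two samples are chosen to make the caveat concrete: the look-alike domain passes DMARC because the attacker owns it, and is caught only by the other checks.

```python
"""Added example (not from the page): DMARC record check plus header-based BEC triage.
All domains, names, DMARC records and message headers below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed corporate domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # assumed executive directory

# Constructed DMARC TXT records: monitoring-only versus enforcing.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

# Constructed headers: look-alike domain the attacker owns, so authentication passes.
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
To: accounts.payable@example.com
Subject: URGENT: wire transfer before 3pm
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=examp1e.com
"""

# Constructed headers: the real domain forged in From, so DMARC fails; Reply-To diverts replies.
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <ceo-jane@freemail.example>
To: accounts.payable@example.com
Subject: Urgent - invoice payment
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail header.from=example.com
"""


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_weaknesses(txt):
    """List reasons a DMARC record would let spoofed mail through (empty means it enforces)."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    problems = []
    policy = tags.get("p", "none")
    if policy == "none":
        problems.append("p=none: receivers only report, spoofed mail is still delivered")
    elif policy == "quarantine":
        problems.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if "rua" not in tags:
        problems.append("no rua= address: you will not see who is spoofing your domain")
    return problems


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_headers):
    """Return the BEC indicators found in one message's headers."""
    msg = message_from_string(raw_headers)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hits = []
    # Executive's display name on a mailbox that is not the executive's.
    expected = EXECUTIVES.get(from_name)
    if expected and from_addr.lower() != expected:
        hits.append("display-name spoofing: '%s' sent from %s" % (from_name, from_addr))
    # Sender domain one or two characters away from the real one.
    if from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        hits.append("look-alike domain: %s resembles %s" % (from_domain, ORG_DOMAIN))
    # Reply-To pointing somewhere other than the apparent sender's domain.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        hits.append("reply-to mismatch: replies go to %s" % reply_addr)
    # The receiving server's own DMARC verdict.
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", "")):
        hits.append("dmarc=fail: the From domain did not authorize this message")
    # The social-engineering hook: urgency plus money or payroll data.
    subject = msg.get("Subject", "").lower()
    if re.search(r"\b(urgent|immediately|asap)\b", subject) and re.search(
            r"\b(wire|transfer|invoice|payroll|w-2|gift card)\b", subject):
        hits.append("urgent payment request in subject: %r" % subject)
    return hits


if __name__ == "__main__":
    for record in (WEAK_DMARC, STRICT_DMARC):
        print(record, "->", dmarc_weaknesses(record) or ["enforcing"])
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_SPOOF):
        print(sample.splitlines()[0])
        for hit in bec_indicators(sample):
            print("  -", hit)
```

Run as-is to see both DMARC verdicts and the indicators for each sample. The heuristics are deliberately simple and will produce false positives on legitimate mail; in practice they belong in a mail gateway rule or SIEM query that raises a warning banner or a review task, not a silent block. Note that neither sample would be stopped by DMARC alone: the forged-domain message is rejected only if your own record says p=reject, and the look-alike message passes authentication entirely.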
Informing employees about BEC is a good first step toward preventing losses. Attackers often target several employees at the same company around the same time, so anyone who receives a suspicious email should report it so that everyone can be warned. Regular cybersecurity training helps prevent not only BEC scams but other cyber threats as well.
When you partner with IDMI.Net to create your website and business email accounts you receive our commitment to protecting your information. Find out more by contacting us today.