What is BEC and why should you care?
So let’s start with the basics. What is BEC?
Business Email Compromise (BEC) is a type of scam in which criminals use email fraud to target victims. The scammer pretends to be a high-level member of your company, usually a CEO or partner, and requests urgent payments or information.
And why should you care?
Well, these kinds of attacks have been on the rise significantly. They increased 29% in 2021, and as many as 98% of employees fail to report the threat, either due to not recognising the scam or feeling embarrassed or scared to admit to their mistake.
An article published by The Guardian last year revealed that more than £1.3bn was stolen by scammers in 2021 through authorised push payment (APP) fraud, of which 40% was BEC scams.
The article reports: “There were 461 CEO fraud cases last year, a jump of 29%, with losses increasing 165% to £12.7m.”
How does BEC work?
BEC attacks are usually well-crafted and sophisticated, making it difficult to identify them. The attacker first researches the target organisation and its employees. They gain knowledge about the company’s operations, suppliers, customers, and business partners.
Much of this information is freely available online, on sites like LinkedIn, Facebook, and organisations’ websites. Once the attacker has enough information, they can craft a convincing email designed to appear to come from a high-level executive or a business partner.
Consider your own LinkedIn profile. A scammer could write to you posing as your CEO, congratulating you once more on your promotion, asking how the networking event went last week, or acknowledging your recent certification. They could even imitate your CEO’s writing style by studying their LinkedIn posts.
This initial email could be enough to convince you it’s legitimately them, and once you’ve responded, the scammer can move on to a more urgent email requesting that you make a payment or transfer funds. The email will usually stress that the matter is urgent and confidential, such as a new business opportunity, a vendor payment, or a foreign tax payment.
The urgency of the request is designed to cloud your judgment and make you feel stressed, so that you send the money without questioning the legitimacy of the email.
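The pattern described above leaves traces in the message itself: an executive’s display name on an address that is not theirs, a sender domain that imitates your own, a Reply-To that quietly redirects answers to the scammer, mail claiming to be from your exact domain that failed DMARC at your gateway, and pressure language in the text. The following script is an added example (not part of the original article) that checks a raw message for those indicators using only the Python standard library. The company domain `example.com`, the executive list and the three sample messages are constructed for illustration.

```python
"""Flag the tell-tale signs of a BEC email in a raw message (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the defending organisation's domain and the executives worth impersonating.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Pressure phrases typical of the "urgent and confidential" request.
URGENCY = ("urgent", "confidential", "today", "between us", "can't talk", "right now")
# Substitutions used in lookalike domains: examp1e.com, rnicrosoft.com and the like.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats such as example.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target):
    """True when domain imitates target but is not target itself."""
    if not domain or domain == target:
        return False
    normalised = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return normalised == target or levenshtein(domain, target) <= 1


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in an RFC 5322 message string."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display name of a known executive on an address that is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name-impersonation")
    # 2. Sender domain is a lookalike of our own.
    if is_lookalike(from_domain, COMPANY_DOMAIN):
        findings.append("lookalike-domain")
    # 3. Reply-To points somewhere other than the From domain, so replies reach the scammer.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append("reply-to-mismatch")
    # 4. Mail claiming to be from our exact domain that did not pass DMARC at our gateway.
    auth = msg.get("Authentication-Results", "")
    dmarc = re.search(r"dmarc=(\w+)", auth, re.I)
    if from_domain == COMPANY_DOMAIN and (dmarc is None or dmarc.group(1).lower() != "pass"):
        findings.append("dmarc-not-pass-for-own-domain")
    # 5. Two or more pressure phrases across subject and body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if sum(1 for phrase in URGENCY if phrase in text) >= 2:
        findings.append("urgency-language")
    return findings


# Constructed sample messages (not real captures).
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent & confidential - vendor payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com

Hi, congrats again on the promotion. I need a vendor payment processed today, I can't talk right now. Please keep this between us.
"""
SAMPLE_SPOOFED = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@outlook.com
To: accounts@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Are you at your desk? I need a transfer processed today and it must stay confidential.
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board pack for Thursday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached is the agenda and the Q3 figures. Thanks.
"""

if __name__ == "__main__":
    for name, sample in (("lookalike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(name, bec_indicators(sample))
```

No single indicator is proof of fraud (a genuine executive may well set a Reply-To from a personal phone), so treat the list as a score that routes the message for a second look rather than as a block decision. The lookalike check is deliberately narrow: it catches digit substitutions and one-character edits of your own domain, not every impersonation.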
So how can you avoid BEC in your business?
Cyber Awareness Training
We’ve put this one first for a reason. Cyber awareness training is the number one way to protect your organisation from cyber attacks. Your employees are the first line of defence for your company, so it’s crucial they’re taught how to recognise and report suspicious online activity.
Training should be given to ALL employees at all levels, and should also cover email account security, since a compromised mailbox lets a scammer send BEC emails from a genuinely internal address.
Every organisation should have the standard email authentication protocols implemented: SPF, DKIM and DMARC.
These sound complicated, but each simply helps a receiving mail server verify that a message really came from the domain in its sender address: SPF lists the servers allowed to send for your domain, DKIM signs outgoing mail so forgery and tampering can be detected, and DMARC tells receivers what to do with mail that fails both checks and sends you reports about it. Together they stop exact spoofing of your own domain and add another layer of security to your inbox, blocking out a large portion of suspicious emails. They do not stop a scammer who registers a lookalike domain or sends from a mailbox they have already compromised, which is why the other measures on this page still matter.
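Having the records published is not the same as having them enforce anything: an SPF record ending in `~all` or `+all` and a DMARC policy of `p=none` look like coverage but let spoofed mail through. The following script is an added example (not part of the original article) that lints a domain’s SPF and DMARC TXT records for those weak settings, following the semantics of RFC 7208 and RFC 7489. The records it checks are constructed sample strings; in practice you would fetch them with a DNS lookup of the domain’s TXT record and of `_dmarc.<domain>`.

```python
"""Lint SPF and DMARC TXT records for weak settings (added example, constructed records)."""
import re

# Terms that cost a DNS lookup under RFC 7208's limit of 10 per evaluation.
LOOKUP_TERMS = ("include:", "a:", "a/", "mx", "ptr", "exists:", "redirect=")


def parse_spf(record):
    """Return (mechanisms, qualifier of the 'all' term) or None if this is not an SPF record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    all_qualifier = None
    for term in parts[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"   # SPF's default qualifier is '+'
    return parts[1:], all_qualifier


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def assess_email_auth(spf_record, dmarc_record):
    """Return a list of weaknesses; an empty list means the records enforce spoof rejection."""
    issues = []
    spf = parse_spf(spf_record)
    if spf is None:
        issues.append("spf: no valid record, receivers cannot reject forged envelope senders")
    else:
        mechanisms, all_q = spf
        if all_q is None:
            issues.append("spf: no 'all' term, unlisted senders get a neutral result")
        elif all_q in ("+", "?"):
            issues.append(f"spf: {all_q}all lets any host send as this domain")
        elif all_q == "~":
            issues.append("spf: ~all is softfail; change to -all once all senders are listed")
        stripped = [m.lstrip("+-~?").lower() for m in mechanisms]
        lookups = sum(1 for m in stripped if m == "a" or m.startswith(LOOKUP_TERMS))
        if lookups > 10:
            issues.append("spf: more than 10 lookup terms, the record evaluates to permerror")

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        issues.append("dmarc: no valid record, receivers will not check alignment at all")
    else:
        policy = dmarc.get("p", "none").lower()   # 'p' is mandatory; treat a missing one as none
        if policy == "none":
            issues.append("dmarc: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            issues.append("dmarc: p=quarantine; move to p=reject once reports look clean")
        if int(dmarc.get("pct", "100")) < 100:
            issues.append("dmarc: pct<100 applies the policy to only a sample of messages")
        if dmarc.get("sp", policy).lower() == "none" and policy != "none":
            issues.append("dmarc: sp=none leaves subdomains unprotected")
        if "rua" not in dmarc:
            issues.append("dmarc: no rua address, you will not receive aggregate reports")
    return issues


# Constructed sample records for a hypothetical example.com.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"
OPEN_SPF = "v=spf1 +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_email_auth(spf, dmarc) or ["ok"])
```

Run it against your own domain’s records before assuming you are covered: most organisations that “have DMARC” are still at `p=none`, which only reports on spoofing without blocking it. The path to `p=reject` is to publish at `p=none` with an `rua` address, fix every legitimate sender the reports reveal, then raise the policy.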
Deploy a Payment Verification Process
Deploying a payment verification process adds another layer of control to your payment method. The check should be independent of email: require a second person to approve transfers above a set threshold, and confirm any new or changed bank details by phone using a number already on file, never one supplied in the request itself. This means that if an employee does fall for a BEC scam, the second approver can still stop the payment from going through. Furthermore, the extra stage gives the sender another opportunity to consider the legitimacy of the request.
Check Financial Transactions
Regularly checking financial transactions and bank statements is crucial for organisations. If the worst happens and money is sent to a fraudster, at least you will be able to identify the error immediately. There have been many cases where businesses haven’t noticed the scam for months, meaning it’s often too late to have any hopes of recovering the lost funds.
Establish a Response Plan
As in any disaster recovery process, a response plan should be established for BEC incidents, including procedures for reporting the incident internally, contacting your bank immediately to stop or recall the transfer, and notifying law enforcement. Speed matters here: the sooner the bank is told, the better the chance that the funds can be frozen before they are moved on.
Need help with email security solutions?
It only takes one small lapse of judgment for money to leave your account and become unrecoverable. Don’t leave your business emails unprotected. Reach out to our security team for further information and a complimentary cyber audit.