How can you prevent business email attacks? Is training enough? We'll walk you through solutions and tips to protect your enterprise email from these attacks.
Why is business email compromise such a problem?
Business email compromise (BEC) attacks are sophisticated scams that target specific individuals with believable emails asking for funds to be transferred. These attacks can cost a company thousands, if not millions, of dollars a year.
Why BEC Attacks Are So Dangerous
While ransomware attacks make it on the nightly news, BEC goes largely unnoticed in the mainstream media. But according to a recent FBI report, Business Email Compromise (BEC) crimes were the most financially devastating type of cyberattack, accounting for nearly $1.8 billion in losses.
These types of attacks are successful because they specifically target companies that deal regularly with international wire transfers in large sums. Unlike random phishing attempts that send out indiscriminate messages, BEC scams are highly targeted making them considerably more dangerous.
Business Email Compromise Examples
BEC attacks leverage a combination of phishing and social engineering tactics to trick authorized staff into wiring money to the scammer. These targeted attacks often take considerable time to plan and can be tough to spot to the untrained eye.
BEC scams can take many different forms, making them difficult to consistently identify. Let’s take a look at six of the most common types of BEC fraud.
Fake Invoice
Scammers send a fake invoice pretending to be a trusted vendor or partner. They often use lookalike domains to closely resemble a known vendor of the target company. The fake invoice contains incorrect account information resulting in funds being routed to the attacker.
In some cases, the invoice can also contain a keylogger, where the attacker will steal financial information by leveraging spyware if the initial scam fails.
Fake Account Update
Attackers use phishing messages pretending to be a known partner of a third-party vendor with the company. These crimes are usually directed towards the accounting department or human resources.
The victim believes this to be the real person and updates their banking information to the attacker's account. This tactic is also used to impersonate employees, where the attacker contacts the HR department and requests that their direct deposit information is updated to the attackers’ account.
Transaction Attacks
Scammers can exploit insecure email communications to “listen” in on messages pertaining to large transactions, typically in the legal or real estate industry. They leverage this collected information and message the victim from a spoofed address claiming that the account details need to be updated.
This fraud usually happens right before a transaction is going to take place and occurs towards the end of the day. The scammer will often send the fraudulent request from an account that looks similar to the legitimate payee’s account.
Gift Card Scams
Fraudsters use whaling techniques to impersonate a CEO or high-level executive within an organization, and pressure other staff members to purchase gift cards. These scams usually claim the gift cards are for employee rewards, parties, or raffles.
The attacker asks the victim to read them the number on the back of the card, so they can sell those cards online in exchange for cash or cryptocurrency. Gift card scams can occur via email but have increasingly become more common via text message.
Advanced Payment Scam
After studying the target company, attackers will impersonate a known vendor and request advanced payment on a service or goods that were previously not required. The attacker may use fake quotes, invoices, or other documents to support their payment request.
Accounts Receivable Scam
This attack impersonates a high-level staff member within the organization and makes an internal request for old account receivable reports. Once the attacker has these reports, they use this information to attempt to collect the debt owed through another phishing scam.
How to Prevent a BEC Attack
The best way to combat BEC is to prevent them in the first place. Here are a few of the best ways to protect yourself from these scams.
Implement DMARC Protection
Using DMARC authentication for your domain drastically reduces your organizations’ exposure to phishing messages, spoofing attempts, and fraud. DMARC is completely free to set up and helps validate your messages while protecting your business against impersonation.
DMARC uses two components to protect your domain. First, an SPF record is used to help others know what server your email should be coming from. Second, DKIM email authentication validates your messages to combat spoofing attempts.
Use Internal Account Controls
Internal policies and procedures can drastically reduce the risk of BEC, especially when dealing with wire fraud. Review or create procedures for staff members before they move money, change account details, or send sensitive information.
Deploy Phishing Training
Phishing campaigns can help train all staff to identify suspicious messages by sending “test” phishing messages to their inbox. This strategy combined with continuous education can help reduce the risk of BEC while improving the overall security posture of the company.
Flag Emails as External
Email administrators can create a rule on their mail server that tags emails as external. This helps staff easily identify when a message is coming from somewhere outside of their organization, without having to study the “From” field.
Multi-Factor Authentication
Multi-Factor Authentication (MFA) can help add an additional layer of email protection to your organization. MFA works by only allowing authentication when a secondary device is used in conjunction with a username and password. This helps prevent fraud even when credentials are stolen.
How to Report Business Email Compromise
If you believe you are the victim of a BEC scam, contact your bank or provider immediately to prevent further compromise. Contact your IT administrator with details of the message. Quickly contacting your IT department can help them prevent future compromise in the organization.
If you have been sent a fraudulent message, there are a few simple steps you can take to report BEC.
- Forward the message directly to the FTC at [email protected]. If the message was a text, you can forward it to SPAM (7726).
- Report the attack by visiting http://ftc.gov/complaint. Reporting BEC helps the FTC stop future fraud and accurately forecast threat trends.
The Agari Advantage
Agari offers a proactive solution to combat email threats using DMARC and advanced phishing protection. The system utilizes both signature-based security as well as behavioral analysis to stop both malicious files, and phishing attempts at the same time.
Predictive analytics identifies new threat trends as they emerge by proactively scanning trillions of messages. As new threat patterns are identified, they are automatically applied to your threat database, ensuring even the newest types of attacks are thwarted.
No matter where your email is hosted, Agari offers a wide variety of integrations into platforms like Office 365, Microsoft Exchange, and Gmail. Setup is simple and doesn’t require any downtime, meaning no missed emails during onboarding.
If you’re looking to protect your company from email-based attacks, Agari’s Advanced Email Security can help. Sign up for a free trial to see the difference Agari can make in your inbox.