A Key Cybersecurity Threat: Business Email Compromises (BEC)
A key cybersecurity threat for businesses is business email compromises (BEC). Since 2013, the FBI has been tracking this cybersecurity threat. These attacks are socially engineered by hackers who use compromised emails or spoof email addresses to try and trick employees into transferring money or other sensitive company information. Hackers use compromised email accounts to send more tailored phishing emails, initiate fraudulent wire transfers, move into HR/payroll portals, or steal additional information from email inboxes.
Rose & Kiernan, Inc. uses Beazley Breach Response (BBR) Services for a large number of our clients. In their 2019 Breach Briefing, Beazley reported a 133 percent increase in business email compromise incidents from 2017 to 2018. Financial institutions and the healthcare industry were overwhelmingly the most affected, making up 27 percent and 22 percent of all incidents respectively.
To prevent BEC, Beazley recommends the following steps:
- Provide anti-fraud training to all employees so that they learn how to detect and avoid phishing scams.
- Set up multi-factor authentication for remote access to email systems and applications.
- If you have employees who travel frequently and are authorized to request funds transfers, set up a process to confirm requests.
- Put a limit on the number of employees who are able to submit or approve wire transfers.
- When working with vendors or suppliers, they may request changes to their account details. If this is the case, remember the following:
- Contact the vendor directly to confirm all changes. Make sure that you use the original phone number that you have on file.
- Verify all changes in vendor payment location. For example, is the address or bank account different? If so – confirm directly with the vendor.
- Verify all changes in vendor payment practices. For example, were earlier invoices mailed and now emailed? Or did they require payment by check and now wire transfer? If so – confirm directly with the vendor.
- Look out for emails with extensions similar to the vendors emails. For example: firstname.lastname@example.org vs. johndoe@company_x.com.
- Run all requests by a supervisor or approver before making any changes.
Using these helpful hints and taking preventative measures are very important. However, cybersecurity insurance is also important (and recommended) should a security breach or cyber attack happen anyway. According to the FBI, business email compromise scams can result in companies or organizations losing up to billions of dollars. The cost of cyber protection depends on your industry or exposure, and it is a worthy investment to protect your business.