How Exactly Does Business Email Compromise Work?

iQuanti: Have you ever received a rather strange email from your CEO? Perhaps the email asked you to transfer money to a vendor that the company has worked with in the past? Or to provide gift cards to a local charity? 

At face value, you may not question it. Clearly, these are names you have heard of before so what is the harm in helping your fearless leader out? 

Well, this is a prime example of business email compromise (BEC), and it is more common than you think. 

What is business email compromise? 

Business email compromise is when cyberattackers create emails impersonating a senior executive of the company or one of its business partners to steal money. 

Sometimes, it involves the compromise of a legitimate business email account. However, it is often accomplished through social engineering and if you take a closer look at the email, you may be able to tell that it is indeed a fraud. 

In another type of BEC attack, bad actors intercept emails from third parties, such as suppliers, and substitute their own account numbers to gain access to your funds.

These scam emails can be harder to distinguish since attackers tend to use this technique right after you were having an email conversation with a supplier. 

How can you avoid falling into the attacker's trap? 

You can protect your information by understanding the cyberattacker's mindset and taking concrete steps. 

These types of attacks target distracted, busy employees and unfortunately, remote work has increased the risk of falling prey to these scams. With an increase in email usage and virtual communication, it is easy to overlook additional letters or punctuation marks added to domains or emails. 

There are a few steps you can take to protect yourself and the organization: 

Establish company-wide protocol 

Educate your employees about cybersecurity. You can provide training materials, allow employees to ask questions, and make sure they know who to contact if BEC affects them. 

Particularly for transactions, it is imperative company employees know how to properly handle email requests. Simple knowledge lessens the chance of compromise. 

Consider two-factor or multi-factor identification 

Two-factor or multi-factor tools require users to verify their identity through several steps, such as receiving a text. These tools can prevent scammers from accessing email addresses and other information that can allow them to scam employees. 

Slow down 

The best defense against BEC is attention to detail. When you notice an email that appears to be off the tone or nature of requests, it is worth analyzing before responding or downloading any attachments. 

Any repeated text in the email or if it was sent at an odd time can also indicate a scam. If your coworker usually works on EST, you might be wary of a strange email sent at 3 a.m. their time. 

In summary 

Business email compromise is common and can fool even the best of us. Trust your gut feeling when you see an email that looks a little off. It is better to be cautious than get your information stolen. 

Source: iQuanti, Inc.