Don’t Become a Ransomware Statistic: Protect Your Business from BEC Scams Today

By: Anthony Dolce | June 17, 2023

Anthony Dolce is head of professional liability and cyber at The Hartford. He frequently speaks at cyber-related events around the country, authors thought leadership pieces and serves on several insurance industry groups.


According to the FBI’s Internet Crime Report, business email compromise (BEC) is one of the most financially damaging online crimes. In 2022, there were nearly 22,000 related complaints, and businesses lost more than $2.7 billion to these scams.

Schemes can play out in several ways. For example, a scammer might take over or imitate an email from an executive or reach out to an employee on the finance team with an urgent request for a money transfer sent directly to the scammer’s account. Or a fake executive might ask an employee to buy and send them gift cards, which can be quickly cashed out or resold.

In some BEC schemes, the criminals attack from a different angle. For example, they could compromise a vendor’s email account and monitor the email account activity. After the vendor sends a legitimate invoice, the scammer quickly follows up as the vendor, apologizes for a mistake in the payment information and asks for the payment to be sent to a different account.

What Could Happen If a Business Is Targeted?

Criminals often conduct well-researched and coordinated attacks. For instance, the scammer might spend days learning about the company and monitoring its social media activity. They might even wait until the business is at a conference before springing into action.

For example, they might pose as the business owner and send an email requesting an urgent wire transfer, claiming that a merger or acquisition has just closed and the money is needed right away. If an employee acts on it, the business might be out tens of thousands of dollars.

How Does Phishing Play a Role?

In most instances of BEC, as well as other cyberattacks, phishing plays a part in the fraud. Even when phishing is not the leading cause of an attack, cybercriminals often use it in preparation for the actual attack.

To protect themselves, businesses should be cyber risk aware. Training employees and implementing email security protocols can help prevent these types of attacks and reduce losses.

5 Ways to Help Protect a Business from BEC

Businesses can readily arm themselves against the threats of BEC scams by implementing the following strategies:

1) Establish an Electronic Funds Transfer (EFT) Policy

Employees should confirm that any email requesting a transaction, such as a direct deposit or an electronic funds transfer, is legitimate. Employees can verify these requests by calling the sender directly, whether that’s another employee, vendor, or supplier.

It’s also important that employees not contact the payee using any email address or phone number included in the electronic funds transfer request. That contact information can easily be fake and part of the scam. Employees should always rely on contact information that comes from the business’s own records.

In addition, it is important to make sure employees can recognize red flags in scam emails such as look-alike or different reply-to addresses. Scammers might send an email from an address that looks very similar to the company’s email such as [email protected] instead of [email protected], or they can make the “from” address look exactly like the company’s, but the “reply-to” address is the scammer’s email account.

Another red flag is short messages that create a sense of urgency and a need for secrecy. The scammers could use a false pretense to ask for a quick response to an urgent request and keep recipients from asking others for advice. For example, the threat actor might ask an employee to buy 15 gift cards today and not tell anyone because they’re going to be a surprise thank you gift for the team tomorrow.

Businesses should also beware of unusual timing and requests for changing account information. The attack could start during off-hours or a holiday, which plays into the idea that it’s an urgent request and could keep the recipient from verifying details with others. It’s important to verify the request by phone using a number that’s not listed in the email.

2) Check the Real Sender Domain in Emails

Many BEC scams are difficult to catch because they rely on a mixture of technological know-how and psychological manipulation of the recipient. For example, an employee may receive an email that looks like it was sent from a known vendor with a link to download and pay an invoice. However, this link might open a malicious webpage or harmful content. In situations like this, employees need to verify that the sender is legitimate.

To verify an email, employees can hover over the sender’s email address and look at the domain the email is coming from to make sure it’s a trusted source. The same applies to any embedded links within the email: hovering over a link shows the real URL. If it does not match what is displayed in the email, or the person or company supposedly sending the email, it’s likely phishing.
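The three red flags described in sections 1 and 2 (a look-alike sender domain, a Reply-To that differs from the From address, and a link whose visible text names a different host than its real target) can be checked automatically. This is an added example, not code from the article or The Hartford; the trusted domain and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"example-corp.com"}  # assumed: the company's real domain

# Constructed sample message showing all three red flags the article lists.
SAMPLE = """\
From: "CEO" <ceo@example-c0rp.com>
Reply-To: ceo@mail-relay-example.net
Subject: Urgent - need this handled today
Content-Type: text/html

<p>Please pay the attached invoice now:
<a href="http://pay-portal-example.net/login">https://example-corp.com/invoices</a></p>
"""

def edit_distance(a, b):
    """Levenshtein distance: spots domains a character or two off from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def red_flags(raw):
    """Return human-readable warnings for the raw RFC 822 message `raw`."""
    msg = message_from_string(raw)
    flags = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg["Reply-To"]) if msg["Reply-To"] else sender
    # 1) look-alike domain: close to, but not equal to, a trusted domain
    for trusted in TRUSTED_DOMAINS:
        if sender != trusted and 0 < edit_distance(sender, trusted) <= 2:
            flags.append(f"look-alike sender domain {sender!r} (near {trusted!r})")
    # 2) reply-to mismatch: replies would go to a different domain than the From
    if reply_to != sender:
        flags.append(f"Reply-To domain {reply_to!r} differs from From domain {sender!r}")
    # 3) link mismatch: visible URL text names a different host than the real href
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = re.match(r"https?://([^/\s]+)", text.strip())
        if shown and shown.group(1).lower() != (urlparse(href).hostname or ""):
            flags.append(f"link text shows {shown.group(1)!r} but goes to {urlparse(href).hostname!r}")
    return flags
```

Running `red_flags(SAMPLE)` yields three warnings; a message from the trusted domain with matching Reply-To and honest links yields none.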

3) Protect Email Domain and Authenticate Emails

Email security protocols can help prevent phishing attacks by giving receiving mail servers a way to check that an email really came from the domain it claims. The Sender Policy Framework (SPF) restricts which mail servers may send on behalf of an organization’s email domain, and DomainKeys Identified Mail (DKIM) signs messages so receivers can confirm the content hasn’t been altered. Domain-based Message Authentication, Reporting and Conformance (DMARC) ties SPF and DKIM together and tells receivers what to do with an email that fails authentication.
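To make the SPF and DMARC roles concrete, here is an added example (not from the article) that reads a domain’s SPF and DMARC TXT records and flags the settings that leave it easy to spoof, with a weak record set beside a hardened one. The domain and records are constructed, not taken from any real organization.

```python
# Added example (not from the article): assess a domain's SPF and DMARC TXT
# records and flag settings that leave it easy to spoof. Both record sets are
# constructed for illustration, not taken from any real domain.

WEAK = {  # neutral SPF and monitoring-only DMARC: spoofed mail is still delivered
    "example-corp.com": "v=spf1 include:_spf.mail-provider-example.net ?all",
    "_dmarc.example-corp.com": "v=DMARC1; p=none",
}
HARDENED = {  # SPF fails unlisted servers; DMARC rejects failures and sends reports
    "example-corp.com": "v=spf1 include:_spf.mail-provider-example.net -all",
    "_dmarc.example-corp.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-corp.com",
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(txt):
    """Issues with an SPF record; the 'all' qualifier decides what happens to unlisted senders."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell which servers may send as this domain"]
    qualifier = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), "(missing)")
    if qualifier.lower() in ("+all", "all", "?all", "(missing)"):
        return [f"SPF 'all' term is {qualifier}: mail from unlisted servers is not failed"]
    return []

def assess_dmarc(txt):
    """Issues with a DMARC record: no policy, monitor-only policy, or no reporting."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers get no instruction for unauthenticated mail"]
    issues = []
    if tags.get("p", "none") == "none":
        issues.append("DMARC p=none: failing mail is only reported, never quarantined or rejected")
    if "rua" not in tags:
        issues.append("DMARC has no rua: no aggregate reports showing who is sending as the domain")
    return issues

def assess_domain(records, domain):
    """Combine SPF and DMARC findings for `domain` from a dict of TXT records."""
    return assess_spf(records.get(domain, "")) + assess_dmarc(records.get("_dmarc." + domain, ""))
```

`assess_domain(WEAK, "example-corp.com")` returns three findings and `assess_domain(HARDENED, "example-corp.com")` returns none; in practice the records would be fetched from DNS rather than the inline dicts.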

4) Use Multi-Factor Authentication to Avoid Phishing Attacks

If a phishing attack succeeds in stealing a user’s login credentials, multi-factor authentication can help prevent the attacker from gaining access to the computer systems. With multi-factor authentication, logging in requires an additional factor beyond the username and password, so stolen credentials alone are not enough.

5) Create a Phishing Training and Awareness Program

Training is the best way to prevent a BEC attack. It should include education on what phishing attacks are, with examples; regular testing of employees’ knowledge; and resources and information on what employees should do if they think they’ve fallen for a phishing attempt.

What to Do If the Company Falls Victim to a BEC Attack?

After a BEC attack, the business should immediately contact the financial institution to see if it can reverse the transfers or payments.

Companies can also work with their IT team to make sure devices and accounts are secure, which may involve changing passwords and updating security measures.

Additionally, the business should report the incident to the FBI’s Internet Crime Complaint Center and include as many details as possible because the report can help the FBI track and stop these types of crimes.

Look to Insurance Carriers for Incident Response Planning Assistance

Cyber insurance should be an important part of any company’s incident response plan with a holistic approach that provides coverages encompassing data breach, ransomware, and business interruption.

Threats to cybersecurity should also be taken seriously for the safety, security and stability of business operations and industry success. Organizations can look to their insurance carriers to provide critical cyber hygiene education.

Companies must prepare and have tactics ready to go in case of an incident because it is likely that any business can be attacked.
