Business Email Compromise (BEC), also known as CEO Fraud, is a relatively new form of scam that gives hackers fast results and can cause maximum damage to your business. These emails are much harder to spot than ordinary phishing and end up costing millions in fraudulent transfers. Hackers use social engineering to carefully select their next targets, then impersonate key staff members or trusted partners to trick their victims into transferring funds online. If they’re successful, they’ve then got access to a wealth of information that can lead to massive financial losses and embarrassment, especially with the introduction of the new GDPR laws in May.
Hackers use tried and tested tricks that make their emails look totally genuine and raise no suspicion, encouraging their victims to act quickly and without a thought for verification.
Here are just some of them:
- Creating email addresses using domains that look very similar to the real thing
- Using urgent tones: “This needs to be done ASAP”
- Stating that the CEO is in a meeting and can’t be disturbed
- Using a well-known line such as “sent from my iPhone”, implying the sender is in a meeting or on the road
- Using legitimate-looking account details, obtained through their social engineering
You may well be reading this thinking you’d never be so gullible as to fall for such a scam. But can you be sure every single member of your team would be so savvy? How about when it’s almost clocking-off time, they’re tired, and “The Boss” emails them asking to transfer a small amount of money into a “client” account?
What if there’s nobody else around to ask and they don’t want to let the boss down or annoy them, especially when the email clearly states that they mustn’t be disturbed?
Hackers rely on “fear of management” psychology. They know that people want to be seen to be efficient and are unlikely to refuse to do something when specifically asked by their boss.
Small and medium-sized companies are particularly attractive to cyber criminals because they typically have fewer defence mechanisms in place. After all, who would be interested in hacking them?
Well, sadly, hackers would be. Very interested.
Here are our tips on how to reduce your risk of falling victim to a BEC scam:
- It’s important to keep your wits about you; complacency is dangerous, especially when it comes to email fraud. If anything looks even slightly suspicious, don’t touch it.
- 24/7 monitoring is the best way to keep you and your business safe from attack.
- Carefully developed software that looks out for unusual and unauthorised emails will always be more effective than humans scanning for potential issues.
Educate your team
- It is essential that everyone with computer access is trained on email security and knows how to spot suspicious emails.
- Teach them to always question messages that ask them to act fast, especially if they mention anything to do with money.
- Make it a requirement that employees use strong passwords that can’t be easily guessed and are changed regularly. And never, ever share passwords.
- Click here to view our recent blog post on password security.
Keep it on lockdown
- Email encryption is one of the most reliable ways to protect your email content. It works by scrambling the content of email messages so that it is unreadable to anyone who does not hold the right key.
- Encryption means that even if someone does gain access to your mailbox or mail server, they won’t be able to read any of the content without the correct key.
Update your policies
- Having two-factor or multi-level authentication policies for wire transfers can stop BEC attacks in their tracks, and it’s wise to insist that any payments are confirmed verbally by you first.
- Strong BYOD (Bring Your Own Device) and data protection policies are also essential for reducing the risk of data breaches.
- Click here to access our blog post on BYOD.
Invest in robust email security protection
- Protect your people, data and brand from common threats like phishing, impostor emails, malware, spam and bulk mail. The more layers of protection you have, the safer you’ll be.
- Robust email security software will analyse domain reputations, email content, headers and signatures and sender-recipient relationships to identify scams before they can reach your end users or do any damage.
- Email filtering can help you control all inbound and outbound communications. It quarantines spam, phishing emails and adult content, as well as helping you to prioritise the messages in your inbox.
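As an added example (not the page’s or any vendor’s code), here is a small Python checker that applies the red flags listed earlier (look-alike domains, urgency, the “in a meeting” excuse, the mobile signature) together with the header and sender-relationship analysis described above to a constructed message; the trusted domain and executive names are assumed values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.com"   # assumed: the company's genuine domain
EXECUTIVES = {"jane doe"}             # assumed: display names staff would act on without question
CUES = {  # body-level social-engineering cues the post describes
    "urgency": re.compile(r"\b(asap|urgent(ly)?|immediately|right away)\b", re.I),
    "unreachable-boss": re.compile(r"in a meeting|can.?t be disturbed|do not disturb", re.I),
    "money-request": re.compile(r"\b(transfer|wire|payment|invoice|funds)\b", re.I),
    "mobile-signature": re.compile(r"sent from my (iphone|ipad|android)", re.I),
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one or two edits from the real one is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_email: str) -> list[str]:
    """Return the names of the BEC red flags present in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []
    # Header-level checks: look-alike sender domain, impersonated executive, diverted replies
    if from_domain != TRUSTED_DOMAIN and edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    if name.strip().lower() in EXECUTIVES and from_domain != TRUSTED_DOMAIN:
        flags.append("executive-name-external-domain")
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")
    flags += [label for label, rx in CUES.items() if rx.search(body)]
    return flags

# Constructed sample messages (not real mail): one BEC attempt and one ordinary internal email.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-relay.invalid

I'm in a meeting and can't be disturbed. Please transfer the funds to the client account ASAP. Sent from my iPhone
"""
BENIGN = """From: Jane Doe <jane.doe@example-corp.com>

Thanks for the report, see you at Thursday's meeting."""
```

A real filter would feed these flags into a score alongside domain reputation and authentication results; here the point is that every cue the post lists is mechanically checkable from headers and body.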
Prevention is always better than cure, and with so many threats to your company’s security appearing on an almost daily basis, email security is something you simply can’t afford not to take seriously.