How To Detect Business Email Compromise Attacks

As cyberattacks have evolved through the years, attackers have recognized that employees are the weakest link in the security chain, especially in the fast-paced world of modern, always-online enterprises. This has made every business susceptible to business email compromise (BEC) scams and other phishing scams. Email security is nothing to scoff at; failing to integrate it into an organization’s overall IT security systems can be a very costly oversight. It’s never too late to implement it, but the longer you postpone it, the longer your systems remain at risk.

Today’s unpredictable business landscape and the shift to remote and hybrid work have led to an increase in data breaches, and 96% of them are carried out via email. As such, network and email security have never been more important than now. Regularly checking your network security with the available network security assessment tools is recommended. Knowing what threats to watch out for is also vital, because there are several and they vary in type and complexity.

Types of Business Email Compromise Attacks

Recently, four members of a business email compromise and credit card fraud ring were arrested in the US on charges of conspiracy to commit wire fraud and bank fraud, money laundering, conspiracy to commit wire fraud and money laundering, and aggravated identity theft. The group allegedly obtained over $5 million through business email compromise schemes.

This incident further proves how serious a threat BEC is. To detect it, you must first know the primary types of attack.

CEO Fraud

This method relies on the authority of a figure in the organization, specifically the CEO or someone else in charge, to compel compliance. It typically comes with specific instructions, such as sending money to a particular account or paying a fraudulent vendor. It may also ask for sensitive information under the guise of “closing a deal.” The key is a false sense of urgency that pushes unsuspecting users to act immediately. Because the employee believes the email comes from the CEO or a superior, he or she feels compelled to respond or take action to avoid negative consequences.

Attorney Impersonation

This specific method targets low-level employees because they are the most prone to comply with requests seemingly made by an organization’s legal department. Requests from a legal representative or company lawyer are often time-sensitive and employees usually don’t know how to validate them. Verification is also discouraged via claims of urgency and confidentiality.

False Invoice Scam

In this method, cyberattackers impersonate one of the company’s vendors and request payment for services or products supposedly provided. A fake invoice is often used to make the transaction seem legitimate. Cyberattackers have ways of duplicating a vendor’s template so that it looks real, with only the bank details or account information replaced by details controlled by the attackers.

Account Compromise

Account compromise attacks seem the most legitimate of all these methods because they use a genuine, compromised company email account. Using this account, cyberattackers can request invoice changes and payments from the company. They can also request access to company systems and sensitive data, which they can then use against the company.

Data Theft

Aside from the obvious goal of stealing money, BEC attacks are also designed to steal trade secrets and other sensitive information. They can target finance personnel and HR departments in an attempt to steal financial and personal information from employees. The gathered data can then be sold or saved for use in future attacks.

How to Protect Yourself From Business Email Compromise Attacks

BEC attacks, if successful, can be among the most costly security missteps a company makes. Fortunately, taking basic email security precautions can help curb these attacks and improve the overall health of your data security systems. Below are a few things your organization should implement if they aren’t already in place.

  • Educating employees
    Since most attacks target an organization’s employees, they must be made aware of these threats and of how they can help detect and fight them. Regular cybersecurity training sessions are recommended to keep employees updated so they are prepared for major security incidents.

  • Labeling emails
    Since attacks try to impersonate internal email addresses, configuring the email system to label messages that arrive from an outside domain helps users spot BEC and phishing scams.

  • Clearly defining duties
    Giving employees specific duties and enumerating the tasks they can or can’t perform will help limit the damage of an attack. Policies that require payments and money transfers to be verified by a second employee or a designated individual will significantly reduce the success rate of these attacks.

  • Using anti-phishing solutions
    BEC attacks are a type of phishing, which is why having anti-phishing software integrated into your security systems is recommended. There are BEC red flags that often can’t be detected by users, but software solutions powered by machine learning and AI will help automate the detection of and protection from suspicious emails and potential attacks.
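The “labeling emails” control above, together with a few of the red flags the article describes (a Reply-To that points somewhere other than the From domain, an executive’s name on an outside address, a look-alike domain, urgency language), can be expressed as simple rules at the mail gateway. The following is an added example written for this page, not code from the original article or from any product it mentions; the internal domains, executive names, and both sample messages are constructed for illustration.

```python
"""Rule-based external-sender labelling and BEC red-flag checks for raw messages."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed configuration: the organisation's own domains and the executives
# whose display names are most likely to be impersonated (hypothetical values).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}
# Urgency / secrecy phrases typical of BEC lures; two or more hits raise a flag.
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire", "confidential",
                 "before end of day")
EXTERNAL_TAG = "[EXTERNAL] "


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> dict:
    """Return external/internal verdict, red flags, and the subject to deliver."""
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    external = from_dom not in INTERNAL_DOMAINS
    flags = []

    # Replies routed to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_dom = _domain(parseaddr(str(reply_to))[1])
        if reply_dom and reply_dom != from_dom:
            flags.append("reply_to_mismatch")

    # An outside address carrying the display name of one of our executives.
    if external and from_name.strip().lower() in EXECUTIVE_NAMES:
        flags.append("executive_impersonation")

    # Outside domain within two edits of one of ours (typo-squat / homoglyph).
    if external and any(_edit_distance(from_dom, d) <= 2 for d in INTERNAL_DOMAINS):
        flags.append("lookalike_domain")

    # Urgency and secrecy language in subject plus plain-text body.
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{subject}\n{body}".lower()
    if sum(1 for w in URGENCY_WORDS if w in text) >= 2:
        flags.append("urgency_language")

    # The "label external mail" control: prefix the subject once, never twice.
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = EXTERNAL_TAG + subject
    return {"external": external, "flags": flags, "subject": subject}


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <payments@mail-relay.example.net>
To: accounts@example.com
Subject: Urgent wire transfer before end of day
Content-Type: text/plain; charset="utf-8"

Please process this confidential wire immediately and confirm by reply.
"""

SAMPLE_INTERNAL = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review notes
Content-Type: text/plain; charset="utf-8"

Attached are the notes from this morning's meeting.
"""

if __name__ == "__main__":
    for name, sample in (("BEC lure", SAMPLE_BEC), ("internal mail", SAMPLE_INTERNAL)):
        print(name, "->", analyze(sample))
```

In practice these rules run as a transport or gateway policy: the `[EXTERNAL]` tag is applied to every message from outside the organisation, while the other flags are better routed to quarantine or a reviewer, since a look-alike domain or a mismatched Reply-To is exactly the kind of detail a busy employee will not notice. Rule sets like this are a baseline; the machine-learning products the article mentions cover the same signals with far more context.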

Advanced BEC attacks don’t contain malicious links or harmful attachments and are formatted to look like a typical company email. Some cyberattackers even go so far as copying the tone of voice and company style guide to make their messages look more authentic. If successful, they can then request payments, passwords, access to sensitive data, and even personal and financial details. As attacks evolve, your security systems and your employees’ knowledge must evolve with them so that both remain up to date and protected.