- Protect your company by implementing operational processes to manage payment controls
- Train employees across functions to recognize BEC threats
Steps you can take to defend against BEC
More than any other cyber crime, business email compromise (BEC) relies upon exploiting people’s willingness to trust. As millions of us find ourselves in remote or altered working environments, cyber criminals are crafting new ways to take advantage of distracted, busy employees. But you can protect your business by following best practices.
BEC is an increasingly sophisticated crime
Successful BEC scams rely on understanding and exploiting the psychology that motivates a person, and this matters almost as much as the technology used. As BEC becomes more widespread, the methods cyber criminals use are growing more nuanced and convincing.
How are criminals making BEC scams more effective?
Taking more care researching their targets
Using a wider range of information sources to create convincing email lures, getting data from:
- Securities and Exchange Commission financial documents to find patterns in a target’s business transactions.
- LinkedIn profiles and other social media sites.
- Open-source news.
- Purchased databases of stolen credentials or other compromised data.
Expanding the threat model
- Expanding targets beyond financial gatekeepers like CEOs and CFOs to multiple business functions.
- Using social engineering to get information that allows criminals to impersonate trusted vendors or supply-chain partners.
- Targeting specific industries like real estate and financial companies that handle escrow and mortgage payments.
Crafting a better message
- Polishing writing skills and improving grammar.
- Spending time in compromised accounts to learn processes, writing styles and business details that make fraudulent emails more difficult to spot.
Best practices to help protect against BEC
It’s taking longer for companies to detect BEC and social engineering incidents, which gives criminals more time to harvest company information and gain access to funds. Taking steps to protect yourself up front is a smart move.
Implement a process
- Review the procedures for updating account and payment information.
- Approve requests to make payments or change account information through a different channel than the original inquiry.
- Don’t rely on email internally; pick up the phone and contact the appropriate person to verify or question changes to payment instructions.
- Segregate duties for accounts and payments, and require dual approval for any change to account or payment instructions, using the same dual-approval process already in place for payments themselves.
- Determine your risk tolerance, and set up payment alerts for larger payments.
- Create and maintain a list of contacts and account information.
- Ask employees with payment-making responsibilities to limit what they post on social media sites.
- Develop a step-by-step response plan for BEC attempts.
Source: Symantec, BEC Scams Remain a Billion-Dollar Enterprise, Targeting 6K Businesses Monthly, July 23, 2019.
Keep employees current
- Train employees across functions to recognize BEC threats and techniques.
- Provide more in-depth training for employees who are most likely to be targeted, like CEOs, CFOs (and their assistants), and finance, HR and payroll staff.
Use the latest technology
- Use email filtering technologies that analyze incoming messages for suspicious content.
- BEC attempts often target mobile or on-the-go employees, so extend the same protections to mobile devices.
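As an added illustration of the content analysis the filtering point above refers to (example code written for this page, not a product's or the cited source's own), the heuristics below check a raw message for three BEC tells described in this article: a Reply-To that diverts replies to another mailbox, a sender domain that is a near-miss spelling of a vendor on your maintained contact list, and payment-instruction language. The trusted-contact list, the phrase list and the sample lure are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed stand-in for the maintained list of known vendor contacts the page recommends.
TRUSTED_CONTACTS = {"ap@acme-supplies.example", "billing@northwind.example"}
TRUSTED_DOMAINS = {addr.split("@", 1)[1] for addr in TRUSTED_CONTACTS}

# Assumed phrases typical of payment-redirection lures; tune the list for your organisation.
PAYMENT_PHRASES = re.compile(
    r"(updated|new|changed) (bank|account|wire|payment) (details|instructions|information)"
    r"|remittance|wire transfer|urgent", re.IGNORECASE)

def _domain(addr) -> str:
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()

def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to spot near-miss spellings of a trusted vendor domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: bytes) -> list[str]:
    """Return the BEC heuristics triggered by one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if reply_dom != from_dom:  # replies quietly diverted to another mailbox
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if from_dom not in TRUSTED_DOMAINS:  # unknown sender: is it a lookalike of a known vendor?
        for trusted in TRUSTED_DOMAINS:
            if 0 < _edit_distance(from_dom, trusted) <= 2:
                findings.append(f"sender domain {from_dom} resembles trusted {trusted}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_PHRASES.search(str(msg.get("Subject", "")) + " " + text):
        findings.append("payment-instruction language present")
    return findings
# Constructed sample lure: lookalike vendor domain, diverted Reply-To, request to change bank details.
SAMPLE_LURE = b"""From: Accounts Payable <ap@acme-supplles.example>
Reply-To: ap@acme-supplles-mail.example
Subject: Updated bank details for invoice 4471

Please use our new account information for the urgent wire transfer.
"""
```

A hit on any of these should route the message to the out-of-band verification step described under "Implement a process" rather than be treated as proof of fraud.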