A Business Email Compromise (BEC) attack starts with a hacker using spoofed email accounts to impersonate a firm’s CEO or managers. After getting past email filters and reaching the recipient, the hacker makes what appears to be a legitimate request for a business-related payment.
The email will appear authentic and will look like it originates from a trusted figure of authority in the company, encouraging staff members to comply with the request. In many cases, the cybercriminal will ask for funds to be transferred or for a check to be deposited, depending on the practice commonly used by the firm, so as to avoid raising suspicion. Today, however, the scam has been adapted not just to acquire money but also to steal sensitive data such as employees’ personal information or company credentials.
How can a BEC attack be stopped?
While it’s true that many BEC attacks employ detectable malware, far more rely on insidious social engineering tactics, against which spam filters, email whitelists and anti-malware products prove ineffective. Experts agree that the most effective defences against BEC attacks are educating personnel and establishing internal processes for prevention. This is especially important for frontline employees, who will likely be the first point of contact for phishing attempts.
Measures to mitigate BEC attacks
Avoid the use of free, web-based email accounts. Instead, set up a company domain name and use only that domain when creating company addresses. All of these accounts should be protected by multi-factor authentication. This enhanced authentication process demands multiple forms of evidence to access an account, including passwords, PIN codes and even biometric data. Enabling this extra level of security makes your employees’ accounts far harder to access, decreasing the chances of a successful BEC attack against your company.
Emails that arrive from unknown senders should not be opened. If they are, users should be educated to never click on included links or open up any attachments, as these tend to be loaded with malware capable of accessing your enterprise network and devices.
Make sure your domain is secure. Spoofed domains employ barely noticeable variations on authentic email addresses to fool BEC targets. Spoofed emails are often at the heart of BEC attack strategies, so register any domain names that closely resemble that of your firm for extra protection.
Instead of replying to a business email, use the “forward” option. When forwarding a message, the correct address must be typed manually or selected from the account address book, ensuring that you only ever send to the genuine address.
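The two points above, lookalike sender domains and replies that would go to the wrong address, can be checked mechanically on inbound mail. The following is an added example (not Galaxkey’s own code) that assumes example.com as the firm’s domain and uses constructed sample messages; it flags near-duplicate From domains, Reply-To addresses that differ from the apparent sender, and the firm’s name appearing on a mailbox outside its domain.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # constructed placeholder for the firm's real domain
# Digit-for-letter swaps often used in lookalike domains; folded before comparison.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain):
    # Lowercase, strip accents and drop non-ASCII confusables, then fold the
    # character swaps that make a lookalike domain "barely noticeable".
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return d.translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    # Plain Levenshtein distance; a small value means a near-duplicate domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def bec_findings(raw_message, company_domain=COMPANY_DOMAIN):
    # Return the list of BEC indicators present in one RFC 5322 message.
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    findings = []
    if from_dom != company_domain and \
            edit_distance(normalize(from_dom), normalize(company_domain)) <= 2:
        findings.append("lookalike-from-domain")
    if reply_dom != from_dom:
        findings.append("reply-to-mismatch")  # a reply would not reach the apparent sender
    if company_domain.split(".")[0] in display_name.lower() and from_dom != company_domain:
        findings.append("display-name-impersonation")  # firm's name on a foreign mailbox
    return findings

# Constructed sample messages (not real traffic).
LEGIT = "From: CEO <ceo@example.com>\nSubject: Q3 figures\n\nPlease review.\n"
LOOKALIKE = "From: CEO <ceo@exarnple.com>\nSubject: Urgent wire\n\nPay invoice 4417 today.\n"
WEBMAIL = ('From: "Example Corp CEO" <ceo.example@gmail.com>\n'
           "Reply-To: accounts@example-payments.net\nSubject: Wire\n\nCall me.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("webmail", WEBMAIL)):
        print(label, bec_findings(raw) or ["clean"])
```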
Train your staff to be mindful of what they post online, whether it’s on your company website or on a social media platform. Specific areas of concern that can be used in BEC attacks are job roles and duties, out-of-office information and hierarchical details.
Employ powerful protection
At Galaxkey, we have developed a secure workspace that enables your team to email under the protection of powerful encryption and a robust set of security tools. Contact us today for a free, 14-day trial and avoid unnecessary risks from BEC attacks.