What are Business Email Compromise (BEC) Scams and How to Prevent Them?

• Research and Identity Theft: Scammers meticulously research their targets, gathering information to impersonate key personnel. They might create fake websites or even register companies with the same name as the target in another country.
• Email Monitoring: Once they gain access to the target’s email system, scammers monitor communications to understand who handles financial transactions. They study conversation patterns and examine invoices.
• Gaining Trust: The scammer then builds trust with the target, often through seemingly innocuous emails, gradually asking for money, gift cards, or sensitive information.
• Spoofing and Impersonation:During the email exchange, the scammer impersonates a legitimate party by spoofing the email domain. The email address might be slightly altered (e.g., chris@contoso.com vs. chris@contosso.com) or appear as the correct address but sent via a different domain (e.g., chris@contoso.com via fabrikam.com).

• Executives and Leaders: Details about them are often publicly available on company websites, making it easier for attackers to impersonate them.
• Finance Employees: Controllers and accounts payable staff have access to banking details, payment methods, and account numbers.
• HR Managers: They handle sensitive employee records like social security numbers, tax statements, contact information, and schedules.
• New or Entry-Level Employees: They might not be able to verify the legitimacy of an email with the sender.

• CEO Fraud: Attackers impersonate the CEO or other high-ranking executives, instructing employees, typically in the finance department, to transfer funds to a fraudulent account.
• Account Compromise: The attacker gains access to an employee’s email account and uses it to request invoice payments to fraudulent bank accounts. This type often involves monitoring the email account for a period to understand the company’s billing practices.
• Attorney Impersonation: Scammers pose as legal representatives or law firms, often during critical transactions that require urgency and confidentiality, convincing employees to transfer funds or disclose sensitive information.
• Data Theft: Attackers target HR departments to obtain personal information about employees or executives, such as social security numbers and tax statements, which can be used for identity theft or future attacks.
• Invoice Fraud: Attackers compromise a vendor’s email and then send fake invoices to clients. The clients, believing the invoices are legitimate, make payments to fraudulent accounts.

Use a Secure Email solution:

Implementing a secure email solution is crucial in defending against BEC scams. Secure email apps like Office 365 and Google Workspace automatically flag and delete suspicious emails, alerting you if the sender isn’t verified. These solutions allow you to block certain senders and report emails as spam.

Additionally, they provide advanced Business Email Compromise prevention features such as phishing protection, suspicious forwarding detection, and AI-driven threat analysis. Other tools like Mimecast and Proofpoint offer comprehensive email security by filtering out malicious content, ensuring email integrity, and providing real-time threat intelligence to stay ahead of emerging BEC tactics.

Set Up Multi-Factor Authentication (MFA)

Enhance your email security by enabling multi-factor authentication (MFA). MFA adds an extra layer of protection by requiring a second form of verification, such as a code, PIN, or fingerprint, in addition to your password.

This makes it significantly more difficult for attackers to gain access to your email account, even if they manage to obtain your password. By implementing MFA, you ensure that only authorized users can access sensitive information, thereby reducing the risk of BEC scams.

Use Email Authentication Tools

Business Email Compromise tools make your email harder to spoof by implementing email authentication protocols. Using tools like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), you can verify the legitimacy of email senders.

SPF helps prevent spammers from sending messages on behalf of your domain, DKIM adds a digital signature to emails to ensure they haven’t been altered, and DMARC ties the first two together, allowing you to receive reports about suspicious emails. By deploying these authentication tools, you significantly reduce the chances of attackers successfully impersonating your email domain.

Adopt a Secure Payment Platform

Consider enhancing your payment security by switching from emailed invoices to a system specifically designed to authenticate payments. Secure payment platforms offer robust verification processes and encryption to ensure that transactions are legitimate and secure.

These platforms can reduce the risk of fraudulent transactions by providing features such as real-time payment tracking, multi-factor authentication for payment approvals, and secure communication channels. By adopting a dedicated payment platform, you protect your business from BEC scams and ensure that all financial transactions are handled securely.

• Financial losses ranging from hundreds of thousands to millions of dollars.
• Widespread identity theft if personally identifiable information is stolen.
• Unintentional leaks of confidential data, such as intellectual property.