Business Email Compromise: The Ins and Outs
7 October 2019
According to AIG – one of the world’s leading global insurance organisations – ‘business email compromise’ (BEC) has overtaken data breaches and ransomware as the main trigger of AIG cyber claims in Europe, the Middle East and Africa. In 2018, BEC accounted for nearly a quarter of reported incidents, up significantly from 11% in 2017.
So What Exactly is Business Email Compromise?
BEC, sometimes known as ‘CEO fraud’, is a social-engineering attack in which a criminal either gains access to a corporate email account or impersonates one, for example by spoofing the sender address or sending from a look-alike domain. The aim is to use the account-holder’s identity to trick the company, its employees, partners or customers into sending money, typically to an account the attacker controls. Attackers often target industries such as professional, business and financial services.
Examples of BEC
There are various ways in which BEC is used to defraud businesses and their stakeholders. Here are just a few:
- An attacker could pose as the chief executive and ask a finance or HR employee to make an urgent, confidential payment.
- A cyber-criminal might target the email accounts of staff who are responsible for billing clients, then send those clients a fake invoice in the staff member’s name, with payment details the attacker controls.
- A lawyer’s email account could be used to trick both individuals and businesses into sending money quickly, with the attacker claiming that immediate payment is needed to settle a confidential, time-sensitive matter.
What To Look Out For
Monday Warning: Attackers often send scam emails on Monday mornings, hoping that employees working through a full inbox after the weekend are more likely to act on a fake request without checking it. Treat unusual payment requests at the start of the week with particular care.
Newbie Targeting: Cyber-criminals often target new or junior employees, who are less likely to know the official procedures for large transfers and more likely to make the payment without question rather than appear to go against a manager’s instructions.
Fake Email Threads: Attackers often start the subject line with “Fwd:” or “Re:” so the request does not look like it has appeared out of the blue, and may paste a fabricated email history below the request to make it read as the continuation of a legitimate conversation. A useful check: a genuine reply or forward carries In-Reply-To and References headers that point at the earlier message, whereas a fabricated thread usually has neither. This technique is reportedly on the rise, so it is worth being aware of.
How to Prevent It Happening to Your Business
Here are some ways to prevent BEC affecting your business:
- Finance teams should have in-depth knowledge of this type of fraud, but all staff need to be made aware of it, since an attacker will go after whoever can move money or change payment details.
- Anyone handling financial transactions should look out for errors and inconsistencies: misspellings, unusual fonts, a writing style that does not match the supposed sender, or a sender address that does not exactly match the one on file. Question and escalate anything that looks off.
- Have a procedure that lets employees verify any request that appears to come from a senior staff member. A good approach is to hold two points of contact for each senior member of the team, at least one of which is not email: confirm the request by phoning the person on the number in the company directory, not a number given in the email. A second email confirmation on its own is not enough, because if the account has been compromised the attacker can answer both messages.
- Keep your computer systems patched and running current anti-virus software, but bear in mind that most BEC emails carry no malicious attachment or link, so anti-virus alone will not catch them; email filtering that flags spoofed, look-alike or external sender addresses is the more relevant technical control. Here at ICT Solutions, we offer bespoke cyber security packages for businesses all over Liverpool, Merseyside and the rest of the UK. One of our main offerings is anti-spam software, which is designed to intercept emails from hackers and cyber-criminals.
Keep Your Business Safe with ICT Solutions
We hope this article has shed some light on business email compromise. As well as cyber security, we also offer connectivity, cloud and physical security services that are designed to keep your business secure. If you’d like to find out more, contact ICT Solutions today and a member of our experienced team will be in touch shortly.