Updated: Oct 31, 2019
Business Email Compromise (BEC) is an enormous threat. Spear-phishing, CEO fraud, payroll fraud and legal impersonation are all forms it takes, and nearly all of them start with a phishing email. The FBI reported losses of over $1.2 billion from BEC in 2018.
The bad actors play by no rules. They are very good at disguising their attacks and relentless in their pursuit. It is frustrating when you are not sure where the next attack will come from, or whether you have blind spots that leave you exposed.
When it comes to BEC, everyone is a target. It is important to build security awareness into your organization, and you can start with a few basics that are inexpensive. Some of the solutions named below offer a free version for individual use. You can also learn more about how to recognize a phishing attack in our previous blog post entitled How to Avoid Being A Victim of Phishing.
Here are a few basic strategies to help protect yourself, your employees and your business from these malicious BEC attacks:
1. Enable two-factor authentication (2FA) on email and other business accounts, using a provider such as Okta, Duo, Google or SecureAuth. It is an extra step at login, but it means a stolen password alone is no longer enough to get into a mailbox, which is how most BEC account takeovers begin. Prefer an authenticator app or a hardware security key over text-message codes: SMS codes can be intercepted by SIM swapping and phished in real time, so they are the weakest form of 2FA, though still far better than none.
2. Create an email rule that adds a prefix (such as "[EXT]") to the subject of any email that originates outside your domain. The tag is a visual cue that helps you spot a slightly altered sender address (a common tactic: swapping or adding a character, or registering a look-alike domain) and it also exposes a familiar display name attached to an outside address.
3. Establish internal controls to authorize any payment or account-change request received by email (wire transfer, vendor bank account change, direct deposit change, etc.). Never assume an emailed payment request is legitimate. Establish and follow a secondary authorization process that verifies the request out of band, for example by phoning the requester at a number already on file, never at a number supplied in the email itself.
4. Don't reuse passwords. Use a password manager such as Dashlane or 1Password to generate and store a unique, strong password for every account. A reused password is the easiest way for a bad actor to get into your email: once one site is breached, the same credentials are tried against your mailbox, and from there the attacker can read your correspondence and impersonate you convincingly.
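The external-mail tag in step 2 is normally configured as a rule in your mail platform, but the same check is easy to express in code, and doing so shows what "slightly altered address" actually means in practice. The script below is an added example (it is not from the original post and is not any vendor's product): it prepends "[EXT] " to the subject of mail from outside the organization, and goes one step further by flagging sender domains that imitate ours (homoglyphs such as "rn" for "m", one-character typos, or the same name under another TLD) and display names that contain an address at a different domain. It assumes the organization's domain is example.com, the homoglyph table is a short illustrative subset, and the sample messages are constructed for the demo.

```python
"""Tag external mail and flag look-alike sender domains (added example)."""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumption: the organization's own domain
EXT_PREFIX = "[EXT] "

# Character sequences that look alike in common fonts (illustrative subset)
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalize(label: str) -> str:
    """Collapse confusable sequences so 'exarnple' and 'examp1e' read 'example'."""
    s = label.lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_external(domain: str) -> bool:
    """Anything that is not our domain or one of its subdomains is external."""
    return not (domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN))


def is_lookalike(domain: str) -> bool:
    """External domain whose name imitates ours: homoglyphs, a one-character
    typo, or the same name under a different TLD."""
    if not is_external(domain):
        return False
    ours = ORG_DOMAIN.rsplit(".", 1)[0]      # "example"
    theirs = domain.rsplit(".", 1)[0]
    return normalize(theirs) == normalize(ours) or edit_distance(theirs, ours) <= 1


def analyze(raw: bytes) -> dict:
    """Parse one RFC 5322 message, tag the subject if external, report flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = is_external(domain)

    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith(EXT_PREFIX):
        subject = EXT_PREFIX + subject
        if "Subject" in msg:
            msg.replace_header("Subject", subject)
        else:
            msg["Subject"] = subject

    # Display name that is itself an address at another domain, e.g.
    # "pat@example.com" <someone@gmail.com>, is a classic impersonation trick
    name_domain = name.rpartition("@")[2].lower() if "@" in name else domain

    return {
        "sender": addr,
        "external": external,
        "lookalike": is_lookalike(domain),
        "name_mismatch": name_domain != domain,
        "subject": subject,
        "message": msg.as_string(),
    }


# Constructed sample messages for the demo (not real mail)
SAMPLES = {
    "internal": b"From: Alice <alice@example.com>\r\nTo: bob@example.com\r\n"
                b"Subject: Lunch\r\n\r\nNoon?\r\n",
    "lookalike": b"From: \"Pat (CEO)\" <pat@exarnple.com>\r\nTo: finance@example.com\r\n"
                 b"Subject: Urgent wire today\r\n\r\nPlease send the wire before noon.\r\n",
    "name_spoof": b"From: \"pat@example.com\" <pat.ceo.mail@gmail.com>\r\n"
                  b"To: payroll@example.com\r\nSubject: Direct deposit change\r\n\r\n"
                  b"Please update my account on file.\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = analyze(raw)
        flags = [k for k in ("external", "lookalike", "name_mismatch") if r[k]]
        print(f"{label:11} {r['sender']:28} {r['subject']!r:32} {' '.join(flags)}")
```

One caveat when you move this logic into a real mail gateway: the From header can be forged, so the "is this external?" decision should rest on what the receiving server actually authenticated (SPF, DKIM and DMARC results for the sending domain), not on the header text alone. The look-alike and display-name checks are worth keeping as a separate, louder warning than the plain "[EXT]" tag, since those are the messages most likely to be a targeted BEC attempt.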
BEC is the #1 source of reported cyber-crime losses because it works, and over 80% of cyber attacks originate from email. Protect yourself and your employees: learn to recognize phishing attacks and build the practices above into your daily routine.