Business Email Compromise is an emerging type of sophisticated phishing attack. It involves a hacker gaining access to a high-level account within an organisation, then using this access to defraud other members of the business.
These types of threats are growing in popularity. Hackers have access to a wealth of company information they could have only dreamed of in the past. With LinkedIn and other social media websites, it’s easy for hackers to find the business, and even personal, email addresses of high-level employees of a company.
Once a hacker has this information, they will get to work on gaining access to the account. They could impersonate someone from IT, telling the target it’s time to change their password, or they might impersonate Apple and ask for their iCloud login. If they’re lucky, they will get access to the account.
Once they do, sophisticated hackers play the waiting game. They will start to reach out, maybe to businesses that the person that they’re impersonating has a past relationship with. They will start to build a rapport, to gain trust. Hackers will do everything in their power to remain undetected while at work.
But then will come the killer email. The request for money. The invoice sent. Since a relationship has been built, the victim is a lot more likely to authorise payment and not think twice.
Why has Business Email Compromise become so popular now?
As discussed, the rise of social media has given hackers access to a lot more information about company executives. Looking at LinkedIn gives them a lot of information: they can easily find out who the top-level employees of a company are, and who those people regularly speak to. Email addresses are public information, but hackers can also see the way you communicate.
This is invaluable because it means that they can impersonate someone down to the way they type. This makes it even easier to fall for Business Email Compromise attacks.
It’s also easier for hackers to find other contact information like phone numbers. Personally, I don’t often mistrust people I speak to on the phone at work, and this is a great way for hackers to gain access to a company. A sophisticated hacker will find an office phone number online and tell whoever answers they have an invoice they will send over via email.
That small action can convince a lot of people that the invoice is genuine. It also neatly bypasses most of the email security technology a company may have.
How damaging can Business Email Compromise attacks be for businesses?
According to the FBI, Business Email Compromise attacks have cost businesses $12.5 billion in reported losses since 2013. That’s a huge amount of money, which will likely never be recovered.
This is because it’s so easy for attackers to hide money and move it overseas with cryptocurrencies like Bitcoin.
There’s a clear financial risk to falling for Business Email Compromise attacks. But there’s also a risk of a data breach which puts both customer and employee data at risk.
With strict data regulations across the world, data loss is hugely expensive, as well as damaging to your brand.
What can you do to protect yourself against Business Email Compromise attacks?
A recent report argued that the sharp rise in Business Email Compromise attacks means that companies need multi-layered email security.
Traditional Email Security gateways can block some malicious email attacks. This is particularly true if they offer features like Intrusion Detection, which highlights when an email address is impersonating a legitimate company email address.
You can read Expert Insights reviews of the top Email Secure Gateways here.
Admins can help to stop Business Email Compromise by enforcing two-factor authentication on payments. They can also set email rules which flag when the ‘Reply-To’ email address is different from the ‘From’ email address.
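The two header checks mentioned above (a Reply-To that differs from the From address, and an address impersonating a legitimate company address) can be written as a simple rule set. The following is an added example, not code from the article or from any vendor it reviews; the company domain, the executive directory and the sample messages are all constructed assumptions.

```python
# Added example (not from the article): flag the Business Email Compromise
# indicators the article mentions in a parsed message's headers.
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                      # assumption: the company's own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: directory of high-level staff


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted or homoglyph domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Rule 1 (from the article): replies would go to a domain other than the From domain.
    if reply_to and _domain(reply_to) != _domain(sender):
        findings.append(f"reply-to domain mismatch: {sender} -> {reply_to}")
    # Rule 2: a known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and sender.lower() != expected:
        findings.append(f"display-name impersonation of {expected} from {sender}")
    # Rule 3: sender domain is a near miss of our own (e.g. 'rn' standing in for 'm').
    dom = _domain(sender)
    if dom != TRUSTED_DOMAIN and 0 < _edit_distance(dom, TRUSTED_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain: {dom}")
    return findings


# Constructed sample messages, not real traffic.
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n"
SPOOFED_REPLY_TO = ("From: Jane Doe <jane.doe@example.com>\n"
                    "Reply-To: jane.doe@mail-exarnple.net\n"
                    "Subject: Urgent invoice\n\nPlease wire today.\n")
LOOKALIKE = "From: Jane Doe <jane.doe@exarnple.com>\nSubject: Invoice\n\nPay now.\n"
```

Running `bec_indicators` over each sample returns no findings for `LEGIT`, one Reply-To mismatch for `SPOOFED_REPLY_TO`, and both an impersonation and a lookalike-domain finding for `LOOKALIKE`.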
However, these measures will only go so far in protecting your company against attack. To fully protect your business against Business Email Compromise we’d suggest implementing these platforms:
Security Awareness Training
Security Awareness Training vendors offer testing and training for employees. This is a great way for you to protect your organization against Business Email Compromise as well as other threats.
It allows the employees at your organization to be more aware of security threats. This means they are more likely to spot Business Email Compromise scams in action, or at least be more willing to report suspect behaviours.
It’s important that everyone in an organization has Security Awareness Training, especially managers. They are most at risk of attack.
You can read Expert Insights reviews of the top Security Awareness Training platforms here.
If you want the best technology to stop Business Email Compromise scams, many would argue that you are looking for Post-Delivery Protection.
These platforms are powered by Artificial Intelligence and scan your inbox in real time, looking for threats. By getting to know your inbox, these platforms can spot when an incoming email is abnormal. They then let you know not to trust it.
These platforms are the best technological defences against Business Email Compromise attacks which prey on human error. They are ideal if you need the best protection against Business Email Compromise.
You can read Expert Insights reviews of the top Post-Delivery Protection Platforms here.