Business email compromise (BEC) is one of many types of spear phishing, and it has greater odds of success because the threat actors behind it impersonate someone the victim knows and trusts. Examples of such individuals include:
- Their manager
- A third-party vendor associate they are acquainted with
- Even the CEO of their organisation
Hackers run BEC scams to steal business credentials, personal information, and finances. Nowadays, they also often seek cryptocurrency due to the speed and anonymity of such transactions. They first set the target at ease before they bring up an urgent request, typically asking for sensitive business information, and insist that it be sent to them immediately lest there be consequences or legal impact to the organisation.
Some of the tactics they most commonly use with BEC include:
Using legitimate emails
Compromising genuine email accounts gives attackers a greater chance of success in their BEC scam and lets them send messages without having to worry about detection.
Spear phishing
This highly targeted cyber-attack begins with thorough research into the individual or company, along with its employees, leadership, and associated vendors. Next, the attackers craft a message that looks like it comes from a trusted source to persuade the target into unwittingly divulging confidential information.
How BEC Has Evolved Over the Years
In recent years, BEC scams have been the go-to attack for hackers, as is evident in the 175% increase in attacks in just the last two years. There are several causes behind this rise, namely:
Greater information accessibility
Thanks to online platforms like LinkedIn and social networking sites, researching companies and their employees is easier than ever. Social engineers leverage information gathered there and on the organisation’s official website to develop scams that target specific employees.
Remote work
BEC scammers quickly took advantage of the many opportunities created by the widespread adoption of remote work, where employees mainly relied on email for communications. This arrangement made it easier to trick targets into disclosing sensitive information, as well as to infiltrate unsecured virtual meetings to eavesdrop and collect information.
It is an effective and lucrative attack
Criminals would not bother with BEC scams if they weren’t so effective and profitable. So far, these attacks have resulted in losses amounting to billions of dollars.
Steps to Avoid Business Email Compromise Scams
Although receiving business-related spear phishing emails is unavoidable, there are preventative measures that organisations can adopt to greatly strengthen their defences.
Train your employees
BEC scam messages may be highly realistic and believable, but they all have a few things in common. Most importantly, they are urgent requests for confidential information to be sent outside of normal channels.
As such, train employees to pause whenever they receive an email asking for critical information or a transfer of funds, regardless of how legitimate the sender or contents may appear. They should then verify the request with the sender directly through means other than email. Regularly conduct tests to see if employees can put their training into practice, and warn them to be mindful of what they post on social media, since hackers can collect a great deal of information from what they share online.
Secure your inboxes
Cybersecurity training is no doubt essential, but it is not enough. For improved protection, it is recommended to secure your corporate inboxes. After all, employees cannot be scammed if they do not receive malicious emails in the first place. Advanced email security solutions in Singapore today can help detect and intercept suspicious emails before they appear in your teams’ inboxes. Following the best practice of incorporating multi-factor authentication (MFA) also significantly helps keep intruders from compromising legitimate business email accounts.
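As an added illustration (not part of the original article and not any vendor's product logic), the Python sketch below screens messages for the common BEC traits described above: a trusted name on an unfamiliar address, urgency, and a request for sensitive information or funds. The sender directory, keyword lists, and sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical directory: trusted display name -> genuine address (constructed).
KNOWN_SENDERS = {
    "jane tan": "jane.tan@example.com",              # CEO
    "acme billing": "billing@acme-vendor.example",   # vendor contact
}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|consequences|legal)\b", re.I)
SENSITIVE = re.compile(
    r"\b(wire|transfer|payment|invoice|bank details|password|credentials|payroll|cryptocurrency)\b", re.I)

def bec_indicators(raw):
    """Return the indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    found = []
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        found.append("impersonation")      # trusted name, unfamiliar address
    if URGENCY.search(text):
        found.append("urgency")
    if SENSITIVE.search(text):
        found.append("sensitive_request")
    return found

def triage(raw):
    """Hold mail for out-of-band verification instead of delivering it."""
    found = set(bec_indicators(raw))
    # Urgency plus a sensitive request is held even when the address is genuine,
    # because a compromised real account passes the sender check.
    if "impersonation" in found or {"urgency", "sensitive_request"} <= found:
        return "hold_for_verification"
    return "deliver"

# Constructed sample messages.
SPOOFED = ('From: "Jane Tan" <jane.tan@freemail.example>\nSubject: Urgent request\n\n'
           "Send me the payroll file immediately or there will be legal consequences.\n")
COMPROMISED = ('From: "Acme Billing" <billing@acme-vendor.example>\nSubject: Invoice\n\n'
               "Our bank details changed. Please pay the invoice right away.\n")
ROUTINE = ('From: "Jane Tan" <jane.tan@example.com>\nSubject: Team lunch\n\n'
           "Lunch is on Friday at noon.\n")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("compromised", COMPROMISED), ("routine", ROUTINE)]:
        print(label, bec_indicators(raw), triage(raw))
```

Keyword matching of this kind is a coarse first filter; a held message still needs the out-of-band verification step described in the training section.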
Stay up to date on recent attack trends
Knowledge is power, and learning about the types of BEC scams that will likely be used against your employees helps you better prepare for and avoid them. Be proactive in following BEC attacks in your industry and in general, and incorporate the advice and information from security experts to improve your cybersecurity strategy.
Conclusion
Email continues to be an effective attack vector for hackers today and into the future. Therefore, it is important to stay updated on how attacks using the medium evolve along with the risk it poses so you can better bolster your cybersecurity posture accordingly.
If your organisation needs top-of-the-line email security services to protect against BEC scams and other email-based attacks, TYPENT has what you need. As a leading IT outsource company in Singapore, we provide a selection of key IT products like the enterprise-class TrendMicro Email Security gateway solution designed for email threats like BEC scams, spam, ransomware, phishing, and more. In addition, we also specialise in managed IT services, including network support services, server virtualisation, and Windows server migration.
Don’t hesitate to contact us today for more details about our products and services.