4 Ways to Protect against Business Email Compromise


This post is part of a series sponsored by InsurBanc.

You hear about the high-profile cyberattacks and risks in the news. The ones you don’t hear about are worrisome as well. Cybercriminals target not only consumers and large corporations, but small to medium-sized businesses too. A new report from IT security company Barracuda shows that small businesses are three times more likely to be targeted. The Small Business Administration explains why:

“Small businesses are especially attractive targets because they have information that cybercriminals (bad actors, foreign governments, etc.) want, and they typically lack the security infrastructure of larger businesses to adequately protect their digital systems for storing, accessing, and disseminating data and information.”

In 2021, the FBI’s Internet Crime Complaint Center received 19,954 business email compromise (BEC) complaints with an adjusted loss of $2.4 billion. A BEC is a type of phishing attack in which criminals impersonate an employee or executive at an organization, or a trusted vendor such as your bank, and send targeted messages in order to gain access to funds or sensitive information. These emails look authentic and seem to come from a known, trustworthy entity.

Here are four ways to protect your firm:

1. Voice verify

Voice verify any fund requests, requests for sensitive data, and requests for vendor payment or invoice changes ― no matter who they come from. Scams include asking for a funds transfer, claiming a payment has failed and asking for credit card information, or something as simple as asking to change a vendor’s payee or remittance information. The simplest and most effective way to validate a request is to pick up the phone and verify it with the requester, using a number you already have on file rather than one supplied in the email.

2. Recognize red flags

Learn to recognize the warnings. Carefully analyze hyperlinks and the sender’s email address for inconsistencies. The scam could appear to come from the email address of a trusted client, vendor, company executive or even the CEO. Clicking on hyperlinks can take you to a fraudulent URL, where the cybercriminal intends to either gain access to private information ― such as usernames and passwords ― or infect your computer and network with malware. Misspellings or poor grammar and a sense of urgency should also raise questions. To validate the legitimacy of the emails and URLs, hover your mouse pointer over the link to see the address it actually points to before clicking.
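An added example, not from the article or from InsurBanc, that automates the checks this section describes: it compares the sender and Reply-To domains, compares each link's visible text with its real destination (what hovering reveals), and looks for urgency wording, run over a constructed sample message. The trusted-domain list, the urgency word list and the single-part HTML assumption are mine.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # assumed: vendor domains you already have on file
URGENCY = re.compile(r"\b(urgent|immediately|today|asap)\b", re.I)  # assumed word list
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(value):
    # Hostname of a URL or of bare link text such as "examplebank.com/vendors";
    # "" when the text does not look like an address (e.g. "click here")
    try:
        host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    except ValueError:
        return ""
    return host if re.fullmatch(r"[\w-]+(\.[\w-]+)+", host) else ""

def domain_of(address):
    # "Name <user@Example.com>" -> "example.com"; "" when there is no address
    return parseaddr(address)[1].lower().rsplit("@", 1)[-1]

def bec_red_flags(raw_message):
    # Returns warnings for the red flags the article lists (single-part HTML mail assumed)
    msg = message_from_string(raw_message)
    flags = []
    sender_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if sender_domain not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {sender_domain!r} is not a known vendor domain")
    if reply_domain and reply_domain != sender_domain:
        flags.append(f"replies go to {reply_domain!r}, not to the From domain")
    body = msg.get_payload(decode=True).decode(errors="replace")
    # What hovering over each link would reveal: visible text vs. real destination
    for href, text in ANCHOR.findall(body):
        shown, real = host_of(re.sub(r"<[^>]+>", "", text).strip()), host_of(href)
        if shown and shown != real:
            flags.append(f"link text shows {shown!r} but points to {real!r}")
    if URGENCY.search(body):
        flags.append("urgency language in the body")
    return flags

# Constructed sample: lookalike sender, mismatched Reply-To, disguised link, urgency
SAMPLE = """From: Accounts Payable <ap@examp1ebank.com>
Reply-To: ap@example-bank-invoices.net
Content-Type: text/html

<p>Please update our payee details immediately:
<a href="http://example-bank-invoices.net/update">https://examplebank.com/vendors</a></p>
"""
```

Running `bec_red_flags(SAMPLE)` returns four warnings, one per red flag the section names; a message from a known domain with honest links and no urgency returns none.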

3. Use multi-factor authentication (MFA)

Implement multi-factor authentication wherever possible for all your online systems. MFA adds a second factor such as a one-time passcode, typically delivered by email, SMS, or a mobile app. If a cybercriminal obtained a username and password, they would still need to be in possession of that second form of identification. MFA gives you added confidence that the person seeking access is legitimate.

4. Raise awareness

Educate your employees. One of the most recent and most avoidable BEC vulnerabilities that deserves attention is PEBKAC: the problem exists between keyboard and chair. While no tool or automated software is 100% effective, the best way to protect your agency is to be well informed and use common sense. It’s important to institute a training awareness program for your agency employees, who are on the front line of BEC attacks. Make sure employees can spot a BEC email and are aware of the dangers and the impact an attack could have on your agency. Testing your employees is equally important, as they are your last line of defense. Research programs that offer phishing tests to see how phish-prone your agency is.
