October is Cybersecurity Awareness Month, so our blog will spend the next few weeks educating and informing readers about cybersecurity-related topics.
In the past, we’ve discussed phishing scams and the measures you can take to prevent and avoid them. Today, we will talk about a specific type of phishing scam, one that you’re more likely to encounter while on the job: Business Email Compromise (BEC).
Before we dive in, we’d like to acknowledge that we are a managed service provider (MSP) with cybersecurity offerings. While that does give us some obvious bias on the subject, our content is intended to inform readers, and any guidance we offer is based on IT best practices and industry standards.
Business email compromise (BEC) is a form of cybercrime in which scammers impersonate or appear to be trustworthy figures (usually vendors, business partners, or CEOs) to trick someone into sending company funds or confidential information.
Now that you’re aware of BEC, let’s break down what one of these attacks might look like, starting with the sender and their request.
Messages from BEC scammers will generally appear to be credible requests from vendors, business partners or CEOs (the latter often known as CEO fraud). The goal is to appear as someone the target will trust and not question too thoroughly.
Scammers can appear credible through a couple of methods. They have either already gained access to an actual company account or are pretending to be someone by editing a few characters in the username. If it’s the former, they likely already have access to private business information and are looking to dig deeper.
Unfortunately, if someone is sending emails from a legitimate account, it is impossible to identify them as a scammer from the sender address alone. This is why we need to understand the possible red flags in each part of the message. That brings us to the request.
These requests will almost always deal with money, private information or access to said money and information. Any requests relating to these should immediately set off alarms in your head, especially if these aren’t tasks you usually deal with. Stop and proceed with caution!
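The two red flags described above, a sender address that is a few characters off from a real contact and a request that involves money or private data, can be checked mechanically as a first pass before a human verifies the request. The script below is an added example for this post, not tooling from the MSP; the contact directory, the look-alike character table, the risky-phrase patterns, the edit-distance threshold of 2 and the three sample messages are all constructed for illustration and would need tuning for a real mailbox. It looks only at the address and text, so it does not replace email authentication checks or the out-of-band verification the post recommends.

```python
"""Heuristic first-pass triage for a suspected BEC message (added example).

Two checks from the post: (1) does the sender address differ from a known
contact by only a few characters, including digit/letter look-alike swaps,
and (2) does the message ask for money, credentials or private data?
The directory, patterns, threshold and samples are constructed assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Single-character look-alikes attackers swap into addresses (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s"})

# Phrases typical of the money / data / access requests the post warns about.
RISKY_PATTERNS = [
    r"\bwire\b", r"\bbank (account|details)\b", r"\bgift cards?\b",
    r"\bdirect deposit\b", r"\bpayroll\b", r"\bw-?2s?\b", r"\binvoices?\b",
    r"\bpasswords?\b", r"\bconfidential\b", r"\burgent(ly)?\b",
]


def normalize(addr: str) -> str:
    """Lower-case an address and fold common look-alike substitutions.

    Both the sender and the directory entry go through this, so a legitimate
    address that happens to contain "rn" is folded the same way on both sides.
    """
    addr = addr.strip().lower()
    addr = addr.replace("rn", "m").replace("vv", "w")  # multi-character look-alikes
    return addr.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def classify_sender(sender: str, directory: List[str]) -> Tuple[str, Optional[str]]:
    """Return ("known" | "lookalike" | "unknown", closest directory entry or None)."""
    raw = sender.strip().lower()
    if raw in [c.lower() for c in directory]:
        return "known", raw
    norm = normalize(raw)
    closest = min(directory, key=lambda c: edit_distance(norm, normalize(c)))
    if edit_distance(norm, normalize(closest)) <= 2:   # threshold is an assumption
        return "lookalike", closest
    return "unknown", None


def triage(sender: str, subject: str, body: str, directory: List[str]) -> Dict[str, object]:
    """Combine the sender check and the request check into a verdict.

    A "known" sender with a risky request is still flagged for out-of-band
    verification: a compromised real account cannot be spotted from the address.
    """
    verdict, closest = classify_sender(sender, directory)
    text = f"{subject}\n{body}".lower()
    hits = [p for p in RISKY_PATTERNS if re.search(p, text)]
    if hits and verdict != "known":
        level = "high"        # impersonation plus a money/data request
    elif hits or verdict == "lookalike":
        level = "verify"      # confirm through a channel you already trust
    else:
        level = "low"
    return {"sender": verdict, "closest_contact": closest,
            "request_flags": hits, "level": level}


# Constructed sample data: a small contact directory and three inbound messages.
DIRECTORY = ["jane.ceo@example-corp.com", "billing@acme-supplies.com"]
SAMPLES = [
    ("jane.ceo@example-c0rp.com", "Quick favor",
     "Are you at your desk? I need you to wire $9,800 to a new vendor today. Keep this confidential."),
    ("billing@acme-supplies.com", "Updated remittance info",
     "Please update our bank account details before paying the attached invoices."),
    ("jane.ceo@example-corp.com", "Slides",
     "Can you send me the Q3 deck when you get a chance?"),
]


def triage_samples() -> List[Dict[str, object]]:
    """Run every constructed sample through triage, in order."""
    return [triage(s, subj, body, DIRECTORY) for s, subj, body in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, triage_samples()):
        print(f"{sample[0]:<30} {result['level']:<7} {result['sender']:<10} {result['request_flags']}")
```

Running it prints one line per sample: the "c0rp" address comes out as a look-alike with a wire request (high), the genuine vendor address asking to change bank details is marked for verification, and the routine slides request is low. The "verify" outcome for a real account is deliberate; it is the case the post says cannot be caught from the address alone.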
While some of these messages will have the telltale signs of a phishing email, you should never underestimate these scammers. As technology advances, so will their efforts. Approaching each email with a healthy amount of educated skepticism and caution is the best way to remain safe.
Before responding or taking any action, you should use another form of communication to verify that the request is legitimate. While face-to-face is the preferred option, you can also contact the person over the phone via a phone number you already know to be real. Never call an unrecognized phone number from an email that appears fishy.
If the message turns out to be legit, you can complete the task knowing you did your due diligence. Leaders will appreciate the extra confirmation from their employees, especially when large sums of money are at stake.
If it turns out the request was a scam, DO NOT RESPOND.
Depending on where the message originated, you have a couple of options. If the scam email came from a legitimate business account, meaning that the account is compromised, immediately contact whoever is responsible for your IT and report the issue. They should have procedures and protocols in place for an event like this.
If the email was an impersonation, you should still report it to your business’s IT or leadership. They will again likely follow whatever protocols are in place. If you use Microsoft Outlook, you can report the email as spam or phishing by right-clicking it and navigating to “Report” in the dropdown menu.
We’ll also note that these attacks are not always limited to email. You might also receive text messages or even phone calls following a similar method. These require the same amount of diligence and critical thinking from the recipient. There are many threats out there, and an educated workforce is the last line of defense against them.
These scammers could target anyone in your organization, but some might be at a higher risk. Those with increased access to funds or private information, such as human resources, finance or management, could be targets due to their access.
Everyone should receive proper education and training to avoid these threats, regardless of their role or permissions.
For starters, any cybersecurity measures in your business should be implemented by a trusted IT partner, whether internal or external, and should follow IT best practices.
Human discretion can help dictate whether these scams are successful or not, so it’s vital to have security awareness training and education in place. An adequately managed security awareness solution will help educate the workforce and leave them better positioned to deal with potential cyber threats.
Beyond this, email and web filtering, endpoint detection and response (EDR), and a business continuity solution can all contribute to uptime and safety within your network. If you haven’t already, talk with your current or prospective IT partner about these solutions to learn what they’re doing, what they offer, or what your business could further implement.