Combatting Business Email that Compromises Your Business Security

Posted - July 8, 2022

Don’t let your employees be victim of email scams that compromise your business!

Cyberattacks sound complex but some are quite simple and arrive in a place employees use every day: their work email Inbox.

You’ve probably heard the classic business email compromise (BEC) scam about Nigerian princes who want to deposit money in people’s bank accounts—but first need their prey to send them money to make it all work to plan. It’s an oldie but goodie. With the knowledge we have today, how does it keep working? Simple. The email keeps getting reinvented to work on new, unwitting victims and is now considered the most damaging cyberattack in the world. The scam is so effective and used so often that BEC scams currently outnumber ransomware attacks.

In fact, according to the FBI’s Internet Crime Complaint Center (IC3), in 2020, losses from BEC exceeded $1.8 billion—that’s a fourfold increase since 2016! The number of BEC incidents also rose by 61% between 2016 and 2020. Quickly following a real-time event taking place in the world, like a question of trust publicized about a company or interpersonal relations, or even the ongoing COVID-19 pandemic, BEC emails morph to become more sophisticated and strike quickly. Such as:

  • Healthcare entity provides criminals posing as trusted vendors with access to much-needed personal protection equipment.
  • An individual convinced employees of a large social media firm that they were the CEO and got handed personal payroll information about staff.
  • A non-profit organization was fooled into transferring a large loan to a business partner right into the hands of the threat actor.

Educating employees on how to protect themselves and your business from a BEC attack has become essential. Everyone assumes it is common sense and it is not. These harmful emails play on trust, like when a person in power at the executive level requests wire transfer information. What seems to be a red flag email is often responded to with private and harmful information because an employee thinks they do not have a choice or must comply quickly. Training should cover that an employee must confirm directly with their point of contact details of the request. However, many people do not. It seems second nature, but when people are busy and working against deadlines, it’s easy to miss a well-disguised ruse.

From a defense in-depth perspective, it’s also essential to ensure you have a layer of threat detection in place to help identify malicious behavior, alert of the threat, and inform the correct response and remediation measures. This would include:

Monitoring Normal Looking Behavior for BEC Threats On-Premises and in the Cloud

What looks like normal user email activity can be a BEC threat. Scammers rely on their emails looking as normal as possible. With an increase in remote work, companies are relying more on cloud services like Microsoft® Office 365® which puts data into a complex environment that’s often under-protected. When they can get access to Office 365, threat actors get valuable data with just a few clicks. Too often, employees think firewalls will protect them, but a firewall cannot monitor suspicious activity, especially Office 365, OneDrive, SharePoint, or other cloud-hosted applications. The same applies to monitoring of your endpoints for suspicious activity. Once past a perimeter defense, it is hard to see a threat when it appears normal. That is typically when threat actors acquire user access credentials or other damaging business information.

Having Enough IT Security Staff

If in a leadership or key management role at a company, if something suspicious occurs, you should know. Immediately. But do you have the staff to monitor your environment 24/7? Too often many businesses lose precious time between an attack and when a staff member finally sees it. That delay in time is the difference between defending the business or catastrophic damage to the business. Companies unable to monitor their environment 24/7 lose the force multiplier of managed threat detection and response.

While there are many aspects to improving your defense in-depth, the following from the FBI elevates awareness to avoid BEC attacks. This list is comprised of good and effective tips to share with employees:

  • Be skeptical—Last-minute changes in wiring instructions or recipient account information must be verified.
  • Don’t click it—Verify any changes and information via the contact on file—do not contact the vendor through the number provided in the email.
  • Double check that URL—Ensure the URL in the email is associated with the business it claims to be from.
  • Spelling counts—Be alert to misspelled hyperlinks in the actual domain name.
  • It’s a match—Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it’s coming from.
  • Pay attention—Often there are clues with business email compromise, e.g.
    • An employee who does not normally interact with the CEO receives an urgent request from them
    • Data shows an employee is in one location at 1 p.m. but halfway around the globe 10 minutes later
    • Active activity from an employee who is supposed to be on leave
  • If you see something, say something—If something looks awry, report it to your managed service provider or IT Security supervisor. And if you have been a victim of BEC, file a detailed complaint with IC3.

To learn more about business email compromise threats and defense against them, Sanapptx can provide you with guidance, education, and technology to strengthen your security posture. Give us a call at 214-447-0244 and let’s discuss.