Business Email Compromise Prevention, Response and Resilience
When people think about cybercrime, they think about foreign entities hacking the largest of financial institutions in the United States. What may come as a surprise to many is that email attacks, like phishing and spear phishing attacks, are a part of a robust cybercriminal ecosystem.
Many cybercriminals operate like a regular business — but the goal is to hack your small business email account, get as much information as they can and, in many cases, sell the information on the dark web for an easy profit. According to the FBI’s 2019 Internet Crime Report, there were 23,775 complaints of business email compromises, resulting in more than $1.7 billion in losses in the United States.
Business Email Compromise: An Evolving Landscape
The long-used, generic phishing email scheme is starting to see lower success rates because recipients are generally getting wiser to these tactics. As a result, hackers are becoming more sophisticated in their approach and have turned to spear phishing.
Spear phishing is a tactic where hackers conduct research to learn more about their small business targets. They’re not only gaining access to an email account but are reading through emails to see what projects the business is working on, who they are working with, who their vendors are, what bank the business uses and much more.
The hackers use this information to send emails to business contacts and make what seem like normal, reasonable requests within the context of other email exchanges. This is how cybercriminals are preying on local communities.
Ways Cybercriminals Hack Communities From Within
Small business owners operate their businesses to serve their customers. When they receive an email with a reasonable request, it is their instinct to follow the directions and fulfill the request. Cybercriminals know this and are sometimes able to get a leg up on their targets because of it.
Here’s an example: Your insurance agent receives an email from your small business email account giving real information about a conversation you recently had via email. It contains a link to retrieve a secure document from an online secure message service like DocuSign, PandaDoc or AdobeSign. Since the information in the email checks out, the insurance agent is inclined to click on the link and provide their username and password. Little does the agent know that your email account was compromised and that they have just handed their secure document service login credentials to the hackers, who now have access to the agent’s DocuSign account and the sensitive documents and information stored there.
In another possible situation, a hacker could gain login credentials to a company’s employee records database on a cloud-based HR server, allowing them to view employee W-2 information in order to file fraudulent tax returns and profit from the tax refunds.
Once a cybercriminal gains access to a small business email account, they may be able to find bank account statements, account numbers and correspondence with the bank. They can use that account information to print fraudulent checks or to initiate wire transfers that are fraudulent, yet believable, since they will be able to provide context from real recent conversations.
Improve BEC Security and Prevention
You can greatly reduce the likelihood of business email compromise (BEC) at your small business by employing BEC security and prevention tactics. For instance, train your employees to look at an email and decide if it’s something that actually needs their attention and if there is a business need for them to deal with that email. The work computer, after all, should be for business purposes only.
Also, be on the lookout for suspicious links and email addresses that appear to be from reputable businesses but may be spelled incorrectly or inconsistently with their brand standards (fed-ex.com instead of fedex.com, for example).
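The lookalike-domain check described above, written out as a small screening routine. This is an added example, not part of the original article: the list of trusted brand domains and the confusable-character table are constructed for illustration, and the heuristic is meant to route a message to a human for review, not to block mail on its own.

```python
from typing import Optional

# Constructed list of brand domains this business legitimately deals with.
TRUSTED_DOMAINS = {"fedex.com", "docusign.com", "northwest.com"}

# Character swaps commonly used to make a lookalike read like the real brand.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def fold(label: str) -> str:
    """Strip hyphens and dots (fed-ex -> fedex) and fold confusable characters."""
    label = label.replace("-", "").replace(".", "")
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one-character typos such as fedx.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(address: str) -> Optional[str]:
    """Return the trusted domain a sender appears to imitate, or None.

    A sender on a trusted domain (or one of its subdomains) is not flagged.
    Anything else is flagged when its name, after folding, equals a brand
    name, is within one edit of it, or merely contains it (fedex-billing.com).
    """
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    label = fold(domain.rpartition(".")[0])
    for trusted in sorted(TRUSTED_DOMAINS):
        tlabel = fold(trusted.rpartition(".")[0])
        if label == tlabel or levenshtein(label, tlabel) <= 1 or tlabel in label:
            return trusted
    return None
```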
Another important step is to turn on two-factor authentication, using an authenticator app, for your cloud-based services, including your email account. Two options are Google Authenticator and LastPass.
Typically, 48 hours is the longest a hacker will spend trying to hack a small to medium-size business. If you can provide them enough friction during those first 48 hours, they are going to get frustrated and move on.
Response and Resiliency Controls for Business Email Compromise
The threat of business email compromise means your small business should not only work toward prevention, but also develop, practice and maintain response and resiliency controls, setting up additional checks and balances with your business partners, including your bank.
Check fraud is a substantial threat to a business, and with only preventative measures in place, you may find yourself in trouble later on. With Positive Pay, business owners submit all of their issued check files within Business Online. Northwest Bank then compares any checks that have been cashed or deposited against your issued check file. If a check does not match the issued check information or is already marked as “paid,” it will be listed on an exception report. Northwest Bank will then notify you and allow you to report the checks as fraudulent or inaccurate before the funds clear.
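The Positive Pay matching step described above, reduced to code so the exception logic is explicit. This is an added example, not Northwest Bank’s own system: the issued-check file and the presented items are constructed, and the three exception reasons mirror the cases the paragraph names (no match on file, already paid, and details that differ from the issued file).

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str


# Constructed issued-check file, as the business would upload it.
ISSUED = [
    Check(1001, Decimal("250.00"), "Acme Office Supply"),
    Check(1002, Decimal("4800.00"), "Keystone Insurance"),
    Check(1003, Decimal("125.50"), "City Utilities"),
]

# Constructed items presented for payment, in order of presentment.
PRESENTED = [
    Check(1001, Decimal("250.00"), "Acme Office Supply"),   # genuine
    Check(1002, Decimal("4800.00"), "Keystone Insurance"),  # genuine
    Check(1002, Decimal("4800.00"), "Keystone Insurance"),  # duplicate presentment
    Check(1003, Decimal("1255.00"), "City Utilities"),      # amount altered
    Check(1004, Decimal("9600.00"), "J. Doe"),              # never issued
]


def positive_pay(issued: List[Check], presented: List[Check]) -> Tuple[List[Check], List[Tuple[Check, str]]]:
    """Compare presented items against the issued file.

    Returns (cleared, exceptions); each exception carries the reason the
    business is asked to confirm or reject it before funds clear.
    """
    on_file: Dict[int, Check] = {c.number: c for c in issued}
    paid: set = set()
    cleared: List[Check] = []
    exceptions: List[Tuple[Check, str]] = []
    for item in presented:
        expected = on_file.get(item.number)
        if expected is None:
            exceptions.append((item, "no matching check in issued file"))
        elif item.number in paid:
            exceptions.append((item, "check number already marked paid"))
        elif item.amount != expected.amount or item.payee.casefold() != expected.payee.casefold():
            exceptions.append((item, "amount or payee differs from issued file"))
        else:
            paid.add(item.number)
            cleared.append(item)
    return cleared, exceptions
```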
To learn more about Positive Pay or how we can help you with secure treasury services, contact a treasury services representative today.