Why You Should Know About Business Email Compromise (BEC) and What to do to Prevent It
July 6, 2021
One would think that it would be relatively easy to protect yourself from compromising your email account information. Don't click on sketchy links, double-check your sources, call the phone numbers of the businesses you're dealing with to confirm communications, things like that. But cybercriminals sometimes use techniques that don't require access to your email account at all.
Let me introduce you to Business Email Compromise (BEC), also known as Email Account Compromise (EAC). Sounds pretty straightforward, right? Unfortunately, it isn't. With every day that goes by, criminals are getting smarter and faster, making scams like BEC increasingly difficult to stop. So we have to do our best to educate ourselves in order to protect ourselves.
"[BEC] is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional." - The FBI
How does BEC work?
Step 1. Identify a Target
Targeting mainly U.S. and European businesses, criminals will use information available online on company websites, business and personal social media accounts, etc. to develop a profile on the targeted company and any executives useful to their scheme.
Step 2. Grooming
Criminals will spoof or phish through email, text messages, or phone calls to contact officials at the targeted company, typically in the finance department. Using social engineering techniques, the criminals will try to manipulate and exploit the victim's human nature to gather the information necessary to carry out their scam.
Step 3. Exchange of Information
The targeted individual or company is convinced they are conducting a legitimate business transaction, when in fact the criminal has inserted themselves into the exchange. The unsuspecting victim is then provided wiring instructions for the business transaction, which in reality direct the money to the criminal.
Step 4. Wire Transfer
Upon transfer, the funds that are supposed to be going to the legitimate recipient of the business transaction are steered to a bank account controlled by the criminals. Sometimes the criminals will even continue to groom the targeted company into transferring more funds.
What can you do to protect yourself?
Be careful with the information you choose to share online or on social media: By openly sharing schools you've attended, names of family members, your birthday, or where you work, you could be providing criminals with the information they need to guess passwords, answer security questions, and gain access to your accounts.
Don't click on anything in an unsolicited message asking you to update or verify account information: Whether the message arrives by email or text, if you didn't initiate any changes to your account, do not interact with it. Look up the company's phone number yourself, never use a number the potential scammer provided, and verify whether the request is legitimate using the number you found.
Carefully examine the email address, URL, and spelling used in any correspondence: Spelling John as Jon, adding an extra letter to an email address or URL, or disguising the display name shown by the email client are a few examples. Scammers rely on slight differences like these to trick you and gain your trust.
Be careful what you choose to download: Only download email attachments from trusted sources, and beware of forwarded email attachments.
Always enable two-factor authentication: Most applications have two-factor (or multi-factor) authentication built in, so if it's available, turn it on to add another layer of security and put your mind at ease.
Always verify payment and purchase requests in person if possible, or by calling the other party, to ensure they are legitimate: Do the same for any change to an account number or payment procedure.
Note any abnormal behavior from the other party: Trust your gut. If someone is being especially assertive or pushy and pressing you to act quickly, use the above steps to ensure it is legitimate, because chances are it's not.
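The "carefully examine the email address" advice above can be partly automated. The following is an added example, not code from the original post or from CDS: it checks a message's From and Reply-To headers for the three red flags the list describes, a sender domain that looks like a trusted one (an extra letter, a swapped digit, a one-character difference), a display name that belongs to a known contact but comes from a different domain, and a Reply-To that points somewhere other than the From domain. The trusted domains, contact list, and confusable-character table are constructed assumptions; a real deployment would load them from a vendor or contact directory.

```python
"""Flag sender-address red flags in email headers: lookalike domains,
display names that claim a trusted contact but come from elsewhere, and
Reply-To domains that differ from the From domain.

Added example for illustration; not part of the original post."""
from email.utils import parseaddr
from typing import List, Optional

# Constructed sample data (assumption: real deployments load these from a
# contact or vendor directory, not hard-coded values).
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
TRUSTED_CONTACTS = {"john smith": "example.com", "maria lopez": "acme-supplies.com"}

# Character swaps that read the same at a glance (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalize(domain: str) -> str:
    """Fold visually confusable sequences so 'examp1e.com' reads as 'example.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Either the confusable-folded spellings match, or they differ by one edit
        # (an added letter, a dropped letter, or a single swapped character).
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def check_headers(from_header: str, reply_to: Optional[str] = None) -> List[str]:
    """Return human-readable red flags for one message; an empty list means none found."""
    flags = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"sender domain '{domain}' looks like trusted '{imitated}'")

    # A familiar display name does not prove the address behind it is familiar.
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:
        flags.append(f"display name '{name}' is a known contact at {expected} but address is @{domain}")

    # Replies silently going to another domain is a classic hijacked-thread sign.
    if reply_to:
        _, r_addr = parseaddr(reply_to)
        r_domain = r_addr.rsplit("@", 1)[-1].lower()
        if r_domain != domain:
            flags.append(f"Reply-To domain '{r_domain}' differs from From domain '{domain}'")
    return flags


if __name__ == "__main__":
    # Constructed sample headers for a quick run.
    samples = [
        ("John Smith <john@example.com>", None),
        ("John Smith <john@examp1e.com>", None),
        ("Accounts Payable <ap@acme-supplies.com>", "ap@acme-supp1ies.com"),
        ("Maria Lopez <maria@gmail.example>", None),
    ]
    for frm, rt in samples:
        print(frm, "->", check_headers(frm, rt) or "no flags")
```

The check is deliberately conservative: it only compares against domains you already trust, so it produces a short list worth a phone call rather than a verdict. It complements, and does not replace, the out-of-band verification the list recommends.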
By following the above steps and always verifying your sources, you will be putting yourself and your business in the best possible position to protect against scammers trying to exploit your hard work. Alongside educating yourself, you should make sure your IT infrastructure is actively being monitored for other direct security risks that are evolving every day. CDS would love to help evaluate your current IT needs and take a proactive approach to your security. Visit our Managed IT page here to learn more about how we can help you and lower your IT costs.
Beyond copiers and printers, CDS offers a full suite of technology solutions ranging from Managed Print Services, to Managed IT Services, and Project-Based IT Services, providing our customers a Single Source for all their business technology needs.