Top Tips for Preventing BEC Scams
Business email compromise scams have cost companies billions over the past several years. How can businesses best protect themselves against a BEC scam? We asked a panel of experts.
26 Cybersecurity Experts & Business Leaders Share Their Top Tips for Preventing BEC Scams
Business email compromise (BEC) scams are a type of cybercrime that has become increasingly prevalent in recent years. Also known as a “man-in-the-email” attack, BEC scams are defined as a cybercrime where an attacker “hacks into a corporate e-mail account and impersonates the real owner to defraud the company, its customers, partners, and/or employees into sending money or sensitive data to the attacker’s account.”
It is vital for organizations to be vigilant about protecting against BEC scams because they can have a tremendous financial toll on businesses. The most recent cyber crime report released by the FBI’s Internet Crime Complaint Center (ICCC) found BEC schemes to be the costliest of all cybercrimes, leading to losses of approximately $1.8 billion in 2020 alone.
This represents an increase from losses of $1.7 billion and $1.2 billion in 2019 and 2018 respectively, highlighting the fact that losses related to BEC scams are increasing year over year. However, while this type of cybercrime has proven to be devastating for all kinds of businesses, from large hospitals to tech companies, most still lack the proper safeguards to protect themselves against an attack.
So what exactly can businesses do to protect themselves against BEC scams?
To learn more about the most effective ways companies can protect against BEC scams, we reached out to a panel of cybersecurity experts and business leaders and asked them to answer this question:
"What’s your top tip for preventing BEC scams?"
Meet Our Panel of Cybersecurity Experts & Business Leaders:
Read on to learn what our experts had to say about the best ways companies can protect against BEC scams.
Todd Gifford is the Chief Technology Officer of Optimising IT.
“The easiest way of preventing the majority of BEC attacks is pretty straightforward and very often included in your email service…”
MFA, otherwise known as multi-factor authentication, 2FA, or two-factor authentication, is an excellent way of adding additional security to your email account. MFA is provided for email by Apple, Microsoft, and Google, to name a few of the major players. It’s now much easier to set up and use, often via an app on your smartphone, and is unobtrusive for the most part. If you don't have this set up yet, do it today. It's quick, easy, and will prevent 99% of BEC attacks on your account.
It’s vital to do so as business email compromise is one of the most prominent forms of cybercrime around.
Why? There is a wealth of information of interest to attackers in your inbox. With most email systems accessible from anywhere with just a username and password, it makes them an easy and valuable target. There are many reasons why an attacker might want access to your email, but the overriding reason is money. Monetizing you in some way can include:
- Looking for invoices or financial information to carry out some fraud. This usually involves redirecting payments to a new bank account or just looking for credit card data.
- Impersonating you and asking someone you know for money.
- Launching an attack from your email account onto someone else, using your legitimate email as a means to evade spam filters.
- Locking you out of your account or threatening to release sensitive information the attacker finds for a fee.
How do attackers get into your email?
- By 'phishing' for your username and password, often with a 'please update your security details' email and fake website.
- Using a password spraying technique. This is where attackers try credentials stolen from another website and try them in lots of places, hoping for a hit where someone is using the same username and password combination. As so many usernames are people's email addresses, this has a high hit rate.
Dave Hatter is an accomplished, enthusiastic, award-winning technology professional and servant leader with more than 25 years of experience as a software engineer, project manager, and instructor. His entire career has been focused on software development and cybersecurity, and he’s led teams that designed, developed, and deployed roughly 200 successful custom software solutions across a wide variety of organizations and industries.
“My top tips for protecting against BEC scams are...”
- Require strong, complex passwords on accounts.
- Use a password manager like LastPass.
- Enforce MFA on all accounts, particularly email.
- Look for indicators of compromise in email systems such as external forwarding.
- Train users about cybersecurity, especially phishing in all its forms.
- Phish test users with a tool like KnowBe4.
Stephen Bedosky, CPCU RPLU
Stephen Bedosky is the head of York International's Executive, Professional, and Cyber Liability practice with his Chartered Property & Casualty Underwriter and Registered Professional Liability Underwriter designations.
“We've seen a number of insurance companies looking at 3 ways which policyholders can help prevent business email compromises…”
- Train your employees often about what to look for in emails that may be dangerous, and test them oftens: A business can have the best firewalls and fanciest software, but the weak link in an organization might be a new hire who is rushing trying to impress their new boss.
- Establish protocols for what will be sent over email, and what needs to be done with a phone call: Having an institutional understanding that the CEO will never email instructions to wire funds without also calling to confirm a call, or that any change to bank account information must be done via phone call, can help prevent BEC from leading to a loss of funds.
- Include EXTERNAL EMAIL prompts when an email comes in from outside the network: Email prompts like “[EXTERNAL EMAIL - USE CAUTION]” alert employees to situations where emails coming from outside the network might not be what they appear to be. Usually in red text, it acts as a simple reminder to employees that something may be amiss.
Debra Richardson is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies. She now works with accounts payable teams to implement authentication techniques, internal controls, and best practices so they “Pay The Right Vendor.”
“I consult with accounts payable teams of all size companies on how to reduce fraud and pay the right vendor. My top tip for this group is to use authentication…”
Authentication protects the company, the vendor, and the team themselves from fraudulent payments. That’s why they should authenticate who they receive requests from to change vendor banking for a payment, for example.
The same way your bank authenticates you before discussing information on your account, you should be doing it with vendors. Ask two to three identifying questions, and only if they answer correctly should you start communication. This can be the difference between talking to your vendor or talking to a fraudster.
Jack Zmudzinski is a Senior Associate at Future Processing.
“Scammers often rely on panic or urgency to carry out their dastardly deeds as well as impersonating vendors and using trick domain names…”
The first thing you need to do is to make sure that all staff members are aware of these things. You then need to create a culture of compliance while building a layered defense with your technical controls. Companies need to put proper strategies in place to make sure that security is a company-wide concern.
Tanja Jacobsen, MBA, MS, PMP, ACP is the Director of Field Marketing for SSH.COM/SSH Communications Inc, a leading provider of advanced Intelligent Access Control solutions designed to secure modern enterprises and make digital activities safer.
“My number one tip is that training, training, and retraining is essential…”
You need to educate your employees about this fraud technique and make sure that their cyber security awareness is top of mind. You can do this by including messaging in various employee communications, such as through internal email messages and newsletters.
As part of the training, conduct regular BEC simulations with staff to benchmark their awareness of the latest scams. You should also review your processes relating to the distribution of sensitive data or information to external sources, especially when done in bulk. It’s also vital to ensure that any BEC scam incident detected is promptly reported and managed.
From a technology standpoint, protect your business emails by deploying multi-factor authentication. Another way to further impede cyber criminals' ability to breach your data is to block email auto-forwarding and enact strict email content filtering to only allow recognized domains.
Richard Bailey is the Lead IT Consultant at Atlantic.Net, a growing and profitable cloud hosting company based out of Orlando, Florida.
“Front-line employees are the gatekeepers to your business, so it is imperative to ensure they are trained to a high standard to reduce risk...”
It’s important to keep in mind that email is the digital front door to every business, and the majority of the time the mailbox is managed by a human. Not everyone is a cybersecurity expert, so many employees may not understand the consequences of opening a rogue attachment.
Hackers will target the weakest prey—those who have not been trained how to spot a phishing attempt, a fake invoice, or a purchase order. It’s therefore paramount to train employees on how to spot the telltale signs of a fraudulent or spear phishing email campaign, as well as attempts to groom them to build a false sense of trust to extort money.
With a strong commitment to online security and digital freedom, Eric is working hard to deliver the content and analysis his audience is looking for. His other passions include web development and finding new ways to use VR. He is a Cybersecurity Analyst at Security Tech.
“BEC scams are getting more and more sophisticated, so it’s important to keep up with the current trends…”
If you are a business, providing frequent training for your employees would be the number one tip I recommend on how to avoid and even recognize potential threats when it comes to sending or receiving sensitive information via email.
Of course, when you receive an email asking to click on a certain link that looks suspicious, your first instinct is not to click on it. But what if the email came from your boss? Or if that email from your boss doesn’t have the company domain extension, but a Gmail one instead? Those are the things that are worth paying attention to, so regularly training and educating your employees is crucial.
The real challenge is when you deal with customers who are not familiar with all these sophisticated scams. One of my clients is a realtor, and their biggest challenge is to make sure the home buyer knows what the process is to wire money for their down payment securely.
In one instance, my client received a phone call from one of his clients saying they received an email with wire instructions from an escrow company, that even included the agent’s email address. Luckily, the client noticed an extra letter in the email address and thought the wording of it all sounded strange, so they called their agent to confirm. This fortunately had a happy ending, but not everyone has the same fate.
In this case, the tip is to inform the client from the beginning on what the escrow and money wire process will look like, including a phone call before and after they receive a password-protected email with an account number that can be confirmed via a phone call as well. It may feel like a little overkill, but you can never be too careful.
Howard Poston is an Author at Infosec Skills.
“I recommend implementing separation of duties for high-risk actions…”
BEC attacks are designed to trick the target into sending money to the attacker or taking similar actions that hurt the company. By making it necessary for multiple people to sign off on high-value transfers, an organization can decrease the attacker's probability of success.
Felecia Foy is an IT Support Specialist with Guardian Computer, an IT services and support company headquartered in New Orleans. She assists clients on the helpdesk and provides systems integration to continually improve proactive monitoring systems. Foy holds a B.S. in computer science and mathematics from Loyola University New Orleans.
“BEC scams are becoming an increasing threat to many companies. However, there are ways to protect yourself from these types of scams…”
In BEC scams, the attacker impersonates an employee or executive’s email account in order to gain sensitive information or to manipulate the target into completing fraudulent money transfers. These attacks typically do not contain suspicious links, so they may look legitimate to unsuspecting victims.
For this reason, employing corporate policies to monitor for malicious emails can go a long way in protecting your business. For example, email filtering and adding alerts for when an email comes from outside the organization can warn employees that the email may be harmful.
Data loss prevention software can be implemented to scan emails and email attachments for sensitive information and encrypt the email to protect the sender and help avoid compliance violations. Additionally, company-wide cybersecurity training can keep employees informed and vigilant about BEC scams and other types of cyberattacks.
Nathan Little is the Senior Vice President of Digital Forensics & Incident Response at Tetra Defense.
“There are some tell-tale signs of how this crime unfolds, and several ways to prevent it…”
BEC can encompass several forms of deceptive cybercrimes and can be difficult to spot during communications. In an effort to keep legitimate email accounts from being compromised, Tetra Defense first recommends implementing unique accounts (one account per person), unique passwords (one password per account), and a password manager to ensure strong passwords are used across an organization's toolset, and that passwords are not repeated.
Maintaining unique passwords for accounts is especially important in the case of breaches that happen outside of the organization, as any breach can yield account credentials. If those credentials are duplicated across multiple accounts, threat actors are sure to find them and use the stolen credentials elsewhere.
Tetra also recommends implementing multi-factor authentication (MFA), both technically and as a philosophical principle. Before BEC leads to financial damages like wire transfer fraud, be sure to have a system in place that verifies the authenticity of the second party via a phone number or other credential that was not shared in a similar email thread.
When logging into existing accounts, implement MFA as a safeguard against threat actors who have come into contact with stolen credentials. They will more than likely not be able to bypass a second method of authentication if they only have a password and email address.
Victor Fredung is the CEO of Shufti Pro, an AI-powered identity verification service provider.
“I always recommend multi-tier security to protect businesses from BEC scams…”
First, adding multiple layers of security can help you get the right customers onboard. Then, adding fingerprint or face biometrics can help you protect business accounts by preventing fraudsters from acquiring any confidential information.
Lee Grant is the CEO at Wrangu.
“I recommend building a multi-layered defense using technological controls…”
From a technological standpoint, BEC isn't particularly sophisticated, despite its psychological manipulation. Spear phishing or spoofing an internal email address is the most common BEC attack. IT controls, such as virtual private networks (VPNs) and application-based multi-factor authentication (MFA), can help avoid or identify them.
Using encryption to authenticate emails and allow users to securely exchange data is another effective anti-BEC technique. Encryption software converts data into a code that can be transmitted over a network. Without a 'public key' to decrypt the data, the transmission is unintelligible.
James Idayi is the CEO of Cloudzat.
“My number one tip is to look for minor changes in email addresses…”
By resembling real clients' names, minor changes may make fake email addresses look legitimate. In an email address, the letter l is one of the weakest characters. Is it a lowercase l or a 1? They may be indistinguishable depending on the typeface used. When using Courier New for both the “l” and the “1,” distinguishing between them is extremely difficult. This font trick is used by attackers frequently.
For all email accounts, allow multi-factor authentication. Multi-factor authentication means that attackers must have something else in their hands in order to access your email—a phone, card, watch, fob, or authentication app, to name a few examples.
Bram Jansen is an experienced cybersecurity expert at VPNalert.com, with a long-term history of working in cyberspace. His whole career has been focused on helping businesses secure their information online.
"To protect against BEC scams, you should review existing processes and procedures…"
For financial transfers and other essential transactions, such as sending confidential data in bulk to outside bodies, review existing processes, procedures, and separation of duties for financial transfers. If required, add extra controls. Insider threats may breach division of duties and other precautions at some stage, so risk assessments may need to be redone.
Consider implementing new policies for “out of band” transactions or urgent executive requests. Staff members should be alerted when they receive an email from an executive's Gmail or Yahoo account, but they must also be aware of the new dark-side techniques. You'll need authorized emergency procedures that everybody understands.
Shahid Hanif is the CTO of Shufti Pro, an AI-powered identity verification service provider.
"Companies should employ verification methods to screen each such request…"
Request the email sender to go through a real-time identity verification method each time a client makes such a request. The verification could be done through facial recognition or two-factor authentication.
Online identity verification is a rational solution as it gives immediate results and does not create any trouble for the end-user. Also, the obvious security measures will give your commitment to the security of your retailers or clients.
The employees must also be trained on a regular basis about the most modern trends in cybersecurity and different kinds of cybercrimes. This will assist them to recognize suspicious emails and fake fund transfer requests.
As soon as you find a BEC fraud, you should report it to the concerned authorities. This will help to guard your business against such attacks in the future.
Nick Santora is the CEO and Founder of Curricula, a cyber security awareness training company. He founded Curricula after nearly a decade at the North American Electric Reliability Corporation (NERC), the enforcement agency responsible for regulating the power grid across North America. Nick is an internationally recognized cyber security expert and speaks regularly on the topic of influencing employees within security awareness programs.
"The biggest lesson is to train employees to understand what a phishing email looks like…"
BEC scams are a growing threat and affect businesses of all sizes. With a simple targeted email, hackers successfully scam thousands of organizations each year, resulting in billions of dollars in losses, all the while remaining under the radar.
A lot of business owners and leaders think, “Who would want to hack us?” But organizations of any size can be a target for a phishing attack.
Hackers will use a variety of social engineering tactics to gain your trust to give up your credentials and transfer funds. Modified email domains may also be used to convince you they are a trusted employee, partner, or vendor.
Suspicious indicators of a BEC attack may include unusual timing, misspelled domains, modified account details, a sense of urgency, and using private or misleading email accounts.
We built a phishing simulation that was designed to teach organizations and their employees about what to expect from the bad guys. It was pretty realistic and clearly timely when we all needed help talking about a difficult topic.
Our customer’s feedback was overwhelmingly positive because it gave them a story to communicate to their employees about how bad hackers can be.
Faizan Haider is a researcher, editor, and marketer at PureVPN. He enjoys writing about cyber security, IoT, ethical hacking, and anything related to technology.
"Educating your employees about how BEC scams work is the best way to mitigate BEC attacks…"
Also, by making your sensitive and important employees’ online presence restricted, it will make it tough for scammers and hackers to get important information for the attack.
For example, do not let them openly mention your company or business email addresses on platforms like LinkedIn or any platform on the internet. Tools like Hunter.io and Rocket Reach can easily crawl emails from multiple websites along with your employees’ emails and other details.
Gil Friedrich brings more than 18 years of leadership experience to Avanan. As ForeScout’s VP of R&D and Technology, Gil expanded their technology into mobile security and cloud services while developing the partner integration ecosystem. He holds a B.Sc. in Physics and an M.Sc. in Computer Science from Tel-Aviv University.
"The best defense against business email compromise is internal context…"
With internal context, you can create role-based contextual analysis, which allows an email security solution to determine if an email from a CEO is legitimate or a scam.
When an email security solution without context sees an email from the CEO to the CFO, it will be the first time it has seen such a conversation. It won't know, then, if a gift card is a common request or something out of the ordinary.
Therefore, creating internal context by scanning all emails, including intra-company, as well as advanced account takeover protection, can help suss out which emails are legitimate and which emails are scams.
Ethan Johnson, MPSA
Ethan Johnson, MPSA is a Cyber Crime Investigator at Georgia Southwestern State University Police Department.
"First, educate your employees to look out for scams that can compromise their emails…"
Second, dual-factor authentication should be implemented across every business-controlled account, particularly email. This may be inconvenient, but it is worth it. Third, employees must be confident and educated on what actions to take when they realize their email has been compromised.
It should be encouraged in the cybersecurity space as well to notify businesses that their emails have been compromised as many businesses do not notice when an employee’s account has been compromised. I have investigated numerous fraud and scam cases, and these steps would have prevented or quickly remediated every single one of them.
Phil Strazzulla is the Founder and CEO of SelectSoftware Reviews.
"It’s critical to keep in mind that BEC scams don't require any kind of malicious files…"
Instead, they use a compromised email address, either one that is valid or looks valid, and impersonate a legitimate vendor requesting payment. Sometimes, they'll even impersonate someone at the same company requesting a funds transfer seemingly from one company account to another.
In these cases, because there are no files or cyber attacks to defend against, the only way to protect against a BEC scam is to train your employees and implement policies to render these scams useless.
These scams rely on making a single person feel that they are completely safe in making whatever type of money transfer the scammer is requesting. If the person balks a little, the scammer will then apply pressure and make it seem like there is a deadline.
Prevent these scams by ensuring no one person can ever authorize these types of transactions. If you insist on two levels of authorization, you double the chances of these types of scams being caught.
Also, ensure that the policies surrounding requesting funds are clearly laid out and no one attempts to go around them, up to and including the CEO.
Tim Culpepper is the Creator and Founder of Conexa.
"The best protection against BEC scams is to carefully scrutinize all emails in the organization…"
You should be careful of irregular emails sent from C-suite executives and higher management, as they are used to trick employees into acting with urgency. Review all emails that mention a request for a fund transfer and investigate their authenticity.
Jazib Zaman is an award-winning entrepreneur and philanthropist. He is the CEO of TechAbout LLC. Having founded several successful online businesses including WPArena.com and WPDesigner.com, nowadays he is working on a tech magazine covering Silicon Valley and more.
"In order to differentiate your employees from the scammers, implement multiple independent signatures..."
These signatures not only ensure the security of high-value transactions but also make sure no intruder gets into the system. These digital signatures are unbreakable and very efficient to give access to only authorized people. Moreover, you should make sure to work only with the established vendor accounts so that all of your transactions are streamlined and verified.
Robert Siciliano is a Security Expert and Private Investigator with 30+ years of experience. He is a #1 Best Selling Amazon.com author of 5 books and the architect of the CSI Protection certification, a Cyber Social Identity and Personal Protection security awareness training program. Robert is a frequent speaker and media commentator, CEO of Safr.Me, and Head Trainer at Protect Now, LLC.
"Be mindful that while phishing simulation training is the go-to response for mitigating BEC scams, it is only part of the equation—and it is not even the most significant part…"
Where phishing simulation training misses the mark is that it only speaks to the specific security problem, and it does not address security as a whole.
Providing security appreciation training gets to the heart of what security is and isn't and the benefits security provides employees. All security is personal. Humans don't want to believe that these things can happen to them, nor do they do much about it even though they've been told how and why.
By making security personal and communicating how it affects the individual, employees will begin to appreciate the value it has in their own lives. In turn, they will become much more capable of conducting themselves in a professional environment securely.
John Li is the Co-founder and CTO of Fig Loans.
"Focus on the training of staff on prevalent BEC scam threats and trends…"
As the CTO of a leading business in our industry, data and information are crucial to the livelihood of every business. Taking into account the transfer of data through private networks and servers, training staff is certainly one precaution that is crucial to protecting yourself from BEC scams.
You can do this through the consistent distribution of content that provides awareness through security. Flagging suspicious emails should be a practice, and emergency procedures and measures should be taken when these potential threats are encountered.
By reviewing security protocols and making sure that every staff member is kept in the loop and up to date with improving management and security systems, these threats could be mitigated. This is the only way to adapt to the changes of BEC scams and attacks.
Andrew Winters is the Co-Founder at Cohen & Winters.
"As a law firm, we have many measures in place to protect our business against BEC scams..."
BEC scams affect businesses all over; however, law firms are especially susceptible to these scams. They hold important and confidential information, which puts us at higher risk.
At our law firm, we have made education on hacking a priority for all of our employees. This is because supplying training and education to employees is one of the most important things a business can do to protect itself from BEC scams. We believe that the more all of our employees are aware of the red flags, the less susceptible we are to security breaches.
On top of this, we use a high-security VPN and change all of our passwords regularly using complex sets of numbers and letters.