Business Email Compromise
While the massive number and scale of ransomware attacks get the most media attention, Business Email Compromise (“BEC”) attacks are the costliest type of cybercrime.
What is a Business Email Compromise (BEC)?
In a BEC attack, the criminal impersonates you and convinces somebody who trusts you to send money. While successful attacks often begin with unauthorized access to your email account, savvy criminals use email and domain impersonation techniques. They trick others into thinking that you are asking for, or instructing them to complete, a money transfer.
As we noted in a recent post, real estate agents and brokers are prime targets of Business Email Compromise attacks because they regularly discuss transferring large amounts of money with their clients. As noted in this recent email scam article from the Associated Press, however, BEC attacks are hitting a wide range of small businesses, nonprofits, and schools.
Business Email Compromise attacks succeed when cyber criminals are able to collate enough information about you to gain access to your account or impersonate you. Here is how they do it:
- Given that you use your email address to log into many systems, a third-party breach can provide attackers with your email address and enough information to guess your password.
- Third-party breaches often provide hackers with enough personally identifiable information (PII) about you to launch a successful phishing attack that captures your username and password.
- Scanning social media posts can also provide hackers with enough PII to successfully phish for your identity.
- Malware that makes it past your endpoint protections (often part of an Advanced Persistent Threat, or APT) can gather usernames, passwords, and other information while running undetected on your computer.
How to Prevent Business Email Compromise
Protect Your Identity
To keep your email account secure, you need to protect your identity.
- Understand the risks and follow practical advice for safe online hygiene. Use unique, complex passwords across systems; avoid oversharing personal information; and learn to recognize phishing and impersonation attacks.
- Use “Next-Gen” endpoint protections to prevent zero-day attacks, APTs, and more traditional forms of malware. These solutions use heuristics, AI, and behavioral analysis of files to identify an attack. They can also “roll back” changes to stop an attack.
Secure Your Email Service, and All of Your Services
Even as you protect your identity, you still need to secure your email service through proper data protection and security services.
- Advanced Threat Protection (ATP) protects your account from phishing attacks, bad links, infected attachments, and other risks. ATP verifies sender information and tests links and attachments in a “sandbox”, allowing only safe messages to arrive in your inbox.
- Two-Factor Authentication (2FA), or Multi-Factor Authentication (MFA), can prevent access to your accounts if your username and password are compromised.
- Ensure that all of your information is encrypted at rest and in motion. Your email service should use Transport Layer Security (TLS) to encrypt messages between sending and receiving services. Encrypt files on your local disk, on any file servers, and in the cloud.
Prevent Email and Domain Impersonation
As noted in a recent blog post, you can use three (3) different levels of email security to prevent email and domain impersonation.
- Sender Policy Framework (SPF): Authenticates addresses you use to send email.
- DomainKeys Identified Mail (DKIM): Digitally signs messages to ensure emails are not altered en route.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): Authenticates email origin and instructs recipients how to process bad messages. A DMARC service will track and report any potential issues.
These protocols and a DMARC monitoring service offer the best protection against BEC and impersonation attacks. They also help improve the deliverability of your email. Our ebook, Email Security: Good, Better, Best, dives deeper into this topic.
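To make the three layers concrete, here is an added example (not code from the original post) of how a receiving mail server applies a domain's published DMARC policy to the SPF and DKIM results it computed. The domain example-realty.com, the DMARC record, and the sender domains are all constructed for illustration.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # policy the receiver should apply to failing mail
    tags.setdefault("adkim", "r")   # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment: r = relaxed, s = strict
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action). spf_domain is the envelope MAIL FROM domain SPF
    was checked against; dkim_domain is the d= of a DKIM signature that verified.
    DMARC passes when either check passed AND its domain aligns with the header From:."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", actions.get(tags["p"], "deliver")

# Constructed DMARC record for the fictional domain example-realty.com
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-realty.com"

if __name__ == "__main__":
    # Spoofed From: header. The sending server passes SPF for its own envelope
    # domain, but that domain does not align with the forged From:, so reject.
    print(dmarc_disposition("example-realty.com", SAMPLE_RECORD,
                            "pass", "bulk-mailer.example", "none", ""))
    # Legitimate mail relayed by a third-party service: SPF fails on the relay's
    # envelope, but the DKIM signature is for the From: domain itself, so pass.
    print(dmarc_disposition("example-realty.com", SAMPLE_RECORD,
                            "fail", "mailservice.example", "pass", "example-realty.com"))
```

DMARC only governs mail that claims to come from your exact domain; a look-alike domain carries its own records, which is why the phishing and impersonation awareness described above still matters.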
For a limited time, our Rapid Security Assessment is free of charge. Complete a 3-minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.