Cybercriminals recently stole $5.9 million from a public school in Connecticut. How? They gained access to the COO’s email account. From there, the bad actors monitored conversations within the email account and then impersonated the COO to request vendor payments to a fraudulent bank account.
With the help of the FBI, the school was able to recover $3.6 million. That leaves the public school system – including its teachers, staff, and students – $2.3 million short for the school year.
This situation is just one example of business email compromise.
Business email compromise (BEC) is a scam where cybercriminals send an email from a seemingly legitimate source requesting money or sensitive information. A BEC is also known as an email account compromise (EAC) in non-business situations.
Scammers may spoof an email account or website, send spearphishing emails, or use malware for financial gain.
BEC can happen in a variety of different ways, so let’s dive into a few examples of how it may look:
All BEC scams have one thing in common: they want to steal your money or sensitive information that can help them steal money.
There are many ways you can protect your business from BEC scams, including the following:
Conduct regular cybersecurity awareness training for employees to educate them about phishing emails, social engineering tactics, and the importance of verifying email requests for sensitive information or transactions.
Enable multi-factor authentication (MFA) for email and critical systems; it adds a layer of protection that a stolen password alone cannot get past, so unauthorized login attempts are blocked.
Establish a rigorous verification process for financial transactions and payment requests, including scrutinizing the legitimacy of requests made via email or alterations in payment instructions.
Implement strict password policies that require regular password changes. Discourage the use of easily guessable passwords while encouraging the use of strong passphrases.
Continuously monitor email accounts for any suspicious activities such as multiple login attempts or modifications in account settings.
Restrict access to sensitive systems and data, granting privileges only to employees who need them for their specific roles.
Develop a comprehensive incident response plan that is regularly tested to ensure swift and effective responses in case of a BEC attack. Clearly define roles and responsibilities within the incident response team.
Thoroughly verify the identities of vendors or suppliers before engaging in any business transactions.
Utilize encryption techniques and secure email gateways to safeguard sensitive data during transmission, ensuring unauthorized individuals cannot gain access to confidential information.
Employ cutting-edge email filtering solutions, like Verve IT’s Spam Protection, to detect and block phishing emails. Implement email authentication protocols such as DMARC, SPF, and DKIM to prevent email spoofing.
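The monitoring recommendation above (a burst of failed logins, then changes to account settings) is what the Connecticut case looks like in a mailbox audit log. The following is an added illustration, not code from the original post or from Verve IT; the log format, the event names, and the sample entries are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mailbox audit log (not real data): timestamp|user|event|detail
SAMPLE_LOG = """\
2024-03-01T08:00:05|coo@example.edu|LoginFailed|203.0.113.7
2024-03-01T08:00:09|coo@example.edu|LoginFailed|203.0.113.7
2024-03-01T08:00:14|coo@example.edu|LoginFailed|203.0.113.7
2024-03-01T08:00:20|coo@example.edu|LoginFailed|203.0.113.7
2024-03-01T08:00:31|coo@example.edu|LoginSucceeded|203.0.113.7
2024-03-01T08:03:10|coo@example.edu|NewInboxRule|forward_to=billing@example.net
2024-03-01T09:15:00|staff@example.edu|LoginSucceeded|198.51.100.4
2024-03-01T09:16:00|staff@example.edu|NewInboxRule|move_to=Archive
"""

# Hypothetical event names standing in for "modifications in account settings"
SETTINGS_EVENTS = {"NewInboxRule", "SetMailboxForwarding", "MfaMethodChanged"}

def parse_log(text):
    # Each line becomes (timestamp, user, event, detail)
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, detail = line.split("|", 3)
            entries.append((datetime.fromisoformat(ts), user, event, detail))
    return entries

def detect_bec_precursors(entries, fail_threshold=3, window=timedelta(minutes=10)):
    """Return (user, reason) alerts: brute-force-then-success, and settings changes
    that follow a suspicious login or forward mail outside the user's domain."""
    alerts, by_user = [], defaultdict(list)
    for entry in sorted(entries):
        by_user[entry[1]].append(entry)
    for user, events in by_user.items():
        recent_fails, suspicious_login_at = [], None
        for ts, _, event, detail in events:
            if event == "LoginFailed":
                # keep only failures inside the sliding window
                recent_fails = [t for t in recent_fails if ts - t <= window] + [ts]
            elif event == "LoginSucceeded":
                if len(recent_fails) >= fail_threshold:
                    alerts.append((user, f"login from {detail} succeeded after {len(recent_fails)} failures"))
                    suspicious_login_at = ts
                recent_fails = []
            elif event in SETTINGS_EVENTS:
                external = "forward_to=" in detail and detail.rsplit("@", 1)[-1] != user.rsplit("@", 1)[-1]
                if suspicious_login_at and ts - suspicious_login_at <= window:
                    alerts.append((user, f"{event} shortly after suspicious login: {detail}"))
                elif external:
                    alerts.append((user, f"{event} forwards mail outside the org: {detail}"))
    return alerts
```

Run `detect_bec_precursors(parse_log(SAMPLE_LOG))` to see the two alerts for the COO account and none for the staff account, whose inbox rule only files mail locally.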
It’s essential for organizations to regularly update their security measures and educate employees about the risks associated with BEC and similar cyberattacks.
If you want help protecting your business from BEC and other threats, consider our Managed IT services, which include Spam Protection, other cybersecurity measures, and more.