What You Can Do To Protect Your Enterprise Against BEC?
There are a number of ways to proactively arm your organization against Business Email Compromise (BEC): strategies and software that prevent and contain attacks, as well as a new category of cyber insurance that covers your enterprise in the event of loss.
Self-Protection: Cyber Security Awareness
On the first front, it is imperative to create employee awareness of the techniques cyber criminals use to infiltrate enterprise email systems. This enlists your own staff in protecting the organization by training them to recognize a BEC attack.
Executives involved in funds disbursement should be wary of any communication that is exclusively email based and should employ a secondary means of communication to verify requests. A frequent ploy of BEC actors is to request that payments originally scheduled to be made by check be made via wire transfer instead. Two-factor verification should be enabled, particularly on cloud-based email, IT and financial systems.
Out-of-Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this two-factor authentication early in the relationship and outside the email environment to avoid interception by a hacker.
Digital Signatures: Both parties to a transaction should use digital signatures. This will not work with web-based email accounts. Additionally, some countries ban or limit the use of encryption.
Executives should be mindful of phone conversations that may be illegitimate. BEC criminals often call requesting personal information for verification purposes or acknowledging a change in payment type and/or location. One way to counter this technique is to establish code phrases known only to the two legitimate parties. Be suspicious of requests for secrecy or pressure to take action quickly.
Avoid free web-based email accounts: Establish a company domain name and use it to establish company email accounts in lieu of free, web-based accounts.
Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
Immediately report and delete unsolicited email (spam) from unknown parties. DO NOT open spam email, click on links in the email, or open attachments. These often contain malware that will give the attacker access to your computer system.
Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been through company email, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
Verify changes in vendor payment location by adding a second verification step, such as a secondary sign-off by company personnel. Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the email request.
Know the habits of your customers, including the details of, reasons behind, and amount of payments. Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.
Do not use the “Reply” option to respond to any business emails. Instead, use the “Forward” option and type in the correct email address or select it from the email address book to ensure the intended recipient’s correct e-mail address is used.
Consider implementing two-factor authentication for corporate email accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s email account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code).
Create intrusion detection system rules that flag emails whose sender domain closely resembles the company's own domain. For example, a detection rule for legitimate email from abc_company.com would flag fraudulent email from abc-company.com.
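The following is an added example (not code from the original page) of such a detection rule: it normalizes sender domains so that separator swaps (abc_company.com versus abc-company.com), digit-for-letter tricks and "rn"-for-"m" spoofs all collapse onto the legitimate domain, then flags any sender within one edit of it. The legitimate domain, the substitution table and the sample From: headers are all constructed for the example.

```python
import re

# Domains the organization legitimately sends from (constructed for this example).
LEGITIMATE_DOMAINS = {"abc_company.com"}

# Character tricks commonly used in lookalike domains. Both the candidate and the
# legitimate domain are normalized the same way, so the comparison is symmetric.
_SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_label(domain: str) -> str:
    """Registrable label (text before the last dot) with separators removed and
    common substitutions undone, e.g. 'abc-c0mpany.net' -> 'abccompany'."""
    label = domain.lower().rsplit(".", 1)[0]
    label = re.sub(r"[-_.]", "", label)
    for fake, real in _SUBSTITUTIONS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legitimate=LEGITIMATE_DOMAINS, max_distance: int = 1) -> bool:
    """True when the domain is not one of ours but its normalized label sits within
    max_distance edits of a legitimate label (TLD swaps such as .net are ignored)."""
    domain = domain.lower()
    if domain in legitimate:
        return False
    label = normalize_label(domain)
    return any(edit_distance(label, normalize_label(d)) <= max_distance for d in legitimate)


def flag_lookalike_senders(from_headers):
    """Return (address, domain) pairs from raw From: header values whose sender
    domain is a lookalike of a legitimate company domain."""
    flagged = []
    for raw in from_headers:
        match = re.search(r"[\w.+-]+@[\w.-]+", raw)
        if not match:
            continue
        addr = match.group(0)
        domain = addr.rsplit("@", 1)[1]
        if is_lookalike(domain):
            flagged.append((addr, domain))
    return flagged


# Constructed sample From: headers; only the first is the genuine company domain.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@abc_company.com>",
    "Jane Doe <jane.doe@abc-company.com>",
    "Jane Doe <jane.doe@abc_c0mpany.net>",
    "Jane Doe <jane.doe@abccornpany.com>",
    "Jane Doe <jane.doe@unrelated-vendor.com>",
]

if __name__ == "__main__":
    for addr, domain in flag_lookalike_senders(SAMPLE_FROM_HEADERS):
        print(f"FLAG lookalike sender domain {domain!r} in {addr!r}")
```

Tune max_distance to your domain length: a very short label will produce false positives at distance 1, and a compromised genuine mailbox will never be caught by this rule, which is why the out-of-band verification above still applies.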
Register all company domains that are slightly different than the actual company domain.
If you discover a fraudulent transfer or believe your email system has been compromised, time is of the essence. First, contact your financial institution and request a recall of the funds. Second, contact your local FBI office and report the fraudulent transfer. Law enforcement may be able to assist the financial institution in recovering funds. Finally, regardless of dollar loss, file a complaint with the IC3 (www.ic3.gov) or, for BEC victims, at www.bec.ic3.gov; this can assist both the financial institutions and law enforcement in recovery efforts.
Cyber Insurance
Despite the most vigilant efforts at prevention, enterprises are being targeted by criminal organizations with elaborate and sophisticated email fraud schemes. The techniques are continuously being honed to elude detection. Even the most robust email system can be easily manipulated for fraudulent purposes if login information and passwords get into the wrong hands. Unfortunately, passwords are protected only by your personnel, who unintentionally make mistakes. If your email system is compromised and funds or sensitive information is stolen, your company must be protected. Basic cyber insurance policies can cover broad categories of damage; alternatively, a new type of hybrid insurance, like that provided by Mailsurance, can offer dual protection: a policy that compensates for damage, coupled with proactive technologies that monitor your email system 24/7 to prevent an incident from occurring and alert you the moment an anomaly is detected.