As technology and business evolve, so do the cyber crimes that threaten them. Attackers keep devising new techniques to steal confidential company data and, ultimately, company money. One of the most prevalent threats of the current era is Business Email Compromise (BEC).
In essence, BEC is a scam in which an attacker poses as a trusted party (an executive, a vendor, a lawyer) to extract confidential information from unsuspecting employees or to get the organization to send money to an account the attacker controls. It is all the more plausible now that so much business runs on impersonal email, and falling for it can mean serious trouble for your company. To keep this threat from wreaking damage, educate your staff about it and implement the strategies below.
What is Business Email Compromise?
As of 2018, business email compromise scams had accounted for more than $12 billion in actual and attempted losses worldwide, according to FBI figures, and there is no sign that attackers intend to abandon such a lucrative scam. If we didn’t have your attention before, we should have it now.
As mentioned earlier, the scam is essentially an attacker posing as an authority figure, a vendor, or a member of upper management whom the targeted employee already knows, so that the request raises no suspicion. These emails are most often aimed at the finance department. Attackers tend to reuse a small set of personas that they have found to work best.
For instance, they may pose as the CEO of the company with a fake request to transfer money to a new account. Criminals may also disguise themselves as vendors that already work with your organization and make a false request to revise a billing address or change where funds are sent. Other times, a hacker will impersonate an attorney asking for confidential business information. When acting as a lawyer, hackers will often target newer employees who may be quicker to respond out of fear before recognizing the threat.
The real issue with BEC scams is that they can cause damage in any industry, even the medical field. Recently, an email was sent to a medical center in New York by a hacker who pretended to be a senior staff member. In it, they requested the files on hundreds of patients. While it does not seem that the information was used maliciously, any of the confidential information in those files, including birthdates, insurance information, and more, could have been used or sold on the black market for financial gain.
How Hackers Obtain Email Contacts
Limiting the damage from business email compromise comes down to keeping confidential data, starting with who works where and who handles payments, away from prying eyes. In some cases, the criminal compromises the network with malware and extracts email addresses and contact lists directly. In other cases, they rely on information gathered from outside.
One of the easiest ways into your systems is by guessing a password. Attackers commonly use brute-force and dictionary attacks, which try a barrage of commonly used passwords (or, in password spraying, a few common passwords against many accounts) in the hope of finding a match. Beyond blind guessing, attackers also mine the details employees share on social media, such as the street they live on, the family pet, or other specifics that tend to show up in passwords and security questions.
Once inside, the attacker can read your mailbox, email contacts, and company directories to obtain the names, roles, and addresses they need. To keep company data secure, every employee should use a long, unique password for each account (a mix of letters, numbers, and special characters, never reused across services), rotated on a schedule and, above all, changed immediately whenever there is any sign it has been exposed. Multi-factor authentication on email accounts blunts password guessing even when a password does leak.
Beyond these intrusive tactics, attackers can find the email addresses of potential victims simply by reading the contact page on the corporate website. They may also search a current or former employee’s LinkedIn page to find that person’s company email address or those of their co-workers, and once one address reveals the naming pattern (first.last@company.com, say), the rest of the staff’s addresses can be guessed.
How to Prevent BEC Scams
Since BEC scams are real and frequent, the management team at your organization must communicate with their staff about how the threat can be avoided. A business email compromise is just another form of social engineering, similar to when users receive phishing emails at home. The hacker is sending an email that is made to look like it is from a person or entity that you know.
Separating malicious emails from authentic communications comes down to the details. If you receive an email that appears to come from a legitimate source but makes an unusual request, look closely at the actual sender address, not just the display name. Attackers often register a domain that resembles the real one with an extra letter, a swapped character, or an added piece of punctuation (examp1e.com standing in for example.com, say), or they put a trusted name in the display field while the address behind it belongs to a free webmail service. A Reply-To address that differs from the From address is another warning sign. Also, as with phishing emails, there are typically red flags to consider, including:
● Misspellings in the subject or body
● A general greeting, such as “To whom it may concern”
● A request asking you to click on a link or attachment
If you are still unsure whether the email is legitimate, pick up the phone and call the individual or vendor using a number you already have on file, never one supplied in the suspicious email, and confirm that they sent the request. For any change to payment details, make that call-back a mandatory step rather than a judgment call.
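The sender-address checks described above can be automated for the cases that are easiest to miss by eye. The following Python script is an added example, not code from the original article or from GlobalSign; the trusted-domain list, the executive names and the email headers it examines are all constructed for illustration, and the normalization rules and the edit-distance threshold of one are assumptions you would tune for your own domains. It flags a sender domain that is one character away from a trusted one (after undoing common digit-for-letter swaps), a known executive's name on an external mailbox, and a Reply-To that points somewhere other than the From address.

```python
"""Flag likely BEC lookalike senders in raw email headers.

Added illustration, not code from the original article. The trusted-domain
list, executive names and the sample messages below are all constructed.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: domains we legitimately exchange mail with and
# the executives whose names a scammer is most likely to borrow.
TRUSTED_DOMAINS = ("example.com", "acme-supplies.com")
EXECUTIVES = {"jane doe", "john smith"}


def normalize(domain: str) -> str:
    """Undo common look-alike tricks: 'rn' for 'm', 'vv' for 'w', digits for letters."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("015", "ols"))


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or transpose one character."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_headers(raw: str) -> list[str]:
    """Return finding codes for one raw RFC 5322 message (empty list = no red flag)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    findings: list[str] = []

    if domain not in TRUSTED_DOMAINS:
        norm = normalize(domain)
        for trusted in TRUSTED_DOMAINS:
            # One added, dropped, swapped or substituted character, a homoglyph,
            # or the trusted name buried in a longer domain (example.com-billing.net).
            if edit_distance(norm, trusted) <= 1 or trusted.split(".")[0] in norm.split("."):
                findings.append(f"lookalike-domain:{domain}~{trusted}")
                break
        # A real executive's name on a mailbox outside our trusted domains.
        if name.strip().lower() in EXECUTIVES:
            findings.append(f"executive-name-external:{name}")

    # Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        findings.append(f"reply-to-mismatch:{reply_to}")
    return findings


# Constructed sample messages (headers only; bodies cut short).
SAMPLES = {
    "legitimate": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 figures\n\nHi",
    "homoglyph": "From: Jane Doe <jane.doe@examp1e.com>\nSubject: Urgent wire\n\nHi",
    "webmail_exec": (
        "From: \"Jane Doe\" <ceo.office@gmail.com>\n"
        "Reply-To: accounts@outlook.com\nSubject: Gift cards\n\nHi"
    ),
    "vendor_typo": "From: Billing <ar@acme-supplies.co>\nSubject: New bank details\n\nHi",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} {check_headers(raw) or 'clean'}")
```

Run it against a saved .eml file by passing the file contents to check_headers, or wire the function into a mail-gateway rule that tags rather than blocks. A distance of one is deliberately strict; short domains produce false positives at larger thresholds, and a check like this only catches impersonation of addresses you already know, so it complements rather than replaces the phone call-back for anything involving money.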
Beyond watching for the signs, every company must take proper preventive precautions to secure its corporate data. These include enforcing email authentication (SPF, DKIM, and DMARC) so that forged messages claiming to come from your own domain are rejected, encrypting data in transit and at rest, keeping frequent backups, and, where in-house expertise is lacking, placing security protections in the hands of professionals via managed cloud services.
Sometimes it may seem that with every new day, there is a new security threat, but it is not all doom and gloom. By staying aware of common threats, including business email compromise, you can defend against hackers and protect your precious financial information.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.