In a 2021 survey of over 1,400 CISOs conducted by Proofpoint, 70% of UAE CISOs said human error is their organization’s biggest cybersecurity vulnerability. This makes sense because, globally, CISOs believe Business Email Compromise (BEC) will be the biggest cybersecurity threat in the next year.

Formerly dubbed man-in-the-middle email scams, BEC attacks rely heavily on social engineering tactics to trick unsuspecting employees and executives. Quite often, the attackers impersonate the CEO or any executive authorized to approve wire transfers. Business email compromises cost businesses money, time, and reputation. According to the FBI, BEC is a “$26 billion scam” that affects thousands of businesses a year. Typical lure messages have subject lines containing words such as “request payment,” “transfer,” and “urgent.”

There are 5 types of BEC scams:

  1. Bogus invoice schemes
  2. CEO fraud
  3. Account compromise
  4. Attorney impersonation
  5. Data theft

BECs can evade traditional security solutions because the messages carry no malicious links or attachments for filters to catch; the payload is the request itself.

Protection Tips to Prevent BECs

  1. Recognize impersonation tactics; encourage employees to challenge suspicious payment requests
  2. Be wary of last-minute email account address changes
  3. Don’t overshare on social media
  4. Check email addresses for slight changes
  5. Use Multi-Factor Authentication
  6. Use strong passwords
  7. Don’t trust unknown sources
  8. Verify all wire transfers in person
  9. Provide regular end-user training
  10. Run antivirus software often; enable security features that block malicious emails
  11. Block IPs from parts of the world where you don’t conduct business
  12. Monitor the Exchange server for configuration changes and unauthorized mailbox rules (for example, new forwarding or auto-delete rules)
  13. Add a banner to emails coming from outside your organization
  14. Log and retain changes to mailbox login and settings for at least 90 days
  15. Report fraud to law enforcement
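Several of the tips above (checking sender addresses for slight changes, tagging external mail, watching for the “urgent” and “transfer” subject lines described earlier) can be turned into automated triage on inbound mail. The script below is an added example written for this post, not code from SpearTip or from the original article. It assumes a constructed trusted domain (`example.com`), a constructed executive name list, and three constructed sample messages; in a real deployment those values would come from your directory and the raw messages from your mail gateway or mailbox export.

```python
import email
from email.utils import parseaddr

# Constructed assumptions for this example: the organization's own domain and
# the display names of executives that attackers are most likely to impersonate.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"alice smith"}
# Subject words the post names as typical of payment-fraud lures.
URGENCY_KEYWORDS = ("urgent", "request payment", "transfer", "wire")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot lookalike domains
    such as a swapped or dropped letter (tip 4: slight address changes)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_message(raw: str) -> dict:
    """Parse one RFC 822 message and return BEC-related findings plus the
    subject line as it would be shown to the user (tip 13: external banner)."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(reply_addr)
    subject = msg.get("Subject", "")
    findings = []

    sender_external = from_domain not in TRUSTED_DOMAINS
    reply_external = bool(reply_domain) and reply_domain not in TRUSTED_DOMAINS
    # Treat the message as external if either the sender or the reply path
    # leaves the organization.
    external = sender_external or reply_external

    # Tip 4: a sender domain one or two edits away from ours is a classic lookalike.
    for trusted in TRUSTED_DOMAINS:
        if sender_external and from_domain and levenshtein(from_domain, trusted) <= 2:
            findings.append(f"lookalike sender domain {from_domain} ~ {trusted}")
    # CEO fraud pattern: an executive's display name on mail from outside.
    if sender_external and from_name.strip().lower() in EXECUTIVE_NAMES:
        findings.append(f"executive display name '{from_name}' from external domain {from_domain}")
    # Reply-To routed somewhere other than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Subject keywords typical of payment-fraud lures.
    hits = [k for k in URGENCY_KEYWORDS if k in subject.lower()]
    if hits:
        findings.append("urgency/payment keywords in subject: " + ", ".join(hits))

    tagged_subject = f"[EXTERNAL] {subject}" if external else subject
    return {"external": external, "findings": findings, "subject": tagged_subject}


# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: Alice Smith <alice.smith@examp1e.com>
Reply-To: alice.smith@examp1e.com
To: bob@example.com
Subject: URGENT wire transfer request

Bob, I need you to process a transfer today. Call me after, I'm in meetings.
"""

SAMPLE_REPLYTO = """\
From: Alice Smith <alice.smith@example.com>
Reply-To: alice.smith@personal-mail.test
To: bob@example.com
Subject: Quick favour

Are you at your desk?
"""

SAMPLE_INTERNAL = """\
From: Alice Smith <alice.smith@example.com>
To: bob@example.com
Subject: Q3 planning

See attached agenda.
"""

if __name__ == "__main__":
    for name, raw in (("BEC", SAMPLE_BEC), ("REPLYTO", SAMPLE_REPLYTO), ("INTERNAL", SAMPLE_INTERNAL)):
        result = analyze_message(raw)
        print(name, result["subject"], result["findings"])
```

The edit-distance threshold of 2 is deliberately loose so that `examp1e.com` and `exampl.com` are both caught; on very short domains it will also match unrelated names, so tune it per domain or pair it with an allow list of known partners. None of these checks replaces SPF, DKIM and DMARC enforcement; they are meant to surface the messages that pass authentication but still look like a payment lure, so that the in-person verification in tip 8 happens before any money moves.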

Business email compromise isn’t going away. BECs are akin to the Nigerian letter-writing schemes of the 1990s. Be aware that some insurance companies may not cover BECs as a part of your cyber coverage; they treat BECs as common theft or user error. Educating and training your employees is the best way to avoid falling victim to a BEC attack.

In addition to training your employees on the ways threat actors will look to take advantage of them, engaging with security firms who have battle-tested experience and highly technical abilities will add another layer of protection against BECs. Email monitoring is a crucial defense mechanism of SpearTip’s security services, as we instantly add value to your organization upon implementation. It’s nearly impossible for your employees to be perfect, and that’s okay. As a leader in your organization, ensure you’ve made the right moves to protect your most valuable assets from those inevitable mistakes.