Picture this: You’re the finance manager at a fifty-person manufacturing firm. Your best customer’s account is overdue – unusual, as they typically pay in full. Your customer, however, insists they’ve already paid and presents proof from the bank. So why didn’t you receive the payment?
Business Email Compromise (BEC) has accounted for more than $12.5 billion in reported and attempted losses worldwide since 2013, according to the FBI's Internet Crime Complaint Center, and the trend is accelerating: identified losses rose 136% between 2016 and 2018.
Organizations with customers paying large and/or ongoing invoices are key targets. A few examples include construction companies, professional services firms, and security systems integrators. Ultimately, BEC can affect all businesses in some form. The key to stopping it is to know what you’re looking for.
E-mail or E-fail?
While tactics vary, a typical BEC attack has three parts:
The Key: Attackers buy or download email addresses and passwords leaked in other companies' data breaches, often traded on the Dark Web, and try them against your mail service (so-called credential stuffing). Because most people reuse passwords across sites (surveys routinely put the figure above 80%), the attacker needs only one reused password that still works to get in the door.
The Break-In: With a working password, the attacker logs into a key employee's mailbox – typically someone in finance or accounts receivable. Rather than act immediately, they read quietly, learning project details, contacts, open invoices, nicknames and the employee's writing style, so that when they do strike the message sounds exactly like its apparent sender.
The Attack: The attacker sends email from the employee's real account – not a look-alike address – announcing a phony "change in payment instructions" and directing your customer's next payment to a bank account the attacker controls. To keep you from noticing, they set up mailbox rules that forward, hide or delete any replies or bounce messages, then remove those rules and the sent mail once the fraud has gone through.
To make matters worse, you likely won’t know until it’s too late and your customers have paid the attacker. By the time the payment has gone past due and you hear from customers that they “already paid,” the attackers will be long gone.
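Those mailbox rules are the most reliable artifact the break-in leaves behind, and they are logged by every major mail platform. As an added example that is not part of the original Defendify post, the Python script below scores rule-creation events for the pattern described above: forwarding to an external domain, a terse or punctuation-only rule name, filters on payment-related keywords, and moving or deleting matching mail so the victim never sees it. The event layout, the sample events, and the domain and keyword lists are constructed for illustration and are not the schema of any real mail platform's audit log.

```python
"""Triage mailbox inbox rules for Business Email Compromise tradecraft.

Added illustration: the event layout is a simplified, constructed shape
(user, rule name, forwarding targets, destination folder, delete flag,
filter terms), not the exact schema of any mail platform's audit log.
"""

INTERNAL_DOMAINS = {"acme-mfg.example"}  # assumed: your own mail domain(s)
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remit", "ach", "account"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email",
                  "deleted items", "archive", "conversation history"}

# Constructed sample rule-creation events (not real audit data).
SAMPLE_RULE_EVENTS = [
    {   # Ordinary housekeeping rule: benign.
        "user": "cfo@acme-mfg.example", "rule": "Receipts",
        "forward_to": [], "move_to": "Receipts", "delete": False,
        "subject_contains": ["receipt"], "body_contains": [],
    },
    {   # Classic BEC rule: terse name, external forward, parked in the
        # RSS folder nobody opens, filtered on payment keywords.
        "user": "ap@acme-mfg.example", "rule": ".",
        "forward_to": ["lookup.mailbox.1@freemail.example"],
        "move_to": "RSS Subscriptions", "delete": False,
        "subject_contains": ["invoice", "payment", "wire"], "body_contains": [],
    },
    {   # No forwarding at all: replies questioning the "new bank details"
        # are simply deleted before the real user sees them.
        "user": "sales@acme-mfg.example", "rule": "Delete bounce",
        "forward_to": [], "move_to": "", "delete": True,
        "subject_contains": [], "body_contains": ["payment instructions"],
    },
]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def mentions_finance(terms):
    """True if any filter term contains a whole-word finance keyword."""
    return any(word in FINANCE_KEYWORDS
               for term in terms for word in term.lower().split())


def score_rule(event, internal_domains=INTERNAL_DOMAINS):
    """Return {'score': int, 'reasons': [...]} for one rule-creation event.

    Each indicator is weak on its own; the combination is what matters,
    so external forwarding weighs 2 and everything else weighs 1.
    """
    reasons, score = [], 0
    if any(is_external(a, internal_domains) for a in event["forward_to"]):
        score += 2
        reasons.append("forwards to external domain")
    name = event["rule"].strip()
    if len(name) <= 2 or not any(ch.isalnum() for ch in name):
        score += 1
        reasons.append("terse or punctuation-only rule name")
    if mentions_finance(event["subject_contains"] + event["body_contains"]):
        score += 1
        reasons.append("filters on finance keywords")
    if event["delete"] or event["move_to"].lower() in HIDING_FOLDERS:
        score += 1
        reasons.append("hides or deletes matching mail")
    return {"score": score, "reasons": reasons}


def find_suspicious_rules(events, internal_domains=INTERNAL_DOMAINS, threshold=2):
    """Rules scoring at or above the threshold, highest score first."""
    hits = []
    for event in events:
        verdict = score_rule(event, internal_domains)
        if verdict["score"] >= threshold:
            hits.append({"user": event["user"], "rule": event["rule"], **verdict})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_RULE_EVENTS):
        print(f"{hit['user']}: rule {hit['rule']!r} scored {hit['score']} "
              f"({'; '.join(hit['reasons'])})")
```

Feed it from whatever your mail platform records when a rule is created or changed (in Microsoft 365, for example, the New-InboxRule and Set-InboxRule operations in the mailbox audit log), and treat a hit as a prompt to reset the password, revoke active sessions and review the mailbox's sent and deleted items, since the rule is usually created after the attacker is already inside.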
Don’t Compromise Your Relationships
From a business standpoint, BEC is tricky because both parties carry some responsibility: a successful attack fools you (your mailbox was taken over) and your customer (they paid the wrong account without checking), and sorting out who absorbs the loss afterwards can strain even a long relationship.
Here are a few tactics to minimize the risk of BEC:
Strong Passwords and 2FA: If attackers can't get into your email account, they can't send from it. Use a strong, unique password or passphrase for every account and turn on two-factor authentication, especially for email and any other channel customers use to reach you. An authenticator app or hardware security key is stronger than a code sent by SMS.
Communicate: Make your customers aware of the threat and encourage them to verify requests. Explain your company's security protocols from day one and be clear that you'll never request payment changes through email, then be sure that you follow this policy. Ask customers to confirm any change in bank details by calling a phone number they already have on file for you, never one supplied in the email itself.
Secure Messaging: Consider setting up an encrypted email tool or secure payment portal for customers. If customers receive a payment request outside of this system, they can treat it as a potential attack and flag it.
While not overly sophisticated, BEC is a real threat and on the rise. Be mindful that this one can be particularly tricky: not only can your company be the victim of the attack, but your own mailbox can be its source.
Your Friends @ Defendify