Cyber Attack 101 Series: Business Email Compromise (BEC) attacks

BEC attacks are a type of specialist phishing attack where a hacker impersonates a credible individual's email in order to make a transaction. Learn the types of BEC attacks and best practices to protect your business.

According to the FBI, Business Email Compromise attacks, also known as BEC attacks, are one of the most financially damaging forms of cybercrime. In fact, the average wire transfer loss from BEC attacks in the second quarter of 2020 shot up to over $80,000, up from $54,000 in the first quarter.

BEC attacks are defined as a specialist type of phishing attack during which cyber attackers spoof, or already have access to, a credible email account with the goal of performing a fraudulent transfer. These attacks fundamentally rely on social engineering tactics designed to trick, pressure, or coerce employees into giving hackers access to financial information.

For example, a cyber attacker uses a keylogger to figure out the CEO’s email password. They log in as the CEO and send an email to the company’s accountant telling them to make a time-sensitive wire transfer to a fraudulent destination. Because it’s coming from the CEO’s email address, the accountant thinks it is legitimate and makes the transaction, and the company loses x amount of dollars.

Types of BEC attacks

According to the FBI’s website, cybercriminals typically conduct BEC attacks through 3 methods:

  1. Disguising themselves as a legitimate business looking to do a transaction. This is most commonly done by using look-alike domain names that are slight variations of reputable companies. An example would be m1crosoft.com vs. microsoft.com. These slight variations are often difficult to spot, especially if employees aren’t being careful.
  2. Using spear-phishing emails to target high-level executives. As discussed in the earlier example, once the hacker gains access to an executive’s email account, they’ll typically impersonate them to request a large transfer or access to financial information.
  3. Using malware and other malicious software to infiltrate company networks and access email threads. In newer BEC attacks, hackers link malware files in Dropbox, OneDrive, or Google Drive links since employees are accustomed to receiving shared files in these formats.
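The first method above, look-alike domains such as m1crosoft.com, is one that can be caught mechanically before a human has to spot it. The following is an added example (not code from the original post or from Zeguro) of a small sender-domain checker: it compares the registrable domain of an incoming address against a constructed list of trusted correspondent domains, normalizes common digit and letter substitutions, and uses edit distance to flag near-misses. The trusted-domain list, the confusable table and the sample addresses are all constructed for illustration.

```python
import unicodedata

# Constructed sample: domains this organization already does business with.
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.com"}

# Constructed, illustrative table of characters commonly swapped for letters
# in look-alike domains (digit 1 for i, 0 for o, and so on).
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                             "5": "s", "7": "t", "|": "l"})


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(address):
    """Lower-cased last two labels of the address's domain.

    Simplification: ignores multi-label public suffixes such as co.uk.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    domain = unicodedata.normalize("NFKC", domain)
    return ".".join(domain.split(".")[-2:])


def normalize_lookalike(domain):
    """Undo the common tricks: rn -> m, vv -> w, digits for letters."""
    return domain.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, domain) for a sender address.

    verdict is "trusted", "lookalike" (with the trusted domain it imitates),
    "suspicious-idn" (punycode label, needs manual review) or "unknown".
    """
    domain = registrable_domain(address)
    if domain in trusted:
        return ("trusted", domain)
    if any(label.startswith("xn--") for label in domain.split(".")):
        return ("suspicious-idn", domain)
    normalized = normalize_lookalike(domain)
    best = None
    for candidate in trusted:
        dist = min(levenshtein(domain, candidate),
                   levenshtein(normalized, candidate))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    if best is not None:
        return ("lookalike", best[0])
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample senders, one per verdict.
    for sender in ("ceo@m1crosoft.com", "payments@rnicrosoft.com",
                   "alice@mail.microsoft.com", "bob@totally-different.org",
                   "billing@xn--mcrosoft-placeholder.com"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is a signal for quarantine or a banner, not proof of fraud: a legitimate new supplier whose name happens to be within two edits of a trusted domain will also trip it, so the threshold should be tuned against real mail flow. Note that this check does nothing for the scenario in the introduction, where the attacker sends from the CEO's genuine account; that case is only caught by the out-of-band verification described under best practices below.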

Best Practices to Avoid Falling Victim to BEC Attacks

Because BEC attacks fundamentally rely on social engineering tactics, the best way to protect against such attacks is to strengthen the last line of defense – the human element, or in this case, employees. As long as businesses are diligent about employee cyber awareness and cybersecurity training, BEC attacks are actually the most straightforward attacks to prevent and don’t require expensive firewalls and IT solutions. Here are some simple and actionable steps business owners can take to protect themselves.

  1. Make sure your employees are well trained to identify and report suspicious emails. This can be done through employee cybersecurity awareness training such as the DISA’s phishing awareness interactive training module or with phishing awareness quizzes such as Google’s Interactive Phishing Quiz.
  2. Instruct employees to be extra cautious when opening external links. Employees should confirm the authentic URL is used in the electronic communications they receive before clicking the link. If the link is provided as a hyperlink, hover the cursor over the link to display the URL on the screen to confirm authenticity. 
  3. Have safeguards in place so that large wire transfers require verification. Require that any time a wire transfer is requested, it is confirmed over the phone or in person before funds move.
  4. Implement cloud-based email protection: A best practice for businesses to prevent phishing is to have a cloud-based email protection solution. Such solutions block spurious emails before they reach the inboxes of the intended recipients.
  5. If you’re a business owner or CEO, be extra vigilant when it comes to email threats. Studies suggest that executives are more likely than other employees to fall victim to such attacks.

The age-old proverb, ‘An ounce of prevention is worth a pound of cure,’ applies well to cybersecurity. The best thing for SMBs to do is to proactively educate their employees on cyber threats rather than starting after a damaging attack has already occurred. This will also help foster a culture of security, which will help protect your business from other forms of attacks as well.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.

Written by Jai Bawa

Content Marketing and Social Media Intern

Student at San Jose State University, fascinated with the world of Digital Marketing. Movie enthusiast. Always curious!