5 Tips to Thwart Business Email Compromise (BEC) Attacks
Author: Ronnie Tokazowski
For the 7th year in a row, Business Email Compromise (BEC) is the number one cybercrime as measured by reported losses, according to the FBI IC3 Report. Topping out at an astonishing $43 billion, with victims in 177 countries and money being wired between 140 different countries, it still amazes me that people are more concerned about ransomware and nation-state attacks instead of murderous BEC actors killing in the name of evil spirits.
To add insult to injury, the same actors behind BEC are responsible for $100 billion in SBA fraud and $80 billion in paycheck protection plan (PPP) fraud. This doesn’t even begin to touch the dozens of consumer-based crimes such as check fraud, advanced-fee fraud, or romance scams, with over $223 billion now tied back to the exact same scammers.
And that’s just what we know.
Reflecting on seven years of tracking BEC, there is one major thing organizations fail to do. It has nothing to do with a shiny box, and nothing to do with buying or selling a service. It is literally reviewing what you already have.
Here’s your BEC checklist that will mitigate 80% of attacks:
- Review your financial processes and procedures
- Define how wire transfers, gift card purchases, and direct deposit requests work
- Once defined, communicate & follow the process
Most BEC attacks are successful simply because a process breaks down. Someone wired money without checking whether they should, a random phone number led to gift cards being sent out, or HR made a one-time exception to update payroll via email instead of pointing employees back to the employee portal. The 80% solution to mitigating many types of BEC attacks is simple: review your processes for how wire transfers, authorizations for vendor master bank account updates, money orders, gift cards, and invoices are to be paid, and follow them.
Here are five tips to get you started on which processes need to be updated:
- Maintain a list of known and trusted phone numbers to verify wire transfer requests.
- Don’t accept payroll update requests via email. Point users to employee portals to make the changes there.
- Establish a gift card purchasing process, and if no one needs to purchase gift cards for the company…then no one purchases gift cards.
- Bank accounts rarely change, so clearly define which bank accounts can be used at the beginning of any business relationship. If an account needs to be changed and updated, who is responsible for verifying the new account with the external party? Implement a freeze period on the account update so the bank can verify ownership details.
- What is the process for wiring $10,000 / $50,000 / $100,000+ out of the organization? Define and follow a multi-person process to verify transactions before money gets lost.
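The controls in tips 1, 4 and 5 above (callback to a number on file, no payments to an account still inside its freeze period, approver count scaled to the amount) can be encoded so finance staff get a checklist result per wire request. The following is an added example, not code from the post or its author; the vendor, phone number, account, 14-day freeze window and approval tiers are constructed, hypothetical values.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample directory a finance team would keep out of band
# (hypothetical vendor, number and account; not from the post).
TRUSTED_PHONES = {"acme-supplies": "+1-555-0100"}
# vendor -> (bank account on file, date that account was recorded)
VENDOR_ACCOUNTS = {"acme-supplies": ("123456789", date(2021, 1, 10))}
FREEZE_DAYS = 14                               # assumed freeze window after an account update
APPROVAL_TIERS = ((10_000, 2), (100_000, 3))   # assumed tiers: amount threshold -> approvers

@dataclass
class WireRequest:
    vendor: str
    amount: float
    account: str             # destination account named in the request
    request_date: str        # ISO date the request was received
    callback_number: str     # number the requester asked to be called on
    callback_verified: bool  # did staff confirm by calling the number on file?
    approvers: list = field(default_factory=list)

def required_approvers(amount: float) -> int:
    """Number of distinct approvers for a wire of this size (1 below the first tier)."""
    needed = 1
    for threshold, count in APPROVAL_TIERS:
        if amount >= threshold:
            needed = count
    return needed

def check_wire(req: WireRequest) -> list:
    """Return the control failures for a wire request; an empty list means it may proceed."""
    failures = []
    known = TRUSTED_PHONES.get(req.vendor)
    # Tip 1: verify only via the number on file, never one supplied in the request
    if known is None or req.callback_number != known:
        failures.append("callback number is not the vendor's number on file")
    elif not req.callback_verified:
        failures.append("request not confirmed by callback to the number on file")
    on_file = VENDOR_ACCOUNTS.get(req.vendor)
    # Tip 4: destination must match the account on file and be outside the freeze period
    if on_file is None or req.account != on_file[0]:
        failures.append("destination account differs from the account on file")
    elif (date.fromisoformat(req.request_date) - on_file[1]).days < FREEZE_DAYS:
        failures.append("account updated within the freeze period; bank verification pending")
    # Tip 5: multi-person approval scaled to the amount
    need = required_approvers(req.amount)
    if len(set(req.approvers)) < need:
        failures.append(f"{need} distinct approvers required, {len(set(req.approvers))} given")
    return failures
```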
While updating processes won't cover every single BEC use case, the vast majority of attacks can be thwarted with these simple changes. Is it better to take a week to do the boring work of reviewing your processes and procedures, or to become an unhappy part of the $223 billion statistic?
If you want to learn more about BEC statistics that we observed in 2021, as well as ways to mitigate this attack, sign up for our next webinar focused solely on BEC attacks.