BEC (Business Email Compromise), also known as business email compromise, is the practice of using email to scam businesses for money or goods. Criminals impersonate business representatives using company names, domains, and logos. Or use compromised email accounts and pretend to be your co-workers. Here are the things you need to know and solutions to secure business email against this form of attack.
BEC Attack (Business Email Compromise)
Common scams related to business email compromise include:
-
Bill Fraud : Criminals hack into company email accounts and gain access to real bills. They then edited the contact information, bank details on it and sent it to the customer using the compromised email account. The customer pays the bill thinking they are paying the supplier. But actually, they deposit the money into the criminals’ bank accounts.
-
Employee Impersonation : Hackers compromise work email accounts and impersonate employees via email. They can use this identity to commit fraud in many ways. A commonly used method is to impersonate a powerful person (such as a CEO or CFO) and issue a fake invoice. Another method is to request to change the employee’s bank details. Then, money from fake invoices or workers’ wages will be deposited into the criminals’ bank accounts.
-
Company Impersonation : Scammers register domain names similar to large, well-known, and trusted companies. They then email the supplier and ask for a quote on a number of expensive goods, such as laptops. They will negotiate to receive the goods before payment. The goods are then delivered to a specified location, however, the invoice is sent to the legitimate company, which has never ordered or received the goods.
How to prevent email accounts from being compromised?
1. Beware of scams
Phishing is a form of impersonation of individuals or organizations that you think you know or that you trust. Cybercriminals steal logins using phishing techniques and then use those credentials to send malicious content to your contacts. To secure business email, you need to invest smartly in cybersecurity solutions and prepare yourself to be on high alert.
Phishing is not just limited to email. These scams are also carried out via SMS, instant messaging, and social networks. They pretend to be trusted organizations such as:
- State Police or law enforcement.
- Utility services such as telecommunications, postal services, electricity, and gas companies.
- Banks and other financial institutions.
- Government agencies, such as the Tax Office or some other government service.
Reputable organizations will not call, SMS, or email to verify or update your personal information. And certainly companies like Amazon, PayPal, Google, Apple, and Facebook too. When you receive suspicious information from these companies, there are some simple things you should do to keep yourself safe:
- Spell check the sender’s domain name by comparing it with previous correspondence.
- Use the spam and message scanning features provided by your email, SMS, or social network service providers to filter harmful content.
- Practice critical thinking and vigilance when receiving calls, texts, and emails.
- Use extreme caution when opening messages, attachments, or clicking on links sent from unknown people.
- Do not provide personal information (such as username, PIN, password, or secret/security question and answer) to unverified sources.
Some organizations and companies will have secure pages to identify scams impersonating their brand. If you receive a message that looks suspicious, contact the individual or organization individually to check if they likely sent the message. Note that you should use contact information that you have verified in another way, e.g. get a phone number from the official website of the organization.
2. Use multi-factor authentication and strong passphrases
Use multi-factor authentication so employees can verify their login information when accessing the system and secure business email. Multi-factor authentication is one of the most effective security controls you can implement to prevent unauthorized access to your computer, applications, and online services. Using multiple forms of authentication will make it more difficult to break into your system. Criminals can steal one type of credential, but it’s very difficult to steal a combination of multiple credentials in an account.
Multi-Factor Authentication
To implement multi-factor authentication, a combination can be used:
- Something the user knows (passphrase, PIN, or answer to a secret question)
- Something the actual user is in possession of, such as a smart card, token, or security key.
- Something the user already has, such as a fingerprint or retina pattern.
Finally, encourage employees to use biometrics or strong passphrases to lock their devices - especially mobile devices.
3. Design a secure business process
Businesses should design a clear and consistent business process so that employees can verify and authenticate payment claims and sensitive information. Keep employee contact information confidential, especially in departments likely to be targeted by fraudsters, such as accounting, finance, or human resources.
Make sure workers recognize the following warning signs:
- Unexpected changes in banking information
- Urgent payment requests or warnings of serious consequences if payment is not made.
- Request an unexpected payment from a person with position and authority. Be wary of this person doesn’t normally make such requests.
- The email address doesn’t look right like the domain name doesn’t exactly match the provider’s name.
The company needs to guide employees in verifying account information, think carefully before making unusual requests. At the same time, businesses need a clear process to report threat requests and take immediate action to respond to attacks.
Protect your business reputation against the risk of being impersonated
Develop and use internal network security controls. Criminals can gain access to any email account by compromising a company’s systems. Also, the company might consider registering domain names that look similar to the business’s domain name (for example, replace letters like ‘l’ and ‘o’ in your organization name with digits like ‘1’ and ‘0’). This will help prevent hackers from scamming others by using a domain name similar to yours. You can also check for fake business domains by monitoring the certificate transparency log.
If you’re a domain manager and email server, implement email verification. SPF and DMARC are measures designed to detect phishing emails by specifying which mail servers are allowed to send emails on behalf of an organization’s domain. This will help control the risk of impersonation and ensure business email security.
Business email recovery after BEC attack?
What to do when encountering phishing emails? If you are the victim of a business email hack, follow these steps as soon as possible:
- If you have sent money or bank details to a scammer, contact your bank immediately.
- If any of your email accounts are compromised, change the passwords for other email accounts. Also, notify affected people and protect stakeholders by warning on the website about this scam.
Secure business email with SECU E Cloud
Business email breaches (BEC attacks) are very sophisticatedly done by cybercriminals. It is difficult for email recipients to distinguish which is the real email of the company if they are not vigilant. Even more dangerous is that they can break into the system and use the real email of the business to scam. Attacking BEC not only causes money loss for customers and partners but also adversely affects the reputation of the business. No one will want to cooperate and support a business with low security. So to secure business email, you need to equip a dedicated email system. SECU E Cloud was developed to ensure information security for businesses. The system is designed to increase user vigilance. Any email is evaluated for reliability before reaching the recipient.
SECU E Cloud is a convenient and professional email security solution. In terms of security, the system has 3 layers of protection SpamGUARD, ReceiveGUARD and SendGUARD developed based on AI and Machine Learning technology.
- **SpamGUARD** : keep your inbox clean by filtering spam emails, spam emails. Not only do filtering based on international lists such as Spamhaus, SpamCop, but SpamGUARD also calculates incoming mail scores according to criteria including DKIM, SPF, IP,… In addition, blocking by URL is an outstanding feature. advantage of SpamGUARD when today’s emails often include malicious URLs or hide these URLs under images.-
ReceiveGUARD: This is the most solid protection of SECU E Cloud thanks to the application of AI and ML. Different from other mail applications, VNETWORK’s solution uses Virtual Zone to secure business email. SECU E Cloud’s Virtual Zone helps filter malware and detect fake domains and malicious links. Besides, the company also easily receives and sends mail with blacklist and whitelist settings. Blacklist supports blocking unwanted IP addresses and whitelist allows exchange with some email addresses that are not properly configured. The system also sends a daily report to the administrator and the list of blocked email addresses is updated continuously. Make the assessment of attacks go more smoothly and smoothly.
-
SendGUARD : The characteristic of BEC attacks is to use corporate email to perform phishing. Therefore, protecting outgoing email is equally important in business email security. With the administrator account, the system allows locking the sending function when the computer is invaded by a virus, preventing risks that may harm partners and the reputation of the business. The content approval function helps users control outgoing emails based on subject, content, or attachment name.