Don’t be a victim of Business Email Compromise

Systemagic’s Senior Technician Scott is our resident expert on all things e-safety – he holds an EPICT e-safety qualification, is NSPCC trained and used to run e-safety training for colleges. On Safer Internet Day 2018 he gives his top tips for defending against business email compromise (BEC) threats:

BEC threats are on the rise. At Systemagic we have seen an increase over the last 18 months in targeted emails to our clients. A recent survey found that in the first quarter of 2017 nearly 85% of organisations had received at least one BEC message, and the FBI estimates that victims have paid out over $5.3 billion since 2013 and that it is a continually growing threat.

Unlike most cyber-attacks, BEC threats don’t exploit system vulnerabilities; they are sophisticated scams targeted at individuals within an organisation. Criminals use a variety of techniques, often penetrating a company’s network through malware and then monitoring vendors, billing and email communications. They also adopt social engineering techniques such as studying social media, company websites and other legitimate sources to gain information on a company, its suppliers and employees. They then use spoofed email accounts and websites to fool victims into believing requests are authentic. Often the addresses differ only slightly from the genuine ones, for example by an extra letter in the domain name, so at a quick glance they seem legitimate, and they often bypass any filters you may have in place.

Commonly the attacker targets a company’s finance team and impersonates a contractor, supplier, lawyer, creditor or, more commonly, a member of senior management, requesting a transfer of funds to a given account. Other types of attack include emailing customers to request a repayment, or data theft where corporate, financial or personal information is obtained.

The following is an edited example received by a client.

To: name@yourdomainname

From: name@yourdomainname (almost identical, but it may differ slightly, such as containing an extra letter)

Hi

I’m busy today in and out of meetings can you arrange urgent payment for £xxx to a supplier.

Email me back and I will send over the details.

Name of Managing Director

In this scenario, the email looked like it came from the Managing Director and was sent to the accounts department, in the hope that they would respond. A reply confirms to the attacker that the message has reached its target, and the attacker would then likely follow up with false bank details for a known supplier.

Defending Against BEC threats

Despite BEC threats being reasonably low tech you should still ensure that all the normal precautions used to protect against other cyber threats are in place. These include:

  • Ensure software is patched, and replace antiquated software on a regular basis
  • Keep software and systems patched
  • Consider migrating some software to secure cloud-based systems
  • Enforce a secure password policy
  • Encrypt emails
  • Upgrade firewalls
  • Ensure system backups are implemented and maintained
  • Implement business continuity and disaster recovery processes
  • Set staff network usage policies

But as with most cyber threats, the human element is often the weakest link, so you also need to consider measures aimed at people:

  • Educate and train your employees to develop good security habits.
  • Scrutinise all emails. Make sure addresses are legitimate, and question any request for a transfer of funds or potentially sensitive information.
  • Verify payment or information requests from senior management directly.
  • Verify requests from suppliers or customers by phone and always use known numbers and not the details supplied on any email communication.

If you require any assistance with protecting your business against cyber-attacks then please get in touch!
