Business email compromise (BEC), an international fraud scheme, is seemingly forever on the rise and no company is safe from attack. It’s therefore essential that your organization has good methods and practices in place to prevent a breach. But how do you do it, especially with large employee pools and multiple locations around the world? In this article, we’ll examine BEC prevention strategies that work for all types and sizes of organizations.
What Is Business Email Compromise?
BEC is essentially a deception in which a rogue actor or entity works to convince an employee that the sender is a member of the organization (usually a CEO or supervisor). They may send an email or use another form of communication to make a request, often a wire transfer. Sometimes they’ll ask for company documents like W-2 forms; other times they’ll pose as a third-party vendor requesting a payment. Through schemes like these, thieves have stolen upwards of $5 billion from businesses all over the world.
The recipient of the communication, believing it to be legitimate, complies. The results can be devastating: monetary losses, data breaches, reputation damage and more. These ruses are often so clever they bypass normal spam filters: the sender’s listed domain can look legitimate, and the message may contain no trigger words, no malware attachments and no telltale grammatical errors. Often, they target specific employees within organizations and use details that make their schemes more convincing. That’s why the human error factor is even higher with BEC.
Implementing BEC Prevention Strategies at Your Organization
Here are a few practical tips to help you prevent BEC attacks:
- Develop a BEC policy. Written documentation of best practices and procedures to follow with email, social media, passwords and more should be created. It should be widely distributed, not only via email but with visual signage as well. If possible, an all-company meeting should be called to address the issue. Two of the most basic tenets should be an easily understood chain of command and mandatory verification of suspicious requests via telephone communication.
- Do an assessment of IT security. Some companies may find it desirable to hire an outside service or consultant, but the goal is the same: find vulnerabilities, particularly in email communication. Studies have shown that two-thirds of BEC scams start with a spoofed email (i.e., changing @yourcompany.com to @your-company.com). Make sure your email software has advanced filters and flags such as DMARC domain spoofing protection. Secure all network access points and limit permissions as necessary.
- Add an educational requirement for all staff. A good security awareness program will cover the basics of phishing and BEC, as well as have a series of assessments and tests to make sure the information is understood. The whole program should be automated and monitored remotely with results available to the administrator.
- Conduct real-world drills. This should include not only overt “fire drill” types of exercises, where you simulate a breach and make sure everyone follows the correct procedures, but covert drills as well. These can be delivered by a phishing simulation program, which sends emails to unsuspecting users that are typical of a BEC scam, for example a wire transfer request. If the user doesn’t follow policy and clicks on a link without a second form of verification, the admin will be notified.
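One way to implement the lookalike-domain check the assessment tip describes, as an added example that is not from the article or from InfoSec Institute's products: a mail gateway or SIEM rule can compare each inbound From/Reply-To domain against the organization's own. ORG_DOMAIN and the sample headers are assumptions.

```python
"""Flag inbound senders whose domain merely resembles the company's own.

Added example (not from the original article): a small check a mail gateway or
SIEM rule could run on From/Reply-To headers to catch the lookalike-domain
spoofing the article describes. ORG_DOMAIN and the sample headers are assumed.
"""
import re
import unicodedata

ORG_DOMAIN = "yourcompany.com"  # assumed: the organization's real sending domain

# Substitutions often used to imitate a letter; mapped back to what they imitate.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def normalize(domain: str) -> str:
    """Fold case, drop accents and non-ASCII homoglyphs, undo common confusables, strip hyphens."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d.replace("-", "")

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances indicate typo-squats like .co for .com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header: str) -> str:
    """Extract the domain from a From/Reply-To header such as 'CEO <ceo@x.com>'."""
    m = re.search(r"@([^>\s]+)", header)
    return m.group(1).lower() if m else ""

def classify_sender(from_hdr: str, reply_to_hdr: str = "", org: str = ORG_DOMAIN) -> str:
    """Return 'internal', 'reply-to-mismatch', 'lookalike' or 'external'."""
    sender = domain_of(from_hdr)
    if sender == org:
        # Real domain but replies routed elsewhere: a common BEC pattern.
        if reply_to_hdr and domain_of(reply_to_hdr) != org:
            return "reply-to-mismatch"
        return "internal"
    n_sender, n_org = normalize(sender), normalize(org)
    # Exact match after normalization (your-company.com, yourcornpany.com),
    # the real domain embedded in a longer one, or a one/two-character typo-squat.
    # A threshold of 2 suits domains of this length; lower it for very short domains.
    if n_sender == n_org or n_org in n_sender or levenshtein(n_sender, n_org) <= 2:
        return "lookalike"
    return "external"
```

Messages classified as lookalike or reply-to-mismatch are the ones to route into the telephone-verification step the policy tip calls for, rather than silently dropping them.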
Using Security Awareness Training to Combat BEC
To help with your implementation, InfoSec Institute created SecurityIQ, a security awareness training program designed to educate and reinforce training on BEC and phishing-related scams. It features two key components: AwareEd™ and PhishSim™. AwareEd is the education component of the platform. It has a series of assessments and courses that cover all aspects of security, including BEC attacks, phishing, malware, mobile device security and more.
AwareEd also lets you create and distribute mandatory security policies through the platform, which employees can be required to sign off on before starting any courses. This ensures they both know about and agree to company requirements.
Using PhishSim, you can send phishing simulation emails, including those that mimic BEC scams. You can use any of the 800+ templates in the program, or create your own.
Once you’ve selected the emails, you can create a training campaign. PhishSim will automatically send the emails over the specified campaign period. If any user attempts to comply with a request, such as sending a W-2, you will be automatically notified.
Additionally, PhishSim recently introduced PhishNotify Defender™, an email plugin that adds a further layer of defense. Any users that fail simulations can have their email permissions dynamically modified so that they cannot click on any further links; PhishNotify also works as a tool for other employees to flag any incoming suspicious emails for quarantine.
You can try SecurityIQ for free. Start integrating BEC prevention strategies with SecurityIQ today!