What is Business Email Compromise?

This article was provided by Lisa Gibbs, Director at Philip Gibbs Insurance Brokers and leader of the Business Digital Resilience programme.

Business email compromise (BEC) is a form of phishing that occurs when a cyber-criminal impersonates a legitimate source to trick employees into transferring money, sharing sensitive information or engaging in other compromising activities. Typically, the cyber-criminals behind BEC attacks will send legitimate-looking emails requesting payments for business purposes. In such instances, cyber-criminals may pretend to be senior-level employees, suppliers, vendors, business partners or other organisations.

Unlike more traditional phishing attacks that target large groups of individuals, BEC attacks are crafted to appeal to specific individuals—making them harder to detect and potentially more damaging. BEC is a threat that all businesses, regardless of size or industry, should take seriously.

Common BEC Attacks

False invoice schemes – Cyber-criminals pretend to be business suppliers and request fund transfers to complete invoices.

CEO fraud – Criminals pose as high-level executives to request money transfers.

Account compromise – Cyber-criminals hack into executive or employee accounts to request invoice payments directly from vendors.

Solicitor impersonation – Hackers impersonate corporate solicitors or law firms to request immediate fund transfers.

Data theft – Criminals pose as HR professionals or employees in other functional roles to obtain personally identifiable information or tax statements from other employees or executives.


Signs of a BEC Attack

Differentiating between legitimate business requests and BEC attacks can be difficult. Here are some signs that an email is a BEC attack:

  • Generic terms or lack of personalisation
  • Variations to email addresses or company websites
  • Unfamiliar names or images
  • A sense of urgency or threatening language
  • Requests to send personal or financial information
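Several of these signs can be checked mechanically before a message reaches a finance mailbox. The script below is an added example, not part of the article or its author's material; the trusted supplier domains, the executive-to-domain list, the keyword lists, the edit-distance threshold of 2 and the sample message are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed trust lists for this example (not from the article): supplier and
# company domains, plus executives mapped to the domain they really send from.
KNOWN_DOMAINS = {"acme-supplies.example", "ourcompany.example"}
KNOWN_PEOPLE = {"jane doe": "ourcompany.example"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|bank details|account number|transfer|gift cards?)\b", re.I)

def edit_distance(a, b):  # Levenshtein: single-character edits that turn a into b
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):  # trusted domain this one nearly matches (but is not), else None
    for known in KNOWN_DOMAINS:
        if domain != known and edit_distance(domain, known) <= 2:
            return known
    return None

def domain_of(header):
    return parseaddr(header)[1].rpartition("@")[2].lower()

def assess_email(from_header, reply_to, subject, body):
    """Return the BEC warning signs found in one message; [] means none fired."""
    name = parseaddr(from_header)[0].strip().lower()
    sender = domain_of(from_header)
    findings = []
    if imitated := lookalike_of(sender):
        findings.append(f"sender domain {sender} resembles trusted {imitated}")
    expected = KNOWN_PEOPLE.get(name)
    if expected and sender != expected:  # a known executive's name on an unexpected mailbox
        findings.append(f"'{name}' normally sends from {expected}, not {sender}")
    if reply_to and domain_of(reply_to) != sender:  # replies quietly redirected elsewhere
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain")
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        findings.append("urgency or pressure language")
    if PAYMENT.search(text):
        findings.append("request for payment or financial details")
    return findings

# Constructed sample: a false-invoice message sent from a transposed-letter domain.
SAMPLE = assess_email("Acme Supplies Accounts <accounts@acme-suppiles.example>", None,
                      "Updated bank details", "Urgent: please transfer this month's payment.")
```

A hit on any finding is a prompt for the out-of-band verification described under "Implement effective payment protocols", not proof of fraud: legitimate invoices also mention transfers, so the keyword checks only add weight to the sender-based ones.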


Protecting Against BEC Attacks

BEC attacks can result in severe financial and reputational harm. Consider implementing the following cyber-security practices to help limit the likelihood of such attacks within your organisation.

Educate employees. Teach your employees to be wary of emails making requests, never to click suspicious links and to report any suspected BEC attacks to IT.

Implement effective payment protocols. Ensure employees in charge of financial operations analyse invoices for validity and discuss them in person whenever possible.

Restrict access to sensitive data. Only provide access to sensitive data to trusted and experienced employees who require this information to conduct their work tasks.

Utilise security features. Ensure all organisational devices possess adequate security features, such as antivirus software, malware prevention programs, email spam filters, data encryption capabilities and a firewall.

Have a plan. Ensure your organisation has an effective cyber-incident response plan that specifically addresses response protocols and mitigation measures for BEC attacks.


For more cyber-security and insurance guidance, contact us today.

This infographic is not intended to be exhaustive nor should any discussion or opinions be construed as insurance or legal advice.
© 2022 Zywave, Inc. All rights reserved.