Here is your tip of the day in honor of National Cybersecurity Awareness Month. Tip #7: Guard against business email compromise.
Cybercriminals are getting faster and more sophisticated in their attempts to steal your company’s money or data.
They use highly targeted emails to convince employees who have access to company funds to make payments or divulge sensitive information. These schemes are known as business email compromise (BEC).
These differ from the “standard” phishing attack in that the fraudster is typically targeting one person rather than blanketing an organization with a generic email.
Steps you can take
The single most effective way to prevent BEC is to verify instructions for payment information changes, wires and requests for very sensitive information by a means other than email. Picking up the phone and verifying instructions with the requestor can all but eliminate the risk of BEC.
You can also educate your team on the common types of BEC attacks to prevent them before they happen:
Vendor payment change: The accounts payable department receives an email or letter from a vendor providing new ACH payment instructions. Your company doesn’t find out it has been duped until your vendor starts making collection calls and informs you that they were not the one who sent the payment change request.
Wire transfer: The CEO is out of town. The CFO receives an email that appears to be from the CEO, requesting they send a wire transfer to a new vendor. The message provides the payment instructions and emphasizes that the payment must be made immediately. Because the CEO is out of town, they cannot take a call. The payment is made, and the fraud isn’t discovered until the CEO reviews the banking statement and asks about the large transfer.
W-2 data request: The payroll department receives an email from an executive asking for the W-2 report for all employees. The report goes out to the fraudster impersonating the executive. The scam isn’t discovered until weeks or months later, when employees find out that fraudulent tax returns have been filed on their behalf.
BEC also happens when a cybercriminal gains unauthorized access to an email account to steal information or launch a fraudulent request for funds. The top ways to prevent that are to protect your passwords with multifactor authentication, use strong passwords, update passwords and avoid using the same password for multiple accounts.