What is BEC and why should you care?

Dubai, Guernsey, Jersey
2nd June 2023
Information Security

So let’s start with the basics. What is BEC?

Business Email Compromise (BEC) is a type of scam in which criminals use email fraud to target victims. The scammer pretends to be a high-level member of your company, usually a CEO or partner, or a trusted supplier, and requests urgent payments, a change of bank details, or sensitive information. The message may come from a spoofed or look-alike address, or, as the name suggests, from a genuine mailbox the attacker has already broken into.

And why should you care?

Well, these attacks have been rising sharply. Reported CEO fraud cases rose 29% in 2021 (see the figures below), and as many as 98% of employees fail to report an attempt, either because they don't recognise the scam or because they feel embarrassed or scared to admit a mistake.

An article published by The Guardian last year revealed that more than £1.3bn was stolen by scammers in 2021 through authorised push payment (APP) fraud, of which 40% was BEC scams.

The article reports: “There were 461 CEO fraud cases last year, a jump of 29%, with losses increasing 165% to £12.7m.”

How does BEC work?

BEC attacks are usually well-crafted and sophisticated, making it difficult to identify them. The attacker first researches the target organisation and its employees. They gain knowledge about the company’s operations, suppliers, customers, and business partners.

Much of this information is freely available online, on sites like LinkedIn, Facebook, and organisations’ websites. Once the attacker has enough information, they can craft a convincing email designed to appear to come from a high-level executive or a business partner.

Consider your own LinkedIn profile. A scammer could write to you posing as your CEO, congratulating you once more on your promotion, asking how the networking event went last week, or acknowledging your recent certification. They could even imitate your CEO's writing style by reading their LinkedIn posts.

This initial email could be enough to convince you it’s legitimately them, and once you’ve responded, the scammer could then move on to send a more urgent email, requesting you make a payment or transfer funds. The email will usually emphasise the request being for an urgent and confidential matter, like a new business opportunity, a vendor payment, or a foreign tax payment.

The urgency of the request could impact your judgment and make you feel stressed, so you send the money without questioning the legitimacy of the email.
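The warning signs in the scenario above (an executive's name on an outside address, a Reply-To that quietly redirects the conversation, a look-alike domain, and pressure language) can be checked mechanically before a message reaches the finance team. The script below is an added example written for this page, not code from Resolution IT or the original article. It assumes a company domain of example.com and an executive called Jane Doe, and the two messages it screens are constructed for illustration.

```python
"""Heuristic screening of an inbound message for BEC indicators."""
import email
from email import policy
from email.utils import parseaddr

# Company data the checks compare against (hypothetical, for illustration).
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
URGENCY_TERMS = ("urgent", "confidential", "wire", "transfer", "asap", "today")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True for a domain that is close to, but not exactly, one of ours."""
    if not domain or domain in COMPANY_DOMAINS:
        return False
    for ours in COMPANY_DOMAINS:
        if edit_distance(domain, ours) <= 2:
            return True
        if domain.split(".")[0] == ours.split(".")[0]:  # example.co vs example.com
            return True
    return False


def bec_indicators(raw: str) -> list[str]:
    """Return human-readable warning signs found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_dom = domain_of(addr)
    # 1. An executive's display name on an address that is not their mailbox.
    real = EXECUTIVES.get(name.lower())
    if real and addr != real:
        findings.append(f"display name '{name}' but sender is {addr}")
    # 2. Sender domain is a near-miss of our own.
    if is_lookalike(from_dom):
        findings.append(f"look-alike sender domain {from_dom}")
    # 3. Replies are steered to a different domain than the one shown in From.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} does not match From domain {from_dom}")
    # 4. Two or more urgency / payment pressure words in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_SCAM = """\
From: Jane Doe <jane.doe@gmail.com>
Reply-To: Jane Doe <ceo-jane@examp1e.com>
To: finance@example.com
Subject: Quick favour
Content-Type: text/plain; charset=utf-8

Congrats again on the promotion. I need an urgent and confidential wire
transfer to a new vendor today; I'm in meetings, so just reply here.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board pack
Content-Type: text/plain; charset=utf-8

Please send the board pack by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

None of these checks is proof of fraud on its own; a genuine executive really might write from a personal address while travelling. The point is that two or more of them together should route the message to a human check rather than straight to payment.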

So how can you avoid BEC in your business?

Educate Employees

We’ve put this one first for a reason. Cyber awareness training is one of the most effective ways to protect your organisation from attacks like this, because BEC targets people rather than software. Your employees are the first line of defence for your company, so it’s crucial they’re taught how to recognise and report suspicious online activity.

Training should be given to all employees at every level, and should cover email account security as well as spotting the scam itself, including:

  • Checking your sent folder regularly for messages you did not write, a common sign that the account itself has been compromised
  • Reviewing inbox rules and forwarding settings, which attackers add to hide their replies from the real account owner
  • Enabling multi-factor authentication on the email account, so that a stolen password alone is not enough
  • Using a strong, unique email password with at least 12 characters
  • Changing your email password immediately if you suspect it has been exposed (routine scheduled changes are no longer recommended by the NCSC)
  • Storing your email password in a secure manner, such as a password manager
  • Notifying the designated IT / security contact if you suspect a phishing email

Enable Email Authentication

Every organisation should publish the three standard email authentication records for its domains:

  • Sender Policy Framework (SPF): a DNS TXT record listing the servers allowed to send mail for your domain
  • DomainKeys Identified Mail (DKIM): a cryptographic signature added to outgoing mail, which receivers verify against a public key published in your DNS
  • Domain-based Message Authentication, Reporting and Conformance (DMARC): a DNS record telling receivers what to do with mail that fails SPF or DKIM (monitor, quarantine or reject) and where to send reports

These sound complicated, but together they let a receiving mail server check that a message claiming to come from your domain really was sent by you. They stop criminals from sending mail as your exact domain, and when your own mail gateway enforces inbound DMARC, they block the same trick against you from any other domain that has published a reject policy. Two caveats: they do nothing against look-alike domains (examp1e.com) or a free webmail address with your CEO's name on it, and they cannot flag a message sent from a genuinely compromised mailbox, which is why the training and payment controls on this page still matter.
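Publishing the records is only half the job; a DMARC policy of none, an SPF record ending in +all, or a pct below 100 leaves the protection switched off in practice. The checker below is an added example written for this page, not code from Resolution IT or the original article. It works offline on the TXT strings you get back from a DNS query (for example dig TXT _dmarc.yourdomain and dig TXT yourdomain), and the four sample records it audits are constructed for illustration.

```python
"""Offline posture check of the SPF and DMARC records a domain publishes."""


def parse_dmarc(txt: str) -> dict[str, str]:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt: str) -> list[str]:
    """Return the weaknesses a practitioner would flag in a DMARC record."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    issues = []
    pol = tags.get("p", "")
    if pol == "none":
        issues.append("p=none: receivers are asked to deliver failing mail (monitoring only)")
    elif pol not in ("quarantine", "reject"):
        issues.append(f"p={pol!r}: policy missing or invalid")
    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")
    pct = int(tags.get("pct", "100"))  # RFC 7489 default is 100
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return issues


# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def audit_spf(txt: str) -> list[str]:
    """Return the weaknesses in an SPF record (RFC 7208 syntax, evaluated offline)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    issues = []
    mechs = terms[1:]
    lookups = 0
    for term in mechs:
        name = term.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS or term.lower().startswith("redirect="):
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms: over the limit of 10, receivers return permerror")
    alls = [i for i, t in enumerate(mechs) if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
        return issues
    last = alls[-1]
    qualifier = mechs[last][0] if mechs[last][0] in "+-~?" else "+"  # bare 'all' means +all
    if qualifier == "+":
        issues.append("+all: any host on the internet passes SPF for this domain")
    elif qualifier == "?":
        issues.append("?all: unlisted senders are neither passed nor failed")
    if last != len(mechs) - 1:
        issues.append("terms after 'all' are never evaluated")
    return issues


# Constructed sample records (hypothetical domains, not real DNS data).
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"

if __name__ == "__main__":
    for label, record, audit in (
        ("weak DMARC", WEAK_DMARC, audit_dmarc),
        ("strong DMARC", STRONG_DMARC, audit_dmarc),
        ("weak SPF", WEAK_SPF, audit_spf),
        ("strong SPF", STRONG_SPF, audit_spf),
    ):
        print(label, audit(record) or ["ok"])
```

A policy of p=none is the right place to start while you gather reports and find every legitimate system that sends as your domain, but the protection described above only arrives once you move to quarantine or reject at pct=100.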

Deploy a Payment Verification Process

Payment verification processes, such as dual authorisation (a second person must approve any transfer above a set threshold) and call-back verification of new or changed bank details using a phone number already on file rather than one given in the email, add another layer of security to your payment method. This means that if an employee does fall for a BEC scam, the payment can still be stopped by the second person, and the extra stage gives the original sender another opportunity to consider whether the request is legitimate. Two-factor authentication on the banking portal itself also helps, but it protects the login, not the decision to pay.

Check Financial Transactions

Regularly checking financial transactions and bank statements is crucial for organisations. If the worst happens and money is sent to a fraudster, you will at least spot it quickly, while the banks involved may still be able to freeze or recall the funds. There have been many cases where businesses haven’t noticed the scam for months, by which time the money has long since been moved on and recovery is unlikely.

Create a Response Plan

As with any disaster recovery process, a response plan should be established for BEC incidents, covering who the incident is reported to, contacting your bank immediately to attempt to freeze or recall the transfer, resetting the credentials of any mailbox that may have been compromised, and notifying law enforcement.

Need help with email security solutions?

It only takes one small lapse of judgment, and a few minutes, for money to leave your account and become unrecoverable. Don’t leave your business emails unprotected. Reach out to our security team for further information and a complimentary cyber audit.
