According to Earthweb.com, 333.2 BILLION emails were sent per day in 2022. It is no surprise, then, that Business Email Compromise (BEC) or Email Account Compromise (EAC) attacks are extremely pervasive – considering all the potential targets. The FBI says that Business Email Compromise is one of the most financially damaging online crimes. Between June 2016 and June 2019, companies reported $26.2 BILLION in losses because of such cybercrime.
BEC attacks rely on impersonation, social engineering, and an ability to display credible knowledge of the target’s personal or business practices and financial activities.
Impersonation – This requires a great deal of intelligence gathering. Perpetrators investigate the intended victim to gather background information and discover points of entry. Attackers can glean much of this information from a company website or a Google search of an individual. The perpetrators may pretend to be police, an official government agency, a corporate VIP, or an individual’s banking institution or service provider.
Social engineering – Attackers also need information to guess passwords and answer security questions in order to gain access to email, websites, and sometimes bank accounts. Unfortunately, despite warnings and education, email users continue to unwittingly reveal such information via social media profiles and posts, text messages, and app messages. Attackers also rely on human error and play upon the target’s emotions and fears.
Examples of impersonation techniques include domain spoofing and lookalike domains. In these scenarios, attackers slightly modify the address linked to email and website accounts to gain access to systems or request actions by the target.
Social engineering often goes together with phishing. The attacker investigates the target using relatively low-effort methods: Google, the corporate website, and social media. Then, the attacker often plays on the target’s emotions and fears (e.g., losing access to an account, losing a service like electricity, or even losing a job).
BEC attacks are difficult to detect. Typically, the attacker poses as someone the target should trust – colleague, boss, or vendor – then requests that the target make a wire transfer, divert payroll, or change banking details for future payments.
Since BEC frauds are so targeted and use social engineering, manually investigating and remediating these attacks can be difficult and time-consuming. So, what can you and your employees do?
Be aware of the warning signs:
- Heightened emotions – an attacker may threaten the loss of an account or access to services, or impersonate an executive requesting that funds be sent to a vendor or another account (people fear losing their job for not following instructions).
- Spoofed sender email address – attackers modify email addresses slightly so that the recipient does not notice the inaccuracy. Proper email security protocols can stop many of these attacks.
- Lookalike website links – attackers use domain spoofing and lookalike domains to redirect the target to malicious websites that capture credentials or install malware.
- Too good to be true – if it sounds too good to be true, it probably is. Nothing is free (not even a cell phone), and the likelihood of someone giving you millions of dollars for nothing is minuscule.
- Refusal to respond to questions – if you are suspicious of a request, reply to the request asking the sender to identify themselves. Chances are they won’t.
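As an added illustration of the spoofed-sender and lookalike-domain warning signs above (example code written for this article, not Ramsey Consulting's own tooling), the following Python screens sender addresses against a list of trusted domains, collapsing digit-for-letter swaps, accented characters and punycode so that a domain such as examp1e-corp.com stands out from the real one. The trusted domain, the sample senders and the similarity threshold are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Domains the organisation actually sends from (constructed for this example).
TRUSTED_DOMAINS = {"example-corp.com"}

# ASCII characters attackers swap in because they look alike on screen. The map is
# applied to both the suspect and the trusted domain, so it only has to be consistent.
HOMOGLYPHS = {"0": "o", "1": "l", "I": "l", "|": "l", "5": "s", "3": "e",
              "rn": "m", "vv": "w"}

# Similarity above which an untrusted domain is flagged (one character added,
# dropped or swapped). Assumed value; tune it for your own domain lengths.
LOOKALIKE_THRESHOLD = 0.85


def normalize_domain(domain: str) -> str:
    """Reduce a domain to a canonical form so visual tricks collapse away."""
    if "xn--" in domain.lower():            # punycode-encoded international label
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    domain = unicodedata.normalize("NFKD", domain)        # "exámple" -> "a" + accent
    domain = domain.encode("ascii", "ignore").decode("ascii")  # drop the accent
    for fake, real in HOMOGLYPHS.items():   # before lowercasing, so "I" -> "l" works
        domain = domain.replace(fake, real)
    return domain.lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].strip()
    if domain.lower() in trusted:
        return "trusted"
    norm = normalize_domain(domain)
    for good in trusted:
        good_norm = normalize_domain(good)
        if norm == good_norm:               # differs only by homoglyphs or accents
            return "lookalike"
        if SequenceMatcher(None, norm, good_norm).ratio() >= LOOKALIKE_THRESHOLD:
            return "lookalike"              # near miss such as .co for .com
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, not real addresses.
    for sender in ["ceo@example-corp.com", "ceo@examp1e-corp.com", "ap@exampIe-corp.com",
                   "cfo@exámple-corp.com", "vendor@example-corp.co", "news@unrelated.org"]:
        print(f"{sender:28} {classify_sender(sender)}")
```

A mail gateway rule or a SIEM query can apply the same normalisation to the From and Reply-To headers and route anything classified as lookalike for review.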
There are several best practices that can help defend against BEC attacks:
- Never click on links or download files in an email that you are suspicious of.
- Research a sender or request before responding.
- Be aware of data being released – whether social media or email, employees should be wary of disclosing sensitive information that could be useful to an attacker.
- Know what Personally Identifiable Information (PII) is and keep it confidential. (This includes date of birth, social security numbers, bank information, etc.)
- Institute policies to educate employees – keep employees aware of new threats with regular education or training and teach them how to report ongoing potential attacks.
- Keep your anti-malware and email protection solutions up to date.
- Always be suspicious of requests for data.
Ramsey Consulting Services specializes in mitigating cybersecurity risks to your company’s most precious assets. Contact us today to help your organization defend against BEC and other cybersecurity threats.
In the next installment, we will discuss a very timely attack that could happen to your company and employees this time of year – Payroll Diversion. Stay tuned!