How to Protect Yourself from Business Email Compromise (BEC)

Since the outbreak of the COVID-19 pandemic in early 2020, many companies have introduced home-office arrangements to protect employees from infection while keeping their operations uninterrupted. The traditional office work model has been completely overturned by the epidemic. While companies are busy adjusting work procedures to adapt to the new normal, cybercriminals are taking the opportunity to profit through Business Email Compromise (BEC) and email account compromise (EAC).

Business Email Compromise (BEC) is a scam in which a cybercriminal pretends to be an executive or employee and tries to get a colleague, customer or vendor to transfer funds or sensitive information to the attacker. Often, the attacker creates an account with an email address almost identical to one on the corporate network, relying on the trust the victim assumes in what looks like a familiar account.

In email account compromise (EAC), attackers use techniques such as password spraying, phishing and malware to compromise your email account and gain access to legitimate mailboxes. Once attackers have legitimate access to the target's email account, they can read its emails and contacts to profile the target. They maintain continued access to the compromised account by creating email forwarding rules or changing account permissions, so that they can closely monitor the target and conduct email fraud.

According to the "2019 Cybercrime Report" released at the beginning of 2020 by the Cybercrime Complaint Center (IC3) of the US Federal Bureau of Investigation (FBI), a total of 23,775 complaints about business email fraud or email account compromise were received during 2019. These incidents caused more than 1.7 billion U.S. dollars in losses, accounting for about half of the total cybercrime losses in 2019.

How to Protect Yourself and Your Company

  • Pay attention to the sender’s email address. Examine the email address, URL, and spelling carefully. Cybercriminals may use a look-alike domain name to send out phishing emails.
  • Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Confirm directly with the colleague by phone to avoid financial loss and personal data disclosure.
  • Never open an email attachment or click on unknown links from someone you don’t know. Hover the mouse over the email address or weblink to check the domain URL.
  • Use strong passwords and implement two-factor authentication on all accounts whenever possible to minimize the risk of hacking. Multi-factor authentication via a smartphone app is more secure than SMS token messages.
  • Never rush into making payments, even if the requestor is pressing you to act quickly. Verify payment and purchase requests in person if possible, or by calling the person, to make sure they are legitimate. Always question and validate new payments or changes to existing payment arrangements.