What You Need to Know About BEC Scams

Am I at risk of BEC scams?

With so many business and personal emails sent each day, it is no surprise that our inboxes, especially our business inboxes, are being targeted by scammers. The rising threat of phishing makes it increasingly important that you protect your business from BEC scams.

BEC stands for Business Email Compromise. It is a form of phishing where the scammer has done their homework. Rather than sending lots of emails to lots of accounts (which is likely to get picked up by spam filters), the scammer sends an email to only one or a few recipients. Thanks to the research they undertook, the email content can look very convincing. These scams are generally aimed at finance staff: for example, the sender impersonates the CEO and asks for an urgent money transfer to be made.

These scams are successful because, with only a little research and time, the scammer can make a lot of money.

With more than 400 businesses targeted by BEC scams each day (Symantec’s 2017 Internet Security Threat Report), you are at risk. We can help. Get in touch to find out how.

How can you protect your business?

1. There are a few things that you can do to start protecting your business from these simple yet effective scams. The biggest thing you can do is educate your employees, especially those handling transfers of money. Warn them of the increased threat from BEC attacks and tell them to:

  • Carefully scrutinise any email requests for funds transfers.
  • Be wary of pressure to act urgently or secretly.
  • Verify any vendor location changes or anomalies in customer habits (e.g. amount of payment).

2. Protect your email and online system:

  • Only use your corporate email account to send emails.
  • Register any domain names that are similar to your own so that nobody else can use them to pass off emails that seem real.
  • Set up a detection system to flag emails that seem similar to your domain.
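One way to build the detection described in the last bullet is to inspect the sender headers of inbound mail and flag domains that merely look like your own. The script below is an added example, not CounterHack's code; the corporate domain `example-corp.com`, the homoglyph table and the sample messages are constructed assumptions. It checks From, Reply-To and Return-Path for homoglyph substitutions, punctuation and TLD variants, typos (edit distance of two or less) and domains that embed your name, and it also flags the classic BEC pattern of a Reply-To that differs from the From domain.

```python
"""Flag inbound mail whose sender domain looks like ours (lookalike detection).

Added example, not CounterHack's code. The corporate domain, the homoglyph
table and the sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

OUR_DOMAIN = "example-corp.com"  # assumed corporate domain

# Visual substitutions commonly seen in lookalike domains (assumed list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(domain: str) -> Tuple[str, str]:
    """Naively split 'name.tld' (no public-suffix list; fine for a demo)."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def _fold(s: str) -> str:
    """Replace look-alike character sequences with the letters they imitate."""
    for look, real in HOMOGLYPHS.items():
        s = s.replace(look, real)
    return s


def lookalike_reason(domain: str, ours: str = OUR_DOMAIN) -> Optional[str]:
    """Return why `domain` resembles `ours`, or None if it is ours or unrelated."""
    d = domain.lower().strip()
    if d == ours or d.endswith("." + ours):
        return None  # our own domain or a genuine subdomain of it
    our_name, our_tld = _split(ours)
    name, tld = _split(d)
    if name != our_name and _fold(name) == _fold(our_name):
        return "homoglyph substitution"
    if name.replace("-", "").replace(".", "") == our_name.replace("-", ""):
        return "different TLD" if tld != our_tld else "punctuation variant"
    if levenshtein(name, our_name) <= 2:
        return "typo variant (edit distance <= 2)"
    if our_name in name:
        return "contains our name"
    return None


def scan_message(raw: str) -> List[str]:
    """Inspect the sender headers of one raw message and return findings."""
    msg = message_from_string(raw)
    findings: List[str] = []
    domains: Dict[str, str] = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if not value:
            continue
        _, addr = parseaddr(value)
        domain = addr.rpartition("@")[2].lower()
        if not domain:
            continue
        domains[header] = domain
        reason = lookalike_reason(domain)
        if reason:
            findings.append(f"{header} domain {domain!r}: {reason}")
    # A Reply-To that redirects answers away from the From domain is a BEC tell.
    if "From" in domains and "Reply-To" in domains and domains["From"] != domains["Reply-To"]:
        findings.append(
            f"Reply-To domain {domains['Reply-To']!r} differs from From domain {domains['From']!r}"
        )
    return findings


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = {
    "ceo_lookalike": (
        "From: Jane Doe <jane.doe@exarnple-corp.com>\r\n"  # 'rn' imitates 'm'
        "To: finance@example-corp.com\r\n"
        "Subject: Urgent wire transfer\r\n\r\n"
        "Please process the attached invoice today, I am in a meeting.\r\n"
    ),
    "replyto_redirect": (
        "From: Jane Doe <jane.doe@example-corp.com>\r\n"
        "Reply-To: jane.doe.ceo@mail-example-corp.co\r\n"
        "To: finance@example-corp.com\r\n"
        "Subject: Confidential: new supplier bank details\r\n\r\n"
        "Reply to this address only.\r\n"
    ),
    "legitimate": (
        "From: Supplier <billing@acme-supplies.net>\r\n"
        "To: finance@example-corp.com\r\n"
        "Subject: Invoice 1042\r\n\r\n"
        "Attached as usual.\r\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, "->", scan_message(raw) or "no findings")
```

This only catches lookalike and redirecting domains; a message that forges your exact domain in the From header passes unflagged here and is the job of SPF, DKIM and DMARC. In production the check would feed a mail-gateway rule or a SIEM alert rather than a print statement, and the naive `name.tld` split should be replaced with a public-suffix-aware parser.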

3. Check the “digital fingerprint” of your company and any obvious personnel targets. Giving away too much information online is just making it easy for cyber criminals to construct persuasive and authoritative spear-phishing attacks. Where possible, advise “people of interest” within your business to lock down their social network profiles. From a company perspective, consider conducting a review of potentially sensitive information that is in the public domain.

4. Establish and observe internal processes to verify money transfers. For example, where possible, adopt the “four-eye principle”, under which no transfer goes out until a second person has independently checked and approved it.

We can help

CounterHack can provide a variety of services to ensure you are protected from such attacks. Our agents can create multi-layered attacks and help to identify any staff that may need further training in this area. We want to ensure you are fully protected. After all, being forewarned is forearmed.