Protect yourself from Business Email Compromise:
Protect yourself from a scam on the rise. BEC, or Business Email Compromise, is the cyber fraud of the internet age: a highly effective, cheaply orchestrated scam that is costing businesses billions. For those already versed in the basics of a BEC scam, we have some guidelines to help your business and employees avoid this fraud.
For those unacquainted with this rapidly growing fraud, we have previously written an introductory article.
The Email: Three red flags to watch out for.
Initial BEC emails typically come from prominent free webmail services, which are not commonly used for business correspondence. If an email is sent from Gmail, Yahoo or Hotmail rather than a business domain, this is an instant, obvious red flag. Familiarize yourself with the domain names, sender addresses and marketing elements that make up your partners', suppliers' and your own company's emails. These are often hard to replicate and give subtle tell-tale signs that there may be a scammer in your midst.
Typosquatting: an email domain similar to the authentic one, but not identical. This is a strategy also used in other cyber-attacks such as spear phishing, often with the scammers masquerading as banks. 60% of BEC frauds are initiated by spoofed domains, and they can be both exceptionally lucrative and deceptive.
Emails whose signatures lack URLs, phone numbers or attachments. Most companies have marketing elements that are hallmarks of all their correspondence. If some or all of these elements are missing, be extra diligent.
The Style: Unfamiliar phrasing, typos, and unusual time pressures.
Payment terms should remain in line with those of your current, regular suppliers, usually 30, 60 or 90 days. Suppliers and partners are frequently mimicked in BEC scams, so any sense of unusual or excessive pressure deserves a second look and possibly a phone call.
Be wary of turns of phrase that sound foreign or unusual for your sender to use. For instance, specific requests not to call, or a request to “make an exception for this one transaction”, should be noted as suspicious. Typos and grammatical errors are also tell-tale signs that someone is not who they claim to be, especially in corporate and business email.
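To make the three email red flags above and the pressure phrases in this section concrete, here is an added triage example (not from the original article): it checks one plain-text email for a free-webmail sender, a lookalike of a trusted domain, missing signature elements and pressure or evasion phrases. The trusted domains, phrase list and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: your own domain plus your vetted suppliers' domains.
TRUSTED_DOMAINS = {"ourcompany.example", "acme-supplier.example"}
# Free webmail providers the article names as a red flag for business mail.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
# Pressure and evasion phrases from the article (hypothetical list, extend per business).
PRESSURE_PHRASES = ("do not call", "don't call", "make an exception", "one transaction")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against a trusted domain suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_red_flags(raw_email: str) -> list:
    """Return the article's red flags present in one plain-text email."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    flags = []
    if domain in FREEMAIL_DOMAINS:
        flags.append("freemail_sender")
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= 2:
                flags.append(f"lookalike_of:{trusted}")
    # Signature hallmarks: partner mail normally carries a URL and a phone number.
    has_url = re.search(r"https?://|www\.", body) is not None
    has_phone = re.search(r"\+?\d[\d ().-]{6,}\d", body) is not None
    if not (has_url or has_phone):
        flags.append("no_signature_elements")
    if any(phrase in body for phrase in PRESSURE_PHRASES):
        flags.append("pressure_or_evasion_phrase")
    return flags

# Constructed sample: lookalike domain, no signature, pressure to skip the call-back.
SUSPICIOUS_EMAIL = """From: Accounts <accounts@acme-supp1ier.example>
Subject: Updated bank details

Please make an exception for this one transaction and do not call, our phones are down.
"""
```

Any non-empty result is a prompt for the call-back verification described later in this article, not a verdict on its own.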
The Timing: No such thing as coincidence
Do these emails coincide with executives' travel dates? If they do, it is possible your emails are being monitored, or that you are giving away sensitive information on social media and other platforms. Information like this can be used by scammers to mimic third parties more convincingly.
Who are the Targets?
Businesses and employees that use open-source email:
As a business, we'd recommend steering clear of open-source (free webmail) email accounts; business email domains are inexpensive to register and maintain. For security reasons, it is beneficial for every employee to have their own dedicated company email address for internal and external company communication. Personal accounts shouldn't be used for confidential or sensitive information, as they are easier to hack and sit outside the company's security perimeter.
Employees who handle money:
The key targets for BEC are accounting staff or employees who handle wire transfers, particularly with foreign suppliers and partners. Payment processes are vulnerable because of the increase in electronic payment processing. This can be counteracted with live two-step verification of all significant transactions.
BYOD Policy:
Bring-your-own-device workplaces may increase the efficiency of interactions, but they bring a security risk with them. If employees use their devices for personal use as well as for work, they could bring malware and viruses into your office. These infections can be used to monitor your emails and set up a BEC attack on your business. If you want to protect devices outside your network, you can deploy antivirus and blacklisting software to them with an RMM (remote monitoring and management) solution.
Further tips:
Employee education: we can't emphasize enough how important it is to educate your employees on current fraud techniques. This applies to most cybersecurity risks: employees are your first and most critical line of defense, and they are also the most susceptible to deception. Empower them to make better security choices. The best training is brief, frequent and actionable. Fraudsters are always evolving, and so should your defenses.
Review your protocol: implementing a simple two-step process involving a phone call to the supplier, partner or employee will help stop 99% of BEC frauds. Add extra controls if needed, and make sure authorized emergency procedures are understood company-wide.
Review and refine: test your employees with risk simulations. Test all your controls and protocols, and encourage employee recommendations on how to make your phishing reporting systems better.
Written by Sean Allan, Digital Marketing Manager, Aware Corporation
Digital Marketing Manager at Aware Group: Working his way through the world of technology and Thailand as best as he can. Happy to contribute to other tech publications.