Do you know how to protect yourself against business email compromise? Cybersecurity technology alone won’t protect you – it comes down to what you know.
Business Email Compromise is a social engineering technique used by cybercriminals in which they pose as a business or member of a company to execute fraudulent payments.
In layman’s terms, a cybercriminal will write an email pretending to be from your credit union and request that a payment be processed – instead of going to a legitimate recipient, the payment goes to the criminal.
A popular form of Business Email Compromise is CEO Fraud, in which a cybercriminal impersonates a high-level executive (often the CEO). Once the recipient of the email (an employee, customer or vendor) is convinced the sender is legitimate, the criminal attempts to get them to transfer funds or hand over confidential information.
Business Email Compromise can be carried out in several ways:
Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” for sensitive information by posing as reputable sources, often with legitimate-looking logos attached.
Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
Online Research: LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel, as do their company websites. This can include their contact information, connections, friends, ongoing business deals and more.
How Can You Protect Your Business From Business Email Compromise?
1. Defend Your Organization
Email filtering
Two-factor authentication
Automated password and user ID policy enforcement
Comprehensive access and password management
Whitelist or blacklist external traffic
Patch/update all IT and security systems
Manage access and permission levels for all employees
Review existing technical controls and take action to plug any gaps
2. Have Your Personnel Contribute To Cybersecurity
No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger, so start here:
Train users on the basics of cyber and email security.
Train users on how to identify and deal with phishing attacks with New-School Security Awareness Training.
Implement a reporting system for suspected phishing emails.
Continue security training regularly to keep it top of mind.
Run simulated phishing against your users frequently to keep awareness high.
3. Keep An Eye Out For Warning Signs
Security Awareness Training should include teaching people to look for red flags. Here are the most common things to watch out for:
Awkward wording and misspellings
Spoofed email addresses and URLs that are very close to actual corporate addresses, but are only slightly different
Sudden urgency or time-sensitive issues
Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information,” which the FBI reports are frequently used in these scams.
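The red flags above can be checked mechanically before a message reaches a user. The following is an added example (not code from the original article) that scans one inbound email for a lookalike sender domain, an executive display name on a foreign address, a mismatched Reply-To, and the FBI-cited urgency phrases; the corporate domain, the executive roster and the sample message are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and executive roster (example values, not from the article).
CORPORATE_DOMAIN = "example-cu.org"
EXECUTIVES = {"dana@example-cu.org": "Dana Lee"}
# Phrases the article (citing the FBI) lists as common in BEC requests.
URGENCY_PHRASES = ("code to admin expenses", "urgent wire transfer",
                   "urgent invoice payment", "new account information")

def lookalike_domain(domain, corporate=CORPORATE_DOMAIN, threshold=0.8):
    """True when the sender domain is close to, but not equal to, the corporate domain."""
    if domain == corporate:
        return False
    return SequenceMatcher(None, domain, corporate).ratio() >= threshold

def bec_red_flags(raw_message):
    """Return the list of red flags found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    if lookalike_domain(from_domain):
        flags.append(f"lookalike sender domain: {from_domain}")
    # An executive's display name paired with an address that is not theirs.
    for exec_addr, exec_name in EXECUTIVES.items():
        if display_name.lower() == exec_name.lower() and from_addr.lower() != exec_addr:
            flags.append(f"executive display name on foreign address: {from_addr}")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        flags.append(f"Reply-To points to a different domain: {reply_to}")

    payload = msg.get_payload(decode=True)  # None for multipart messages
    text = payload.decode(errors="replace").lower() if payload else ""
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            flags.append(f"urgency phrase: '{phrase}'")
    return flags

# Constructed sample message, not a real capture.
SAMPLE = """From: Dana Lee <dana@example-cu.co>
Reply-To: dana.lee@mail-relay.example
Subject: Invoice
Content-Type: text/plain

Please process this urgent wire transfer today using the new account information attached.
"""
```

Running `bec_red_flags(SAMPLE)` returns five flags for the sample: the lookalike domain, the executive name on a foreign address, the mismatched Reply-To and two urgency phrases.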
4. Test Against Phishing
Run an initial phishing simulation campaign to establish a baseline percentage of users who are phish-prone.
Continue simulated phishing attacks at least once a month (twice is better).
Once users understand that they will be tested regularly and that there are repercussions for repeated failures, behavior changes; they develop a less trusting attitude and get much better at spotting a scam email.
Randomize the email content and the send times across employees. When they all get the same message at the same time, one employee spots it and leans out of the cubicle to warn the others.
In the end, the key to this type of cybercrime is that it doesn’t rely on software vulnerabilities or cutting-edge hacking technology; phishing targets the user, who, without the right training, will always be a security risk regardless of the IT measures in place.