What is Business Email Compromise and how to prevent it
What is Business Email Compromise?
Business email compromise (BEC) is a scam that uses targeted email to trick you into transferring money into a fraudulent account.
Social engineering techniques such as phishing, spear phishing and pretexting are often deployed during a BEC attack. Each of these relies on human error by preying on your instincts and emotions.
How does it work?
Cyber criminals research companies and their employees ahead of a scam to help them select the right people to target.
There are a few common types of business email compromise scam, and all of them rely on impersonation:
- Impersonating the CEO
The hacker crafts an email to an employee working in finance, impersonating the CEO. The email contains an urgent request to make a wire transfer.
Unbeknown to the employee, the recipient account belongs to the hacker, so the funds are directed straight into a fraudulent account.
- Impersonating a supplier
In this scenario, a third party supplier is impersonated and an invoice requiring urgent payment is attached to the email.
Fraudulent account details have been provided in the email by the scammer and the funds are paid straight in.
Businesses that have foreign suppliers and do regular wire transfers are often targeted using this method.
- Account compromise
This is where the scammer hacks the email account of someone in the finance team and takes control of it.
This allows them to go through their contacts and create fake supplier invoice requests with fraudulent account details.
- Theft of data
Employees that work in HR or finance are usually targeted in this scenario.
The email may impersonate an official government office or law firm and request sensitive employee information, including tax details, which may then be used to engineer future attacks.
Each of these scenarios is easy to rationalise, because:
- The email sender is known to you personally or in an official capacity
- The email address mimics the real one
- You’ve carried out similar requests before
With no obvious reason to distrust the sender or the request, a BEC scam is extremely difficult to spot.
What businesses are targeted?
Business email compromise can affect companies big and small, but professional services and financial services firms are particularly vulnerable. This is perhaps due to the sensitive data they hold and how routinely they transfer funds.
Companies that have foreign suppliers are also targeted because they are used to making regular wire transfers to them.
How to protect your business
Email is relied on heavily as a communication tool, and business email compromise is a sophisticated weapon that can leave you completely blindsided.
There are some things you can proactively do to reduce your risk of a BEC attack:
- Adopt two-factor authentication (2FA) for logins: This adds a second layer of security rather than relying solely on a login and password to gain access to your computer. This could include a code that’s texted to your phone, an ID card, or even your fingerprint or facial recognition.
- Train your employees about BEC and what to look out for: For example, wire transfer requests received by email should be verified through a separate channel first, a time delay could be introduced before payment, and large transfers could be double checked by a second person.
- Be suspicious of unknown email addresses and hidden links: Question before opening them, and if in doubt, don’t. You can hover over a link that’s embedded in anchor text and search for the site independently to check it out.
- Use an email authentication tool such as DMARC: This helps to stop fake emails from reaching your inbox. Incoming messages have to pass an authentication process, and if inconsistencies are detected in the address or content, they are blocked.
- Take your time: A scammer often makes a request appear urgent to cause panic and error in judgement.
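As an added example, not part of the original article: a small Python checker that parses a domain's published DMARC record (the `v=DMARC1; p=...` TXT record) and reports whether spoofed mail would actually be blocked, showing a monitor-only record beside an enforcing one. The sample records are constructed for illustration; a real check would fetch the TXT record from `_dmarc.<your-domain>` in DNS.

```python
# Constructed sample DMARC TXT records, as published at _dmarc.<domain>.
# These are illustrative values, not records looked up for any real domain.
SAMPLE_RECORDS = {
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "strong.example":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "missing.example": "",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> str:
    """Classify how much protection a DMARC record gives against spoofed mail.

    Returns one of: 'missing', 'invalid', 'monitor-only', 'partial', 'enforced'.
    """
    if not record.strip():
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        return "monitor-only"   # failures are reported but the mail is still delivered
    if policy in ("quarantine", "reject") and pct < 100:
        return "partial"        # policy is applied to only a sample of failing messages
    if policy in ("quarantine", "reject"):
        return "enforced"
    return "invalid"


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:18} {assess_dmarc(rec)}")
```

A `p=none` record only asks receivers to report spoofing and still delivers the mail, so publishing DMARC without moving to `p=quarantine` or `p=reject` gives the protection described above in name only. DMARC also only checks the sender domain's alignment with SPF and DKIM; it does not inspect the message content.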
Unfortunately, your employees are the weakest link in BEC, as human error is largely to blame.
However, with the right training and a culture that encourages them to speak out, question, and voice their concerns, they also have the power to prevent an attack.
Have you been PWND?
The term PWND translates as ‘owned’ but it’s used in a variety of different contexts which affects the meaning. For example in online gaming, being PWND means being defeated or beaten by another player.
In the cyber industry, it relates to being the victim of an email account breach. People ask ‘Have I been PWND?’ if they suspect their email may be compromised.
The website haveibeenpwned.com was set up to let you check, for free, whether your email account has been compromised.
The site also allows you to look up breached websites and email domains, and set up notifications that alert you if your email account suffers a breach.
Does cyber insurance cover business email compromise?
It isn’t always obvious whether business email compromise is covered on a cyber policy, and it’s often not covered as standard.
Some insurers group it under social engineering, while others may categorise it differently, so it’s vital to check the small print or seek clarification. You may find the basic level of cover doesn’t include BEC, so you’ll have to pay extra for premium level cover.
If BEC is covered and you have to make a claim, your losses will be compensated up to the maximum amount stated on your individual schedule. You’ll be required to assist with any investigations carried out to recover your losses, at your insurer’s expense.
It’s important to check that the maximum cover amount is proportionate to the wire transfers you routinely make, or you could suffer a shortfall even if your claim is successful.
Business email compromise FAQs
What is multi-factor authentication?
This is similar to two-factor authentication and includes a minimum of three security checks. These usually include:
- Something you know, e.g. a PIN or password
- Something you have, e.g. a smartphone or security card
- Something unique to you, e.g. a fingerprint, voice recognition or face recognition
The more layers of security you have, the harder it is for hackers to successfully target you.
What does PWND mean?
The term PWND means ‘owned’ and came about from a keyboard mishap. The keys P and O are next to each other on the keyboard and the E has been dropped, hence the typo.
In cyber terms, the expression ‘Have I been PWND?’ means ‘Has my email account been breached?’
The term is also used in a range of other contexts and has different meanings including being defeated or beaten.
How do I know if my email has been compromised?
Here are some signs your email may be compromised:
- There are emails in your sent folder that you don’t recall sending
- Your login details aren’t recognised
- You’re asked to reset your password unexpectedly
- Some of your contacts get in touch having received a strange email from you
If you are concerned, don’t wait for the signs to appear. Change your password, and check haveibeenpwned.com, where you can look up your email address for free and see if it has been breached.
Business email compromise isn’t listed on my cyber insurance policy – am I covered?
It depends. It may be included within a wider term, for example social engineering, as the two are closely linked.
If you have checked the policy wording document and are still unsure, check with the insurer. If it isn’t included as standard, they may offer the option to pay a little extra and add it on.
Is there training available on business email compromise?
The Government-designed Cyber Essentials training is aimed at employees, to help them recognise a number of scams including social engineering and BEC.