In our last blog, we discussed the best ways to protect your organisation from email threats. We also mentioned the risk posed by phishing emails. In this blog, we will expand on this further by explaining the problem of business email compromise (BEC) and the best ways to manage such a threat.
What is business email compromise (BEC)?
BEC is a type of phishing attack. A cyber criminal pretends to be senior personnel and tries to persuade an employee or other business associate to send funds or sensitive data to the phisher. The operation is much like ‘social engineering fraud’.
BEC does not just impact large organisations – businesses of all sizes and in all sectors can be victims of this type of phishing attack. It is one of the most rapidly growing, cheapest and highest-return cyber threats. Criminals are continuously improving their tactics to exploit their victims, making BEC a substantial concern for organisations across the board. It only takes one successful impersonation for a company to lose millions and ruin its reputation.
How can we combat BEC?
A cyber criminal must first be able to phish an executive to gain access to, or imitate, their email account. Using a multi-factor authentication approach to confirm a user’s claimed identity makes it harder for a cyber criminal to gain access to an email account and inbox, and therefore more difficult to carry out a BEC attack.
Clear communications and awareness
One of the main issues with BEC is that a criminal is impersonating an executive. Therefore, if an employee needs permission from an executive to make a transaction and they think they are in genuine communication with that executive, major problems can occur. A clear and robust communications policy must be implemented for all those involved in the organisation to avoid this happening, particularly those in the finance department who are more involved with financial transactions.
A step-by-step approach that can become second nature through training is often useful and helps to build awareness. However, avoid a policy that will intimidate employees – it would be counterproductive if staff members are too afraid to raise a concern.
It’s all very well having initial training and implementing a policy, but are the procedures outlined actually being followed? Refresher training sessions can help staff and management to discuss BEC threats that have occurred within the organisation and how they were dealt with. They also allow staff to ask any questions they may have about the procedures and provide an opportunity to reassure them on how best to follow them. Refresher sessions help maintain awareness of the issue of BEC and keep staff on guard. A rewards policy could also be implemented to benefit staff, which in turn can encourage secure practices in a positive way.
Do you need help with keeping your business safe from cyber threats? Call us on 01792 439087 for more information on how to protect your business.