How To Protect Against Business Email Compromise

Cyber-crime that results in bank transfer fraud, data theft and phishing attacks can be devastating for a business, causing reputational damage and significant costs: not just the lost funds, but the time and resources needed to repair the damage. Such attacks are known as business email compromise, and they are becoming worryingly common across the globe.

What is business email compromise?

Business email compromise (BEC) involves an attacker obtaining access to a business email account and then imitating the owner’s identity so as to defraud the company and its employees, associates or customers. Attackers usually create an account with an email address almost identical to one on the corporate network.

Types of business email compromise include bank transfer fraud, spear phishing, malware and data theft.

Bank transfer fraud happens when employees of a company are deceived by fraudsters into transferring money to a bank account which is controlled by scammers. The fraudsters prey on trusted relationships between the individuals who authorise the transfers and those who make them, so that alarm bells are not set off when a bogus request for a transfer is made. Spoof email accounts and websites are often used, with slight, almost undetectable variations on legitimate addresses being used, for example david.baily@company.co.uk versus david.bailey@company.co.uk.
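The lookalike addresses described above (david.baily versus david.bailey) are exactly what a mail gateway or finance team can screen for before a transfer is approved. The following Python is an added example, not code from the original post: it compares each incoming sender address against a constructed list of known contacts, folds common visual substitutions ("rn" for "m", "1" for "l", "0" for "o") before measuring edit distance, and flags near-misses as lookalikes. The contact list, sample senders and the distance threshold are all assumptions made for the example.

```python
# Constructed list of verified senders (assumption: the organisation keeps
# such a list, e.g. the addresses on file for payment approvers and suppliers).
KNOWN_CONTACTS = {
    "david.bailey@company.co.uk",
    "finance@company.co.uk",
    "ap@trusted-supplier.example",
}

# Constructed sample "From:" addresses, as they might be pulled from a mail
# gateway log, for the triage run at the bottom of this block.
SAMPLE_SENDERS = [
    "david.bailey@company.co.uk",    # legitimate
    "david.baily@company.co.uk",     # one letter dropped (the post's example)
    "David.Bailey@Company.co.uk",    # same address, different case
    "david.bailey@cornpany.co.uk",   # "rn" imitating "m"
    "ap@trusted-supp1ier.example",   # digit 1 imitating letter l
    "alice@othercorp.example",       # unrelated address
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalise(addr: str) -> str:
    """Lower-case the address and collapse characters that are visually
    confusable with each other, so "cornpany" compares equal to "company"."""
    addr = addr.strip().lower().replace("rn", "m")
    return addr.translate(str.maketrans("01", "ol"))


def classify(sender: str, known=KNOWN_CONTACTS, max_distance: int = 2) -> str:
    """Return 'known' (exact match), 'lookalike' (within max_distance edits of a
    known contact after normalisation) or 'unknown' (no resemblance)."""
    addr = sender.strip().lower()
    if addr in known:
        return "known"
    addr_n = normalise(addr)
    for contact in known:
        if levenshtein(addr_n, normalise(contact)) <= max_distance:
            return "lookalike"
    return "unknown"


def triage(senders):
    """Pair each sender with its verdict; 'lookalike' is the one that should
    block a transfer until the request is confirmed out of band."""
    return [(s, classify(s)) for s in senders]


if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS):
        print(f"{verdict:9s} {sender}")
```

A lookalike verdict is a reason to pause the payment and confirm the request by telephone, as the prevention list later in the post advises. The threshold of two edits is deliberately loose; at that setting short local parts on a legitimate domain (ap@ versus hr@) would also be flagged, so a production filter would tune `max_distance` or compare the local part and the domain separately.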

Spear phishing involves bogus emails that appear to come from a trusted sender and prompt victims to disclose confidential information to the BEC fraudsters.

Malware is used to infiltrate a network and gain access to internal data and systems, usually with the aim of viewing the company’s financial information. That information is then used to avoid raising suspicion among financial officers when a false wire transfer is submitted. Malware also gives criminals access to the victim’s sensitive data.

Data theft involves the targeting of human resources and bookkeeping employees in order to obtain personal or sensitive information regarding employees or executives which is then used in future attacks.

How can business email compromise be prevented?

There are a number of methods companies can employ in order to prevent all forms of business email compromise:

  1. Ensure all email requests from a known party for information disclosure or transfers of funds are confirmed either in person or by telephone.
  2. Educate staff to be on their guard when receiving wire-only transfer requests, especially those presented as urgent.
  3. Monitor company bank accounts daily for unexpected activity and notify the financial institution in question and the police immediately in the case of anything untoward being uncovered.
  4. Always scrutinise all information included on a wire transfer.
  5. Put company policies and procedures in place regarding wire transfers, banking activity and data disclosure so that there is a company-wide understanding of the issue of business email compromise.
  6. Ensure your IT infrastructure and data security systems are sound, adequate for the size of your organisation, and under regular review.
  7. Introduce multi-factor authentication (MFA) for all transaction requests.

What is multi-factor authentication?

Insurers and underwriters strongly advise the use of MFA, which verifies that a person is who they say they are by requiring at least two pieces of unique data to prove their identity, rather than a single password alone. Some say that not using MFA is the same as closing the door of your home but not locking it.

The unique data takes three forms:

  1. Something you know (e.g. a password)
  2. Something you have (e.g. a one-time passcode generated by an app or sent by text message)
  3. Something you are (e.g. a fingerprint, voice signature, retinal pattern or facial recognition)

Should a password be compromised as a result of a phishing attack, it is unlikely that the perpetrator will also have the other piece or pieces of authentication data, which reduces the chances of your email account or digital identity being compromised.

Multi-factor authentication can be managed in a variety of ways. Consult your IT advisers for advice on the most suitable methods to suit your organisation.

Remember: Cyber-attacks are not covered on commercial combined or Office Package insurance policies

Cyber-attacks and data breaches are at an all-time high. Ensure your business has adequate cover against all the latest threats. For a recap on how cyber risk insurance works and precisely what it covers, revisit our dedicated post. For tailored advice on the protection your business needs, talk to us today.