What is Business Email Compromise (BEC)?

Business email compromise (BEC) is a form of phishing attack that specifically targets someone within the business who is authorised to transfer funds. Using spoofed emails, the cyber criminals aim to fool the target into making a payment, clicking a ‘dodgy’ link, or opening a dangerous attachment.

They are not generic phishing emails. These emails are often made personal and appealing to the specific individual targeted and so are more difficult to detect. BEC attacks are extremely lucrative and relatively simple for cyber criminals to carry out.

What methods are used in a BEC attack?

A BEC attack may come in the form of an email supposedly from your boss asking for a payment to be made urgently in order to secure a business deal.

It may be that a company account is hacked into and a payment request is sent from a genuine email address, which is why the email looks totally legitimate.

Another method used is when the cyber criminals hack into and monitor a company inbox watching for a genuine business transaction. When they see this, they step in with the fake email redirecting payment to themselves.
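The warning signs the three methods above leave in a message (an executive’s name on an outside or lookalike address, replies diverted elsewhere, urgent payment wording) can be checked automatically before a request reaches the person who pays. The following is an added example, not code from the original post or from the author’s business; the domain, executive list and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: the company's own domain and the executives
# whose names are most likely to be impersonated in a BEC email.
INTERNAL_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane smith": "jane.smith@example-corp.test"}
URGENT_PAYMENT = re.compile(r"\b(urgent|asap|wire|transfer|payment|invoice|bank details)\b", re.I)

def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one plain-text email (headers + body)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    # 1. The display name is a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name spoof: '{from_name}' sent from {from_addr}")

    # 2. The domain is a lookalike of ours (here: same letters once hyphens are removed).
    if from_domain != INTERNAL_DOMAIN and from_domain.replace("-", "") == INTERNAL_DOMAIN.replace("-", ""):
        findings.append(f"lookalike domain: {from_domain}")

    # 3. Reply-To points somewhere other than the sender, so replies are diverted.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"reply-to mismatch: replies go to {reply_addr}")

    # 4. Two or more urgent-payment words in the body.
    body = msg.get_payload(decode=True)
    text = body.decode(errors="replace") if isinstance(body, bytes) else str(msg.get_payload())
    if len(URGENT_PAYMENT.findall(text)) >= 2:
        findings.append("urgent payment request wording")
    return findings

# Constructed sample: a 'boss' email of the kind described above.
SAMPLE = """From: Jane Smith <jane.smith@examplecorp.test>
Reply-To: ceo.office@mail-relay.test
To: finance@example-corp.test
Subject: Urgent payment
Content-Type: text/plain

Please make this wire transfer today, it is urgent to secure the deal.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE):
        print(finding)
```

A hit on any of the first three checks is worth a phone call to the supposed sender on a number you already hold, not the one in the email.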

How to protect your business from BEC

A simple change could stop you being subject to attack… Switch on Multi-Factor Authentication (MFA). 80% of businesses that fall victim don’t use multi-factor authentication. MFA is an extra layer of security that stops unauthorised access to your account. Even if the criminals have your username and password, they still won’t be able to access your account without the MFA code, which is typically generated by an authentication app or sent as a message to your device. And if you receive an MFA code when you are not signing into your account, you know someone else is trying to… Change your password immediately.

Most people are aware of what Multi-Factor Authentication is nowadays. Sadly, it’s not used to the extent it should be. Some see it as something slowing you down, a nuisance even, rather than an extra layer of security. There is a sense of fatigue across businesses due to the constant bombardment of security messaging. However, a breach of your accounts and loss of money could slow your business down a whole lot more.

Switching on MFA across an organisation, however, requires planning so as not to cause disruption and downtime. Don’t let this put you off. We’ve switched on MFA for many businesses like yours and we’re happy to help with yours. Spend just a few minutes giving us a call or sending a message and we will do the rest. You’ll kick yourself if anything were to happen.

Remember though, MFA is not bulletproof, as the cyber criminals are constantly looking for ways around it. Two simple methods that criminals use, and that we have observed, are telephoning the target victim and asking for the MFA code, or sending an urgent email requesting it! Vigilance is needed at a human level in spotting and being aware of these potential attacks. Never share passwords or authentication codes. In the near future, phishing-resistant multi-factor authentication will be widely available, but it’s not here yet. With training and awareness, we can certainly make it harder for the cyber criminals.

You can read more in our guide: All Businesses Should Adopt MFA. Now!

November 02, 2022 — Paul Stanyer