Business email compromise, or BEC, is one of the most effective cyber crimes, and it can be very difficult to detect.
Scammers may use a number of tactics, including phishing emails, social engineering or hacking, to trick employees into downloading malware or revealing company or financial information.
Many BEC attempts target accounts payable employees, or decision-makers who have authority to access financial details and approve transactions.
But make no mistake: Every employee must remain vigilant and aware of evolving BEC threats.
In some cases, criminals will first compromise a third-party email account, such as a vendor’s, or the email of an employee who doesn’t handle financial information.
Then they can execute BEC crimes by using the third-party email address to target other employees’ accounts or access company networks.
Also bear in mind that any company, of any size, can be a target.
[Visual: Best practices for every employee]
That’s why every company needs to create and share email best practices with every employee.
These practices are particularly important when it comes to any email that includes account changes, payment instructions or sensitive company information.
Here are six best practices to follow:
[Visual: 1. Always stay alert]
First, always stay alert. Criminals count on human error and lack of oversight to help them pull off many scams.
Even if the sender’s address, request and tone seem normal, don’t assume the email is legitimate.
Take time to verify the sender’s identity through another channel.
[Visual: 2. Establish protocols]
Number two, establish protocols. If you work with vendors, establish protocols with them that govern how you'll accept and validate changes in payment instructions, for example a call-back to a phone number already on file, never to a number supplied in the email itself.
Look carefully at vendor contracts, and make sure these protocols are written into them, along with the steps you will take when a request doesn't follow them.
[Visual: 3. Validate email requests]
Number three, validate email requests. Don't act on an email that tells you to change payment details or processes, and don't reply to it asking for confirmation: a reply goes straight back to whoever controls that mailbox.
Instead, follow your established protocols for validating this type of request through a separate channel.
[Visual: 4. Create secure processes]
Number four, create secure processes. Employees should be able to slow down payment approvals without undue pressure.
Implement dual approval payment processes, and set up alerts for payments above certain thresholds.
[Visual: 5. Use available tools, such as DMARC]
Number five, use available tools.
Domain-based Message Authentication, Reporting and Conformance, or DMARC, is an email authentication protocol. It builds on SPF and DKIM, lets you tell receiving mail servers what to do with messages that claim to come from your domain but fail those checks, and sends you reports on who is sending mail under your domain name.
This can help prevent BEC by criminals who try to spoof your company's exact domain to trick others. Bear in mind that DMARC only protects once your policy is set to quarantine or reject; a monitoring-only policy reports spoofing but doesn't stop it, and no DMARC policy can stop a lookalike domain the criminal registers themselves, which is why the verification habits above still matter.
DMARC also works inbound: configure your mail gateway to enforce the sender's DMARC policy, so that messages spoofing a vendor's or partner's domain don't reach your employees.
In addition to DMARC, a standard called Brand Indicators for Message Identification, or BIMI, can help your email recipients trust that communications from your company are legitimate.
BIMI does this by publishing a link to your trademarked brand logo, which participating mailbox providers display beside messages that pass DMARC; those providers typically require an enforcing DMARC policy and a Verified Mark Certificate for the logo.
This gives your customers and partners a visual cue that the email was properly authenticated.
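As an added illustration that is not part of the video, the Python below models how a receiving mail server applies a sender's DMARC record to one message: it checks whether an aligned SPF or DKIM identifier passed, and if neither did, applies the p= policy (or sp= for a subdomain). The records, messages and domains (company.example, attacker.example) are constructed for the example, and the organizational-domain logic is simplified to the last two labels where real receivers use the Public Suffix List.

```python
"""DMARC evaluation for one received message (constructed example).

Models what a receiving mail server does with the sender domain's DMARC
record: check for an aligned SPF or DKIM pass, otherwise apply p= (or sp=
for a subdomain). All records, messages and domains below are constructed.
"""


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption for this example: real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed needs the
    same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, record_domain, from_domain, spf, dkim):
    """Return (dmarc_result, disposition) for one message.

    record_domain: domain at which the record was found (_dmarc.<domain>)
    from_domain:   domain of the RFC 5322 From: header (what the user sees)
    spf:           (domain SPF was checked against, result)
    dkim:          list of (d= domain, result), one per verified signature
    """
    policy = parse_dmarc(record)
    spf_pass = spf[1] == "pass" and aligned(spf[0], from_domain, policy["aspf"])
    dkim_pass = any(res == "pass" and aligned(d, from_domain, policy["adkim"])
                    for d, res in dkim)
    if spf_pass or dkim_pass:
        return ("pass", "none")
    # Neither aligned identifier passed: apply the sender's requested policy.
    exact = from_domain.lower() == record_domain.lower()
    return ("fail", policy["p"] if exact else policy["sp"])


# Constructed records: monitoring-only versus enforcing.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-agg@company.example"
ENFORCING = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
             "rua=mailto:dmarc-agg@company.example")

# Constructed messages: (from_domain, spf, dkim).
SPOOF = ("company.example", ("attacker.example", "pass"), [])
LEGIT = ("company.example", ("mail.company.example", "pass"),
         [("company.example", "pass")])
FORWARDED = ("company.example", ("forwarder.example", "fail"),
             [("company.example", "pass")])   # SPF breaks on forwarding, DKIM survives
SUBDOMAIN_SPOOF = ("payments.company.example", ("attacker.example", "pass"), [])


def run_all():
    """Evaluate every constructed message under both records."""
    results = {}
    messages = (("spoof", SPOOF), ("legit", LEGIT),
                ("forwarded", FORWARDED), ("subdomain_spoof", SUBDOMAIN_SPOOF))
    for rec_name, record in (("monitor", MONITOR_ONLY), ("enforce", ENFORCING)):
        for msg_name, (frm, spf, dkim) in messages:
            results[(rec_name, msg_name)] = evaluate_dmarc(
                record, "company.example", frm, spf, dkim)
    return results


if __name__ == "__main__":
    for (rec_name, msg_name), (result, disposition) in run_all().items():
        print(f"{rec_name:8s} {msg_name:16s} dmarc={result:4s} disposition={disposition}")
```

Under the monitoring-only record the spoofed messages are marked as failing but still delivered with disposition "none"; only the enforcing record turns the exact-domain spoof into a reject and the subdomain spoof into a quarantine, while legitimate and forwarded mail still pass on an aligned DKIM signature. The same evaluation is what your own gateway performs on inbound mail when it honors a vendor's DMARC record.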
[Visual: 6. Create a cyber-aware culture]
And finally, number six, create a cyber-aware culture at work.
Encourage all employees to practice cyber hygiene and use all opportunities to reinforce the idea that your company’s security is everyone’s responsibility.