Business Email Compromise Scam

As discussed in many of our previous blog posts, one of the biggest problems that organizations face today is insider threats. No matter how much you may like them, your employees are a source of risk to your business' security. They may do their very best to keep all of your sensitive data secure, but when you leave things up to humans, mistakes will be made. Whether these mistakes come from gross negligence or from a very small error, the result is the same: your organization is exposed to outside threats. One of the most common instances of insider threat comes from an employee's email account. Hundreds of emails are sent out each day by your employees, and many contain sensitive information. Usually a business will have some form of protection for that data, but what happens when it is emailed outside of the organization? And what happens if the employee's email account is hacked? Anyone who gained access to the account could likely obtain all of the data it contains. In this article, we explore the business email compromise (BEC) scam.

In the United States alone, companies lost $1.3 billion last year to the BEC scam. This method has recently skyrocketed in popularity among hackers; it is the first hacking method to cause over a billion dollars' worth of damages to companies. The method consists of two steps. First, the hacker must take control of a legitimate company email account. They can do this through any means available, but usually the culprit is phishing or credential stuffing. After gaining access to one employee's email, they use spear phishing techniques to compromise more accounts within the organization until they get what they want. This technique is often very hard to detect because it is conducted from legitimate accounts and hackers cover their tracks well. It is not until after the end goal is reached and something big is breached that the company notices something is off. Because of its ease of use and profitability, this attack will not slow down in popularity any time soon.

Your organization can take steps to protect itself against the BEC scam starting immediately. First, train your employees to recognize phishing attempts. Even if you've already done this, train them again. The benefits of an educated workforce greatly outweigh the cost of less than a day of training. If employees can preemptively filter out attempts to steal your company's data, you are already halfway there. The next step is to protect your data as an additional line of defense, in case your employees can't stop a phishing attack. If your data is properly secured, then even if an employee's account is compromised you won't have to panic. There are many solutions out there to secure your data, but not all are created equal. You need a solution that protects data at all times. If an employee's email is compromised, the hacker can gain access to all of the attachments. However, with SecureCircle, those attachments are unreadable to anyone without our protection installed on their device. Data is encrypted from the moment it is created and remains encrypted even if the contents are transferred to a new file.