
Safeguarding Your Business Against Invoice Fraud and Other BEC Attacks

By Jeff Robinson, President and CEO, Tier 3 Technology Solutions

A recent study backed by Apple (https://apple.co/3RKbAAz) found that there were more data breaches in the first nine months of 2023 than in any previous full year. As cyberattacks continue to skyrocket against organizations of all sizes (small businesses in particular), it is vital that we take these threats seriously and do our part to mitigate them.

One such threat is Business Email Compromise (BEC), a social engineering attack we see often at Tier 3 Technology. BEC attacks are designed to defraud a business by manipulating email communications. There is more than one attack type under the BEC umbrella, each with its own unique fingerprint. It is crucial to understand and implement strategies against the most common types of BEC attacks in order to protect your business from these sophisticated threats.

In this article, we will briefly cover each of the five major BEC attack types and how to protect against them. As you will see, many of these attack types are built on shared principles. But do not let their similarities (or simplicity) fool you: each of these attack vectors is subtly unique and presents its own challenges. Unfortunately, that is why BEC is so effective.

The reason we are talking about BEC today is the same reason threat actors love it: it works, and it is going to continue to work. It might sound corny, but if one or two people read this and decide to reevaluate their readiness for these attacks, that is a step in the right direction for the good guys.

We will begin with Invoice Fraud, a nasty and increasingly common form of BEC typically directed at an individual authorized to process payments and transfer funds. In an Invoice Fraud attack, an attacker can take over or spoof the email account of a contact or vendor and send a fake invoice with false bank account routing information.

There is more than one way for a threat actor to approach Invoice Fraud, including employing other attack vectors on this list, but the end goal is the same: bad actors want you to send large sums of money to fraudulent accounts. Unlike the “Nigerian Prince” scheme, in which a scammer tries to convince you of a once-in-a-lifetime opportunity, the hallmark of Invoice Fraud is that it looks and feels routine. Ordinary. Real. And that is why it works so well.

To make matters worse, unless these payments are caught and reported immediately to your financial institution, they cannot be stopped. In most Invoice Fraud cases, once the funds are sent, they cannot be recovered.

To help mitigate the threat of Invoice Fraud, start with team member education and awareness training. Train your team members to recognize common signs of Invoice Fraud like unfamiliar email addresses, urgent or unusual payment requests, or anything that feels “off.” Foster a “see something, say something” environment.

In many of the cases we see year in and year out, the signs were there, but habit took over. Awareness training was not prioritized, and team members did not feel empowered to hit the “pause” button and raise concerns over a small irregularity or an interaction that did not feel quite right. A simple phone call to the vendor, placed to the number already on file rather than one taken from the suspicious email, can prevent a massive loss, and all team members should feel comfortable acting on their instincts and raising concerns.

A more concrete step you can implement is establishing a two-step verification process for invoice approvals and payments. This can involve requiring multiple individuals to confirm the authenticity of an invoice before any payment is made, and treating any change to a vendor’s bank account or routing details as a new request that must be confirmed out of band. Additionally, always verify the legitimacy of new suppliers and/or vendors before conducting any business with them. Use reliable sources to cross-check their contact information.

Avoid sharing sensitive information through unsecured communication channels. And finally, be sure to regularly update and monitor systems with the latest security patches, especially your financial systems and software.
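The checks described above (unfamiliar sender addresses, changed bank details, urgency language, and a hold for a second approver) can be made mechanical before a payment is released. The following is an added example written for this article, not a Tier 3 Technology tool; the vendor register, the lookalike-domain normalization rules, and both sample emails are constructed for illustration.

```python
"""Pre-payment review of an invoice email against the vendor record on file.

Illustrative code added to this article (not the author's or Tier 3's own).
The vendor register and the sample emails are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed vendor register: the sending domain and bank details that were
# verified out of band when the vendor was onboarded.
VENDOR_REGISTER: Dict[str, Dict[str, str]] = {
    "Acme Supplies": {
        "domain": "acmesupplies.example",
        "account": "12345678",
        "routing": "021000021",
    },
}

# Common character substitutions used in lookalike domains (constructed list).
LOOKALIKE_RULES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

URGENCY = re.compile(r"\b(urgent|urgently|immediately|today|asap)\b", re.IGNORECASE)
ACCOUNT = re.compile(r"account\D{0,20}(\d{6,12})", re.IGNORECASE)
ROUTING = re.compile(r"routing\D{0,20}(\d{9})", re.IGNORECASE)


@dataclass
class InvoiceEmail:
    vendor_name: str            # vendor the invoice claims to come from
    from_header: str            # raw From: header value
    reply_to: Optional[str]     # raw Reply-To: header value, if any
    body: str


def sender_domain(header_value: str) -> str:
    """Extract the domain part of a 'Name <user@domain>' or bare address."""
    match = re.search(r"<([^>]+)>", header_value)
    address = match.group(1) if match else header_value.strip()
    return address.rsplit("@", 1)[-1].lower()


def normalize_domain(domain: str) -> str:
    """Collapse lookalike substitutions so 'acrne' compares equal to 'acme'."""
    d = domain.lower()
    for bad, good in LOOKALIKE_RULES:
        d = d.replace(bad, good)
    return d


def review_invoice(email: InvoiceEmail) -> List[str]:
    """Return the list of reasons this invoice should not be paid on autopilot."""
    findings: List[str] = []
    vendor = VENDOR_REGISTER.get(email.vendor_name)
    if vendor is None:
        return ["unknown vendor: confirm it exists through an independent source before paying"]

    domain = sender_domain(email.from_header)
    if domain != vendor["domain"]:
        if normalize_domain(domain) == normalize_domain(vendor["domain"]):
            findings.append(f"lookalike sender domain {domain!r} (on file: {vendor['domain']!r})")
        else:
            findings.append(f"sender domain {domain!r} does not match vendor domain on file")
    if email.reply_to and sender_domain(email.reply_to) != domain:
        findings.append("Reply-To points at a different domain than the sender")

    acct = ACCOUNT.search(email.body)
    if acct and acct.group(1) != vendor["account"]:
        findings.append("bank account differs from vendor record: confirm by phone on the number on file")
    rout = ROUTING.search(email.body)
    if rout and rout.group(1) != vendor["routing"]:
        findings.append("routing number differs from vendor record: confirm by phone on the number on file")

    if URGENCY.search(email.body):
        findings.append("urgency language: pressure to skip verification is itself a warning sign")
    return findings


def payment_decision(email: InvoiceEmail) -> str:
    """Two-step rule: anything flagged is held for a second, independent approver."""
    return "hold for second approver" if review_invoice(email) else "route for normal approval"


# Constructed sample emails: one routine invoice, one fraudulent change request.
LEGIT = InvoiceEmail(
    "Acme Supplies", "Acme Billing <billing@acmesupplies.example>", None,
    "Invoice #4471 attached. Account 12345678, routing 021000021. Net 30.",
)
FRAUD = InvoiceEmail(
    "Acme Supplies", "Acme Billing <billing@acrnesupplies.example>",
    "Acme Billing <billing@acrnesupplies.example>",
    "Please note our bank details changed. Account 99887766, routing 021000021. Pay today, urgent.",
)

if __name__ == "__main__":
    for sample in (LEGIT, FRAUD):
        print(payment_decision(sample), review_invoice(sample))
```

The decision is deliberately binary: the script never approves anything by itself, it only decides whether a human second approver must look before money moves, which is the two-step control the article recommends.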

After Invoice Fraud, the other four major types of BEC attacks are CEO Fraud, Account Compromise, Vendor Email Compromise, and Attorney Impersonation.

CEO Fraud is a common form of BEC attack that involves impersonating a CEO or other executive. To impersonate an executive convincingly, attackers will often research the executive’s communication style, relationships, and ongoing projects. Cybercriminals then use that borrowed authority to order unsuspecting team members to transfer funds to fraudulent accounts, under the guise of a legitimate directive from a senior executive.

As with Invoice Fraud and other forms of BEC, defending against CEO Fraud (sometimes called executive impersonation) requires team member awareness training. Implementing email authentication protocols such as DMARC, which together with SPF and DKIM lets receiving mail servers reject messages that forge your domain, is important, too.
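A DMARC deployment only protects against executive impersonation of your own domain if the published policy actually tells receivers to act. The following added example (written for this article, not the author's or Tier 3's own code) parses a DMARC TXT record and reports the settings that leave spoofed mail deliverable; the sample records are constructed.

```python
"""Grade a published DMARC TXT record for impersonation resistance.

Illustrative code added to this article. The sample records are constructed.
Tag semantics follow RFC 7489: sp defaults to p, pct defaults to 100.
"""
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def assess_dmarc(record: str) -> Dict[str, object]:
    """Return the effective policy and a list of weaknesses an attacker could exploit."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp inherits p when absent
    pct = int(tags.get("pct", "100"))                   # pct defaults to 100
    issues: List[str] = []

    if policy == "none":
        issues.append("p=none only monitors: receivers still deliver forged mail from your domain")
    elif policy == "quarantine":
        issues.append("p=quarantine lands forged mail in spam rather than rejecting it")
    if subdomain_policy == "none" and policy != "none":
        issues.append("sp=none leaves every subdomain open to impersonation")
    if pct < 100:
        issues.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so spoofing attempts go unnoticed")

    return {"policy": policy, "subdomain_policy": subdomain_policy, "pct": pct, "issues": issues}


# Constructed sample records (not real domains' published policies).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=reject; sp=none; pct=50"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, PARTIAL, ENFORCED):
        print(rec, "->", assess_dmarc(rec))
```

To check a real domain, fetch the TXT record at `_dmarc.<your-domain>` with your resolver of choice and pass the string to `assess_dmarc`; a record that reports no issues is one that tells receivers to reject forgeries and sends you the aggregate reports showing who tried.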

In Vendor Email Compromise, cybercriminals target suppliers or partners associated with an organization. By compromising a vendor’s email account, attackers can manipulate communications and exploit relationships to gain unauthorized access or extract sensitive information. To mitigate Vendor Email Compromise, businesses should encourage the use of secure communication channels, conduct regular security audits of vendors’ systems, and establish clear protocols for verifying and authorizing transactions.

An Account Compromise attack is an invasive type of attack that can be used to facilitate other BEC methods. In this type of attack, cybercriminals gain direct access to a team member’s email account. Once inside, they can monitor communications, gather sensitive information, and initiate fraudulent actions. Defending against Account Compromise requires strong password policies, multifactor authentication, robust security monitoring systems, and regular security training for team members to promote awareness about the importance of safeguarding login credentials.

Attorney Impersonation attacks involve cybercriminals posing as legal professionals to deceive team members into disclosing confidential information or making unauthorized financial transactions. Protecting against Attorney Impersonation involves enforcing the use of secure channels for legal communication and implementing strict verification procedures for legal requests, including requiring multiple individuals to verify the authenticity of a request.

Protecting your business or organization against BEC attacks requires a proactive and comprehensive approach. By combining technology solutions like email authentication protocols and multifactor authentication with ongoing team member training and awareness programs, businesses can significantly reduce the risk of falling victim to these sophisticated attacks. Regular security audits, clear communication protocols, and collaboration with legal and HR teams further strengthen defenses against BEC attacks. In an ever-evolving threat landscape, staying vigilant and implementing proactive security measures is paramount when it comes to safeguarding your business and its assets.

Additionally, consider consulting with your financial institution and cybersecurity experts like Tier 3 Technology (find us at www.GoTier3.com) to stay better informed on emerging threats and up-to-date prevention methods and tools. By combining these measures, you can significantly reduce the risk of falling victim to Invoice Fraud and other BEC attacks.
