Business Email Compromise (BEC) has been a leading attack vector for some time now. A BEC occurs when a fraudster gains access to your professional email account. The compromise can range from quietly reading your communications to locking you out and using your mailbox to send unauthorized emails in your name.
What’s the risk? Once they’re able to impersonate you or at least know who you engage with and how, fraudsters can send emails to your contacts to get a wire out, divulge financial information, disrupt operations, and escalate their access to do more harm. Now, how do you prevent a BEC, and how can you prevent such a compromise from getting worse? Here are some ideas:
- Always use strong passwords. Remember, current guidance (for example, NIST's digital identity guidelines) indicates that length matters more than forced complexity, so a long pass-phrase is a better deterrent than a short password with symbols. Avoid obvious or iterative passwords (e.g., a season plus a year, or incrementing a number at the end). Never reuse a password between professional and personal accounts; a breach of one site should not hand criminals the keys to your work email.
- Enable two-factor authentication for your email, if possible. This means changing your security settings to require a second factor (typically an authenticator app or a hardware security key on your phone or another device you control) to confirm that it's really you logging in. A stolen or guessed password alone is then not enough to get in. Where your provider offers it, prefer an authenticator app or hardware key over SMS codes, which can be intercepted through SIM-swap fraud.
- Ensure your security tools are up to date. This includes your spam filters, anti-virus, anti-malware tools, and operating system updates. But let’s not forget your mobile devices.
- Always be vigilant on how you engage with emails. If it looks suspicious, escalate it to your information security/technology teams for another look. If you appear to be the wrong recipient or receive an email with no context or no content, consider deleting it. Don’t let criminals take advantage of your helpfulness by responding.
Be especially cautious when using your mobile device for reading emails. From Verizon’s 2019 Data Breach Investigations Report, it was noted that although phishing click rates have dropped in their simulations, mobile users appear to be more susceptible to phishing attempts.
- For higher-risk processes you execute via email (e.g., submitting wire requests), build a process where your contacts call you back using the number they already have on file to confirm your requests, rather than any number in the email. Remember, a fraudulent payment is the ultimate goal of these criminals, so it's imperative to identify your higher-risk activities and decide what steps you can take to mitigate them.
- Follow the same process for incoming email requests for payments, especially when the email includes a change in bank information. Contact the sender using a number you have on file to confirm the request and/or change.
- For any internal requests that are out of the ordinary (i.e. rush requests), contact the sender via phone to verify the authenticity.
As your bank, we’re more than just a bank account. We’re also your partner in success. We’re here to help.