Shield Your Business: Ultimate Guide to Thwarting Email Scams
Getting to Grips with Business Email Scams
Business Email Compromise (BEC) is one of the most financially damaging online crimes, and a particular threat to companies that pay suppliers by wire transfer or work with vendors abroad. The attacker either takes over a legitimate business mailbox (commonly through a phishing page that captures an employee's login details) or impersonates one from a spoofed or lookalike domain, then uses that trusted position to redirect payments or extract sensitive data.
How Do Email Scams Operate?
A typical BEC intrusion begins with the attacker gaining access to a mailbox that sees payment traffic, often in finance or accounts payable. From there the attacker poses as a trusted person or supplier and talks an employee into sending money or sensitive data. A simple breakdown:
- Stealing credentials: an employee clicks a link in a phishing email or opens a counterfeit invoice attachment.
- Fake websites: the link leads to a login page that mimics a real vendor portal or the company's own webmail sign-in, and the email address and password the employee types in go straight to the attacker.
- Unauthorized access: with a working password, the attacker reads the mailbox's payment correspondence, waits for a genuine invoice or wire request, and then inserts altered bank details. Attackers commonly add mailbox rules that forward copies of mail to an outside address or that delete or hide replies mentioning "invoice" or "wire", so the real owner never sees the vendor's follow-up questions. Auditing mailbox rules is therefore one of the first checks to run when a compromise is suspected.
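The rule audit mentioned above can be scripted. The block below is an added example, not code from the original page or from any mail vendor: it uses an invented, simplified rule schema and constructed sample rules, and flags the three patterns that recur in BEC account takeovers (external auto-forwarding, hiding finance-related mail, and rules named with nothing but punctuation). Field names such as `forward_to` and `move_to` are assumptions for the example, not any real platform's export format.

```python
"""Triage exported mailbox rules for patterns typical of a BEC account takeover.

Hypothetical example: the rule records and the schema (conditions/actions dicts)
are constructed for illustration and do not match any real mail platform's export.
"""
import re
from dataclasses import dataclass, field

# Terms attackers key on when hiding the financial thread from the mailbox owner.
FINANCE_TERMS = ("invoice", "wire", "payment", "remittance", "bank", "ach", "swift")
# Folders commonly used as a hiding place because nobody looks in them.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}


@dataclass
class InboxRule:
    name: str
    conditions: dict = field(default_factory=dict)  # subject_contains / body_contains / from_contains
    actions: dict = field(default_factory=dict)     # forward_to / delete / mark_read / move_to
    enabled: bool = True


def rule_findings(rule, internal_domains):
    """Return the reasons this rule looks like attacker persistence (empty list if clean)."""
    findings = []
    if not rule.enabled:
        return findings

    # 1. Auto-forwarding outside the organisation gives the attacker a copy of every reply.
    for addr in rule.actions.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            findings.append(f"forwards to external address {addr}")

    # 2. Hiding finance-related mail so the victim never sees the vendor's questions.
    hides = bool(rule.actions.get("delete") or rule.actions.get("mark_read")
                 or rule.actions.get("move_to", "").lower() in HIDE_FOLDERS)
    keywords = [k.lower() for k in rule.conditions.get("subject_contains", [])
                + rule.conditions.get("body_contains", [])]
    finance_hits = [k for k in keywords if any(t in k for t in FINANCE_TERMS)]
    if hides and finance_hits:
        findings.append(f"hides messages matching {finance_hits}")

    # 3. Rules named with a single dot or comma are a recurring attacker habit.
    if not re.search(r"[A-Za-z0-9]", rule.name):
        findings.append("rule name contains no letters or digits")
    return findings


def triage(rules, internal_domains):
    """Map rule name -> findings for every rule that deserves a human look."""
    internal = {d.lower() for d in internal_domains}
    report = {}
    for rule in rules:
        hits = rule_findings(rule, internal)
        if hits:
            report[rule.name] = hits
    return report


# Constructed sample export (not real data) from a finance user's mailbox.
SAMPLE_RULES = [
    InboxRule(name=".",
              conditions={"subject_contains": ["invoice", "payment"]},
              actions={"forward_to": ["ap.backup@mail-archive.example"], "mark_read": True}),
    InboxRule(name="Newsletters",
              conditions={"from_contains": ["news@"]},
              actions={"move_to": "Newsletters"}),
    InboxRule(name=",",
              conditions={"body_contains": ["wire transfer"]},
              actions={"delete": True}),
    InboxRule(name="Old CEO rule", enabled=False,
              conditions={"subject_contains": ["wire"]},
              actions={"delete": True}),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_RULES, {"corp.example"}).items():
        print(f"{name!r}: {'; '.join(hits)}")
```

Run against a real export, the same three checks apply; the only adaptation needed is mapping the platform's own field names onto `conditions` and `actions`. Disabled rules are skipped here, but an attacker can re-enable one later, so a full incident review should list them too.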
Real-World Examples of Email Scams
The FBI describes several scenarios that have played out against real victims; in each case, the message was fake:
- A vendor your company regularly deals with sends an invoice with an updated mailing address (the sender is an impostor, and the new details route the payment to the attacker).
- A company CEO asks her assistant to buy gift cards for employee rewards and requests the serial numbers immediately (the cards are drained as soon as the numbers arrive).
- A homebuyer receives wiring instructions for a down payment from his title company (the instructions send the deposit to the attacker's account).
Protecting Your Business from Email Scams
The FBI and cybersecurity experts recommend setting up an awareness and training program to help your business prepare for and prevent these attacks. Here are some steps you can take:
- Review and Document Your Wire Transfer Process (WTP): write the process down and require that any change to wiring instructions (new bank, new account number, new beneficiary) be confirmed outside of email, by phone to a number already on file or over another previously established channel, before any money moves.
- Establish Accurate Wiring Instructions: keep confirmed wiring instructions for every counterparty on file, and treat any deviation from them as a change that triggers the verification step.
- Verify Contact Information: never use the phone number or email address supplied in the message you are trying to verify, since an attacker controls both. Look up the number from a trusted source (the vendor master record, the signed contract, a previously verified call) and call to confirm.
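The vendor-invoice scenario above and the verification steps just listed can be front-loaded with an automated triage pass before anyone picks up the phone. The block below is an added example, not code from the original page or the FBI guidance: the vendor record, the sample messages and the scoring rules are constructed for illustration. It compares the sender's domain with vendors on file (catching lookalikes such as "acrne-industria1" for "acme-industrial"), flags a Reply-To that points somewhere else, and puts any change of bank details on hold for an out-of-band callback to the number on file. The field names (`from`, `reply_to`, `new_bank`) and the vendor data are assumptions for the example.

```python
"""Triage a 'please update our bank details' request before it reaches accounts payable.

Hypothetical example: VENDORS_ON_FILE, SAMPLE_MESSAGES and the message field names
are constructed for illustration; the IBANs are sample values, not real accounts.
"""
import re
from difflib import SequenceMatcher

# Characters attackers substitute because they look alike in most fonts.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
PUBLIC_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "proton.me"}

VENDORS_ON_FILE = {  # constructed vendor master record (key = registered email domain)
    "acme-industrial.example": {
        "name": "Acme Industrial",
        "phone": "+1-555-0100",                 # number verified on a previous call
        "bank": "GB29NWBK60161331926819",       # sample IBAN on file
    },
}


def normalise(domain):
    """Reduce a domain to a comparable form: first label, confusables folded, letters only."""
    d = domain.lower().translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")   # 'rn' reads as 'm', 'vv' as 'w'
    return re.sub(r"[^a-z]", "", d.split(".")[0])


def lookalike_of(sender_domain, known_domains, threshold=0.85):
    """Return the known domain this one imitates, or None (exact matches are not lookalikes)."""
    if sender_domain.lower() in known_domains:
        return None
    target = normalise(sender_domain)
    for known in known_domains:
        if SequenceMatcher(None, target, normalise(known)).ratio() >= threshold:
            return known
    return None


def assess_request(message, vendors=VENDORS_ON_FILE):
    """Return ("HOLD", reasons) when the request needs out-of-band verification, else ("OK", [])."""
    reasons = []
    from_addr = message["from"].lower()
    sender_domain = from_addr.rsplit("@", 1)[-1]
    reply_domain = message.get("reply_to", from_addr).lower().rsplit("@", 1)[-1]
    vendor = vendors.get(sender_domain)

    if vendor is None:
        imitated = lookalike_of(sender_domain, vendors)
        if imitated:
            reasons.append(f"sender domain {sender_domain} looks like {imitated} but is not it")
        elif sender_domain in PUBLIC_MAIL:
            reasons.append(f"vendor mail from public webmail domain {sender_domain}")
        else:
            reasons.append(f"sender domain {sender_domain} is not on the vendor list")

    if reply_domain != sender_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    # Even a genuine vendor mailbox may be compromised: any change of bank details is
    # confirmed by phone to the number on file, never to a number supplied in the message.
    new_bank = message.get("new_bank")
    if new_bank and (vendor is None or new_bank != vendor["bank"]):
        phone = vendor["phone"] if vendor else "the number on file (never one from the message)"
        reasons.append(f"bank details change requested; confirm by phone via {phone}")

    return ("HOLD" if reasons else "OK"), reasons


# Constructed sample requests, not real mail.
SAMPLE_MESSAGES = [
    {"from": "billing@acme-industrial.example", "new_bank": "GB29NWBK60161331926819"},   # unchanged
    {"from": "billing@acrne-industria1.example", "new_bank": "DE89370400440532013000"},  # lookalike
    {"from": "billing@acme-industrial.example", "reply_to": "billing@acme-accounts.example",
     "new_bank": "DE89370400440532013000"},                                             # real domain, odd Reply-To
    {"from": "acme.billing@gmail.com", "new_bank": "DE89370400440532013000"},           # webmail
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = assess_request(msg)
        print(msg["from"], verdict, *reasons, sep="\n  ")
```

The third sample is the important one: the From domain is the genuine vendor, so a domain check alone passes it, which is exactly the account-takeover case this page describes. The hold on any bank-detail change is what catches it, and the callback goes to the phone number in the vendor record, not to anything in the message.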
Extra Protective Steps
Besides having a solid Wire Transfer Process, consider these additional actions:
- Employee Training: teach employees how to recognise and report phishing attempts, with specific attention to urgent payment requests and changes of bank details. A Learning Management System makes it easier to assign, track and repeat that training.
- Phishing Tests: regularly send simulated phishing emails to keep employees alert, and provide additional training for those who fall for them.
- Policies and Procedures: set expectations in writing with a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP).
- Cybersecurity Technology: use the essential controls: two-factor authentication on every account that can approve payments or reset other passwords (preferably a phishing-resistant method such as a hardware security key or passkey, since a convincing fake login page can relay a one-time code just as easily as a password), email spam and phishing filtering, validated backups, DNS protection, and antivirus and anti-malware on all endpoints.
- Device Management: with remote work, personal devices that reach company email or data are part of your attack surface. Either bring them under management (patching, disk encryption, endpoint protection) or prohibit their use entirely.
- Risk Assessment: if you haven't had a risk assessment by a third party in the last two years, schedule one now, and use it to establish an ongoing risk management framework rather than a one-off report.
- Cyber-Insurance: buy cyber-insurance to limit the financial impact of a major breach, and read the policy: BEC losses often fall under separate "social engineering" or "funds transfer fraud" coverage with lower limits, and insurers may require that verification controls like those above were actually followed.
To learn more about Business Email Compromise, refer to the FBI's guide on BEC. If you suspect a fraudulent transfer has already gone out, contact your bank immediately and file a report with the FBI's Internet Crime Complaint Center (IC3); the sooner a fraudulent wire is reported, the better the odds of recalling the funds.