One Compromise Not to Make 

Picture this: You’re the finance manager at a fifty-person manufacturing firm. Your best customer’s account is overdue – unusual, as they typically pay in full. Your customer, however, insists they’ve already paid and presents proof from the bank. So why didn’t you receive the payment?

Business Email Compromise (BEC) has cost businesses over $12.5 billion since 2013, and the trend is on the rise, with a 136% increase in losses from 2016 to 2018.

Organizations with customers paying large and/or ongoing invoices are key targets. A few examples include construction companies, professional services firms, and security systems integrators. Ultimately, BEC can affect all businesses in some form. The key to stopping it is to know what you’re looking for.

E-mail or E-fail?

While tactics vary, a typical BEC attack has three parts:

  1. The Key: Attackers collect stolen email addresses and passwords from data breaches, often found on the Dark Web. With more than 80% of people known to reuse passwords, the attacker just needs to find one working set of compromised credentials to get in the door.
  2. The Break-In: The attacker infiltrates a key employee’s email account – typically someone in finance. They monitor emails, looking for an opportunity to strike and learning details (such as project specifics, contacts, and even nicknames and conversation style), so they can sound convincing.
  3. The Attack: The attacker impersonates the employee, using their actual email account, alerting customers to a phony “change in payment instructions” and directing your customer’s payments to the attacker’s accounts. The attacker redirects replies to themselves, then deletes those mailbox settings and the sent emails to avoid detection.
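
The third stage leaves a trace a defender can look for: the redirect and the clean-up are usually done with mailbox rules. The audit below is an added, constructed example (not Defendify’s code) that flags the rule patterns described above: rules with blank or one-character names, rules that forward to an address outside the company domain, rules that delete or hide matching messages, and rules that key on payment-related subject lines. The record layout (`name`, `forward_to`, `delete`, `move_to`, `subject_contains`), the `example.com` domain and the sample rules are all assumptions made for illustration; in practice the rules would be exported from the mail platform first.

```python
"""Audit exported mailbox rules for the patterns a BEC intruder leaves behind.

Constructed example: the rule record layout and sample rules are assumptions,
not a specific mail platform's export format.
"""
from dataclasses import dataclass, field

# Subject keywords an intruder hunting for payment traffic tends to match on.
PAYMENT_KEYWORDS = ("invoice", "payment", "wire", "remit", "bank")

# Folders that rarely receive business mail, so moving mail there hides it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}


@dataclass
class Finding:
    rule_name: str
    severity: str
    reasons: list = field(default_factory=list)


def _is_external(address: str, internal_domain: str) -> bool:
    """True if the address is outside the organisation's own domain."""
    return "@" in address and not address.lower().endswith("@" + internal_domain.lower())


def audit_mailbox_rules(rules, internal_domain):
    """Return one Finding per rule that shows at least one suspicious trait."""
    findings = []
    for rule in rules:
        reasons = []
        name = (rule.get("name") or "").strip()
        # Intruders often give rules a blank or single-character name.
        if len(name) <= 1:
            reasons.append("blank or one-character rule name")

        exfil_or_hide = False
        for addr in rule.get("forward_to", []):
            if _is_external(addr, internal_domain):
                reasons.append(f"forwards to external address {addr}")
                exfil_or_hide = True
        if rule.get("delete"):
            reasons.append("deletes matching messages")
            exfil_or_hide = True
        folder = (rule.get("move_to") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"hides messages in folder '{folder}'")
            exfil_or_hide = True

        subject_words = [w.lower() for w in rule.get("subject_contains", [])]
        hits = [w for w in subject_words if any(k in w for k in PAYMENT_KEYWORDS)]
        if hits:
            reasons.append(f"matches payment keywords {hits}")

        if reasons:
            # A rule that both targets payment traffic and redirects, deletes or
            # hides it is the full pattern from the attack's third stage.
            severity = "high" if (exfil_or_hide and hits) else "medium"
            findings.append(Finding(rule.get("name", ""), severity, reasons))
    return findings


# Constructed sample export: two ordinary rules and one intruder-style rule.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"],
     "move_to": "Newsletters", "forward_to": [], "delete": False},
    {"name": "Share with Dana", "subject_contains": ["weekly report"],
     "forward_to": ["dana@example.com"], "delete": False},
    {"name": ".", "subject_contains": ["Invoice", "wire transfer"],
     "forward_to": ["updates@example.net"], "delete": True},
]

if __name__ == "__main__":
    for f in audit_mailbox_rules(SAMPLE_RULES, "example.com"):
        print(f"[{f.severity}] rule {f.rule_name!r}: " + "; ".join(f.reasons))
```

Run against the sample export, only the rule named `.` is reported, at high severity, because it both keys on payment subjects and forwards them outside the domain while deleting the originals. The internal forward to a colleague is left alone, which is the distinction the audit is meant to make.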

To make matters worse, you likely won’t know until it’s too late and your customers have paid the attacker. By the time the payment has gone past due and you hear from customers that they “already paid,” the attackers will be long gone.

Don’t Compromise Your Relationships

From a business standpoint, BEC can be tricky because both parties carry some responsibility – a successful attack involves fooling both you and your customer.

Here are a few tactics to minimize the risk of BEC:

  1. Strong Passwords and 2FA: If attackers can’t get into your email account, they can’t send from it. Use a strong, unique password or passphrase and two-factor authentication for your accounts, especially your email and other communication channels.
  2. Communicate: Make your customers aware of the threat and encourage them to verify requests. Explain your company’s security protocols from day one and be clear that you’ll never request payment changes through email. Then be sure that you follow this policy.
  3. Secure Messaging: Consider setting up an encrypted email tool or secure payment portal for customers. If customers receive an email outside of this system, they can flag it as a potential attack.

While not overly sophisticated, BEC is a real threat and on the rise. Be mindful that this one can be particularly tricky—not only can you find yourself as the subject of the attack, but also the source.

Stay Safe,

Your Friends @ Defendify
