Business email compromise: what it is and how to combat it

In our last blog, we discussed the best ways to protect your organisation from email threats. We also mentioned the risk posed by phishing emails. In this blog, we will expand on this further by explaining the problem of business email compromise (BEC) and the best ways to manage such a threat.

What is business email compromise (BEC)?

BEC is a type of phishing attack in which a cyber criminal impersonates a senior member of staff and tries to persuade an employee or other business associate to send funds or sensitive data to the attacker. The operation is much like ‘social engineering fraud’.

BEC does not just impact large organisations – businesses of all sizes and in all sectors can fall victim to this type of phishing attack. It is one of the most rapidly growing, cheapest and highest-return cyber threats. Criminals are continuously refining their tactics to exploit their victims, making BEC a substantial concern for organisations across the board. It only takes one successful impersonation for a company to lose millions and damage its reputation.

How can we combat BEC?

Multi-factor authentication

A cyber criminal must first be able to phish an executive in order to gain access to, or imitate, their email account. Requiring multi-factor authentication to confirm a user’s claimed identity makes it much harder for a criminal to take over an email account and inbox, and therefore much harder to carry out a BEC attack.

Clear communications and awareness

One of the main issues with BEC is that the criminal is impersonating an executive. If an employee needs an executive’s permission to make a transaction and believes they are in genuine communication with that executive, major problems can occur. A clear and robust communications policy must be implemented for everyone in the organisation to prevent this, particularly those in the finance department who handle financial transactions.

A step-by-step approach that becomes second nature through thorough training is often useful and helps to build awareness. However, avoid a policy that will intimidate employees – it would be counterproductive if staff members are too afraid to raise a concern.

Keep up-to-date

It’s all very well having initial training and implementing a policy, but are the procedures outlined actually being followed? Refresher training sessions give staff and management a chance to discuss BEC threats that have occurred within the organisation and how they were dealt with. They also allow staff to ask any questions they may have about the procedures and provide an opportunity to reassure them on how best to follow them. Refresher sessions help maintain awareness of BEC and keep staff on guard. A rewards policy could also be introduced to benefit staff, which in turn encourages secure practices in a positive way.

Do you need help with keeping your business safe from cyber threats? Call us on 01792 439087 for more information on how to protect your business.