Basic BEC Defense Strategy for Small Businesses

Blog

A basic BEC defense startegy is a beginner friendly guide for small business suffering from email compromise and fraud.

by Ahona Rudra

Reading Time: 5 min
Basic BEC Defense Strategy for Small Businesses
Table Of Contents

The digital landscape is evolving at an uncompromised pace, which is also giving hackers more opportunities to commit cyberattacks like basic BEC scams. They attempt BEC attacks by masquerading as officials and sending fake emails on their behalf. Most emails request making financial transactions to hackers’ accounts which the recipients are unaware of. 

The blog explores more on BEC scams, their stages, and defense strategies for small businesses, so keep reading!

Key Takeaways

  1. Business Email Compromise (BEC) scams involve attackers impersonating company officials to manipulate recipients into making unauthorized financial transactions.
  2. Minor alterations in email addresses and domain names, such as typos, can make it difficult for recipients to identify phishing attempts.
  3. A well-defined payment approval process can minimize the risk of successful BEC attacks by requiring multiple levels of authorization.
  4. Implementing Multi-Factor Authentication (MFA) can significantly enhance email security and reduce the likelihood of unauthorized access.
  5. Employees should be encouraged to report suspicious emails and requests, emphasizing the importance of verification before acting on urgent demands.

What are BEC Scams, and Why are they Dangerous?

BEC is short for Business Email Compromise, a type of email phishing attack where attackers impersonate company officials to manipulate recipients (usually finance department employees) into making a financial transaction. 

They use domain spoofing, lookalike domain, and typosquatting techniques to make emails look like they are coming from legitimate sources. They make minor spelling alterations that go undetected if not observed carefully by recipients. Some examples of the same are: www.amaz0n.com instead of www.amazon.com, www.tvvitter.com instead of www.twitter.com, etc.

Basic BEC attacks are dangerous as it’s quite challenging to detect them since they are mostly attempted using a company’s email address. It isn’t easy to trace back embedded links to questionable URLs to hackers.

Simplify Security with PowerDMARC!

Start 15-day trial Book a demo

Stages of a Typical BEC Scam

Threat actors are getting sophisticated with their techniques and approaches toward cybercrimes. This has made it evidently more challenging to spot loopholes. They plan BEC attacks in more or less the 4 following phases to go undetected. 

PHASE 1- Email List Targeting

Malicious actors scout LinkedIn profiles, business email databases, and other websites to draft a consolidated list of individuals or companies they want to target.

PHASE 2- Launch Attack

In the following phase, they send emails with spoofed or look-alike domains and fake email names.

PHASE 3- Social Engineering

Attackers masquerade as trusted officials to request urgent responses or actions like money transfers or ask to share confidential files.

PHASE 4- Financial Gains

This is the final stage of a basic BEC attack where financial gain or data breach is successful. 

8 Basic BEC Defense Strategy for Small Businesses

Here are 8 defense strategies to prevent basic BEC scams.

1. Develop Protocols for Payment Approvals

Overhaul your company’s payment approving process and devise a fixed path. This will help minimize the chances of a successful basic BEC attack attempted by manipulating a single authorized finance team employee. 

You can include requiring a senior employee to validate and approve all wire transfers. Moreover, you should mandate employees to confirm money transfers through telephonic or in-person communication. 

2. Ensure Your Devices and Web Email Clients Run the Same Version

Unsynchronized desktop and web versions let threat actors place rules that aren’t exposed in the desktop clients. This creates problems in tracing the manner of attack and other things.

3. Double-Check Email Addresses

The easiest way to prevent basic BEC attacks is by carefully noticing email addresses for  slight spelling alterations and changes. Hackers also use font tricks by fooling people with similar-looking letters like ‘i’ and ‘1’ or ‘o’ and ‘0’. These minor changes easily go unnoticed if you don’t double-check before hitting the send button.

Also, check whether the ‘reply’ and ‘from’ addresses are the same. Flag email communications where both these addresses don’t match. 

4. Enable MFA

MFA or Multi-Factor Authentication is a verification component that adds additional layers of security above the standard username and password method. The likelihood of basic BEC attacks decreases with methods like OTPs sent on your phones, answers to personal questions, biometrics, behavioral analysis, etc. 

Lately, the MFA method has integrated machine learning and artificial intelligence that enables location-based and risk-based authentication techniques. In location-based MFA, users’ IP addresses and/or geo-locations act as security factors. Risk-based authentication considers context and behavior for authentication. Common examples are:

  • Logging in outside of work hours.
  • Accessing from a different location.
  • Sign in from a new and unidentified device.   
  • Connecting via an unsecured network.

5. Prohibit Automatic Forwarding of Emails to External Addresses

If automatic forwarding of emails is enabled, hackers can inject themselves into conversations to commit financial fraud. According to the FBI’s 2019 Internet Crime Report, such perpetrated basic BEC crimes caused an accumulated loss of $1.7 billion in losses.

Auto forwarding also gives them the opportunity to access and exploit your email accounts for a long time while also posing a risk of potential disclosure of sensitive and confidential information.

6. Use Email Authentication Protocols

SPF, DKIM, DMARC, and BIMI are authentication protocols ensure email security by permitting only trusted entities to send emails using your domain. SPF requires you to create and publish an extensive list of IP addresses and servers you trust to send emails on your behalf. Emails from IP addresses and servers outside of the list fail SPF authentication checks.

DKIM uses a pair of public and private cryptographic keys to verify the sender’s authenticity. DMARC directs recipients’ mailboxes on how to treat emails failing SPF and/or DKIM authentication checks. BIMI allows email inboxes to show your company’s official logo next to authenticated emails as a mark of visual identification. 

You can investigate your email authentication compliances using our email header analyzer. It evaluates the protocols through an empty test mail sent to an auto-generated email address.  

7. Encourage Employees to Flag Suspicious Payment Requests

You should train your employees to read the signs of basic BEC scams and encourage them to seek clarification on emails creating a sense of urgency with words like ‘ASAP,’ ‘within 5 minutes’, etc. In this case, it’s better to go a little old-school and get confirmation by meeting the person physically or through a phone call. 

8. Report Fraud to Authorities

Report BEC scams and other frauds to the concerned authorities immediately after you detect a red flag. Even if remediation isn’t possible in your situation, the authorities can dig deep and gain insights from multiple reports. 

As a small business owner, you can take baby steps towards BEC scam protection by investing in email authentication services and conducting awareness sessions for your team. You can contact us to help with email authentication implementation, management and monitoring for their non-erroneous and uncompromised deployment. 

Latest posts by Ahona Rudra (see all)
Why Should We Not DIY DMARC?Why Should We Not DIY DMARCchannel-next-and-powerdmarcSecuring Customer Domains: Channel Next’s MSP Success Story with Powe...