BEC attacks – heard of them?
One of the most prominent cybersecurity threats to SMEs today is the BEC attack.
Business Email Compromise (BEC) attacks are a successful method for bad actors to trick end users into exposing sensitive assets and other information. As is the case with many other tactics employed by hackers, BEC attacks heavily focus on individual end users.
How do you protect yourself against them?
As the name “Business Email Compromise” hints, BEC happens when an attacker hijacks an email account and attempts to impersonate someone in the business. By creating calls-to-action and sending from within the victim’s legitimate email address, these attacks have been known to trick email recipients into sending personal information or money.
Once an email account is compromised, attackers can cause a significant amount of damage and business disruption. If you fall victim to BEC, you’re going to feel the pain first — and the most — but that pain can also end up being felt by your clients and vendors. So, what can you do?
• Enforce secure password rules and make sure employees aren’t reusing the same passwords across multiple sites or applications. No employee is exempt from this rule; last year, Facebook CEO Mark Zuckerberg had his Twitter and Pinterest accounts hacked after criminals obtained his LinkedIn password.
• Use multi-factor authentication and encryption to make it harder to compromise email accounts. After entering a password, the user will be prompted to verify themselves again by taking another action, such as entering a code that is emailed or texted to them.
• Train users to recognize potential phishing scams that can lead to account takeover (ATO) and BEC attacks, or that may be part of a BEC attack. They should be suspicious of short or generic messages from other employees, and double-check links and downloads. They should also never send sensitive information via email. Training should include phishing simulations, as well.
• Set up procedures for payments and wire transfers that require in-person conversations, phone calls, and other non-digital confirmation strategies.
It’s tough to spot a BEC attack — especially if it is coming from a legitimate account. To most effectively protect your business from today’s threats, you need to continually educate staff on security best practices, in addition to putting technical safeguards in place, particularly technologies that will block known threats before they even reach your network.
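The red flags listed above (short, generic messages; urgent calls-to-action; wire or payment requests; requests for sensitive data; links) can also be turned into a simple mail-filter heuristic that routes suspicious messages to out-of-band verification. The scorer below is an added example, not code from this post; the regexes, the 25-word threshold and the sample messages are constructed assumptions, and the internal-domain check deliberately does not lower the score, because in a BEC the sender really is a legitimate internal account.

```python
import re
from dataclasses import dataclass

# Red flags named in the post; the word lists are assumptions, tune them per organisation.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|gift card|bank details)\b", re.I)
SENSITIVE = re.compile(r"\b(password|ssn|social security|w-2|payroll|credentials)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def score_message(msg: Message, internal_domain: str):
    """Return (score, reasons). Higher scores warrant out-of-band verification."""
    reasons, score = [], 0
    text = f"{msg.subject} {msg.body}"
    if len(msg.body.split()) < 25:          # short or generic message
        score += 1; reasons.append("short/generic body")
    if URGENCY.search(text):                 # call-to-action pressure
        score += 2; reasons.append("urgent call-to-action")
    if PAYMENT.search(text):                 # money movement request
        score += 3; reasons.append("payment/wire request")
    if SENSITIVE.search(text):               # asks for data that should never go by email
        score += 3; reasons.append("asks for sensitive information")
    if LINK.search(msg.body):                # links to double-check
        score += 1; reasons.append("contains link")
    # A compromised account sends from a legitimate internal address, so being
    # internal is noted for the reviewer but does not reduce the score.
    if msg.sender.lower().endswith("@" + internal_domain.lower()):
        reasons.append("from internal account: confirm by phone or in person")
    return score, reasons


def needs_verification(msg: Message, internal_domain: str, threshold: int = 4) -> bool:
    """True when the message should be held for a non-email confirmation step."""
    return score_message(msg, internal_domain)[0] >= threshold


# Constructed sample messages, not real mail.
SAMPLES = [
    Message("ceo@example.com", "Quick favor",
            "Are you at your desk? I need a wire transfer sent today, will send details. Thanks"),
    Message("hr@example.com", "Team lunch",
            "Hi all, the team lunch is on Friday at noon in the main conference room. Please reply "
            "to this message by Wednesday if you have any dietary restrictions so the caterer can "
            "plan accordingly. Thanks"),
]
```

Run it over the samples with `needs_verification(SAMPLES[0], "example.com")`: the wire-transfer request scores 6 and is held, the lunch notice scores 0 and passes.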
Hope this helps. If you need help with setting protection in place – please contact us.