How to Respond to a Business Email Compromise Incident

BEC attacks are a serious and growing threat to businesses and individuals who conduct online transactions

What is BEC

Business Email Compromise (BEC) is a form of cybercrime that targets both businesses and individuals who perform online transactions. According to the FBI, BEC scams have caused over $26 billion in losses worldwide between June 2016 and July 2019. BEC attacks are sophisticated and often involve social engineering, phishing, malware, and spoofing techniques to deceive the victims into believing that they are communicating with a trusted business partner, vendor, client, or colleague.

BEC attacks can have serious financial and reputational consequences for the victims, as well as legal and regulatory implications. Therefore, it is crucial for IT professionals to know how to identify, prevent, and respond to a BEC incident in a timely and effective manner. This document provides a comprehensive guide on how to do so, based on the best practices and recommendations from various sources, including the FBI, the US Department of Homeland Security, and the National Cyber Security Centre.

How to Identify a BEC Attack

BEC attacks can take different forms, depending on the hacker's objectives and tactics. However, some common indicators of a BEC attack are:

  • The email sender's address or domain name is slightly different from the legitimate one, such as using a letter that looks similar (e.g., rn instead of m) or adding or removing a dot or a hyphen (e.g., john.doe@abc-company.com instead of john.doe@abccompany.com).
  • The email contains urgent or unusual requests, such as asking for a wire transfer, a change of payment details, a confirmation of personal or financial information, or an attachment or a link to click on.
  • The email uses a generic salutation (e.g., Dear Sir/Madam) or a mismatched signature (e.g., the name does not match the email address or the logo).
  • The email contains grammatical, spelling, or formatting errors, or uses a different tone, style, or language than the usual correspondence.
  • The email is sent at an odd time or date, or outside the normal business hours or communication patterns.

If you receive an email that exhibits any of these signs, do not reply, click on any links or attachments, or provide any information. Instead, follow the steps below to verify the email's authenticity and report the incident.
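The lookalike-domain tells listed above (rn for m, an added or dropped dot or hyphen, a single missing letter) can be checked mechanically before anyone replies. The following is an added example, not part of the original guide; the trusted-domain list and sample addresses are constructed placeholders.

```python
import re

# Constructed allow-list: the domains this organization actually corresponds with.
TRUSTED_DOMAINS = {"abccompany.com"}

# Character sequences that look alike in common fonts, mapped to a canonical form.
# Multi-character pairs come first so "rn" is collapsed before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Normalize a domain so visually confusable variants collapse to one string."""
    s = domain.lower()
    s = re.sub(r"[.\-]", "", s)           # abc-company.com and abccompany.com match
    for glyphs, canonical in HOMOGLYPHS:
        s = s.replace(glyphs, canonical)  # abccornpany -> abccompany
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch a single dropped or doubled letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike of X', 'near-miss of X', or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        tsk = skeleton(trusted)
        if sk == tsk:
            return f"lookalike of {trusted}"
        if edit_distance(sk, tsk) <= 1:
            return f"near-miss of {trusted}"
    return "unknown"


if __name__ == "__main__":
    for addr in ["john.doe@abccompany.com", "john.doe@abc-company.com",
                 "john.doe@abccornpany.com", "john.doe@abccompany.co", "bob@example.org"]:
        print(f"{addr:28} -> {classify_sender(addr)}")
```

Anything other than "trusted" should be routed to the out-of-band verification step rather than answered.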

How to Respond to a BEC Attack

If you suspect that you or your organization is the victim of a BEC attack, or if you have already fallen for one, you should take the following actions as soon as possible:

  • Secure the email account that received the fraudulent email. You should change the password, enable MFA, and check for any unauthorized or suspicious activity or settings.
  • Scan the device that accessed the fraudulent email for malware and viruses. You should use reliable and updated antivirus software and a firewall, and remove any malicious or unwanted programs or files.
  • Trace the source and destination of the fraudulent email. You should examine the email headers, the IP addresses, the domain names, and the links or attachments for any clues or indicators of compromise.
  • Contact the bank or financial institution that processed any suspicious transactions that were made or authorized as a result of the BEC attack. You should ask them to freeze or reverse the transactions, and provide them with any evidence or information that can help them investigate the incident.
  • Contact the person or organization that the hacker pretended to be and let them know that their email account or identity has been compromised. You should also verify any pending or recent transactions or requests that you have with them.
  • Contact the local law enforcement authorities and report the incident. You should also file a complaint with the FBI's Internet Crime Complaint Center (IC3) at https://www.ic3.gov/ or the Federal Trade Commission (FTC) at https://www.ftccomplaintassistant.gov/.
  • Collect and preserve any evidence related to the BEC attack, such as the email headers, the email content, the transaction details, and any other relevant information. You should also document the incident and the actions that you have taken in response.
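The header examination in the tracing step above, and the evidence record the last step asks for, can be produced from the raw message in one pass. This is an added example, not code from the original guide; the message below is a constructed sample (documentation IP ranges, fictional domains) built to show the typical tells: a Reply-To and Return-Path that do not match the From domain, failed SPF/DMARC, and an origin hop that is not the claimed sender's mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, not a real capture.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.net (mx.example.net [198.51.100.7]) by mail.abccompany.com; Mon, 1 Jan 2024 03:12:00 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45]) by mx.example.net; Mon, 1 Jan 2024 03:11:58 +0000
Authentication-Results: mail.abccompany.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=abccompany.com
From: "Jane Smith, CFO" <jane.smith@abccompany.com>
Reply-To: jane.smith.cfo@webmail.example.org
To: ap@abccompany.com
Subject: URGENT wire transfer

Please process the attached invoice today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw: str) -> dict:
    """Extract sender identities, the relay chain and mismatch findings from raw headers."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"Reply-To domain differs from From: {reply_addr}")
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"Return-Path domain differs from From: {return_path}")
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result: {m.group(1)}")
    # Each relay prepends its own Received header, so the last one is the origin hop.
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            hops.append(m.group(1))
    return {"from": from_addr, "reply_to": reply_addr, "return_path": return_path,
            "hops": hops, "origin_ip": hops[-1] if hops else None, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:12}: {value}")
```

Keep the original message file alongside this output; the dictionary is a summary for the bank and IC3 report, not a substitute for the preserved headers.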

How to Prevent a BEC Attack

The best way to protect yourself and your organization from a BEC attack is to implement a comprehensive and proactive cybersecurity strategy that includes the following measures:

  • Educate yourself and your employees on how to recognize and avoid BEC scams. You should also provide regular training and awareness campaigns on the latest trends and threats in cybercrime.
  • Use strong and unique passwords for your email accounts and other online platforms. You should also enable multi-factor authentication (MFA) and encryption wherever possible.
  • Verify the identity and legitimacy of any email sender or requestor before responding or taking any action. You should use a different channel of communication, such as a phone call or a text message, to confirm the email's authenticity. You should also check the email address and domain name carefully for any discrepancies or anomalies.
  • Implement and enforce clear and consistent policies and procedures for handling online transactions and requests, especially those involving sensitive or confidential information or large amounts of money. You should also require approval and verification from multiple authorized parties before executing any such transactions or requests.
  • Use reliable and updated antivirus software and a firewall on your devices and networks. You should also scan your email attachments and links for malware and viruses before opening or clicking on them.
  • Back up your data and systems regularly and store the backups in a secure location. You should also have a contingency plan and a recovery process in case of a cyberattack or a data breach.

How to Check and Secure a Microsoft 365 Environment

If you or your organization use Microsoft 365 for email and other online services, you should also take some additional steps to check and secure your environment from a BEC attack. Here are some of the steps that you can follow:

  • Review the Microsoft 365 Security Dashboard and the Secure Score report to get an overview of your security posture and identify any gaps or issues that need to be addressed. You can access these tools from the Microsoft 365 admin center or the Microsoft 365 security center.
  • Review the Microsoft 365 Activity Logs and the Alert Center to monitor and investigate any suspicious or anomalous activity or events in your environment. You can use the advanced search and filter features to narrow down your results and focus on the relevant data. You can also create custom alerts and policies to notify you of any potential threats or incidents.
  • Review the Microsoft 365 Mail Flow and the Message Trace tools to track and analyze the flow and status of the email messages in your environment. You can use these tools to verify the sender and recipient information, the delivery and disposition details, and the spam and malware detection results of the email messages.
  • Review the Microsoft 365 Security and Compliance Center and the Data Loss Prevention (DLP) policies to protect and manage your sensitive or confidential data and information. You can use these tools to classify, label, and encrypt your data, as well as to prevent unauthorized access, sharing, or transfer of your data.
  • Review the Microsoft 365 Identity and Access Management and the Azure Active Directory (AAD) tools to control and monitor the access and permissions of your users and devices to your resources and services. You can use these tools to enable MFA, conditional access, role-based access control, and identity protection for your users and devices.
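One concrete thing to look for in the activity-log review above is mailbox rules and forwarding settings created by a compromised account, which attackers use to hide the conversation from the real owner. The following is an added example, not part of the original guide: a small check over exported audit records. The records are constructed, and their field names follow the shape assumed for Exchange entries returned by the Microsoft 365 unified audit log; verify against your own export before relying on it.

```python
# Constructed sample records (assumed shape of Exchange audit entries; not real data).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-01-01T03:14:00", "Operation": "New-InboxRule",
     "UserId": "jane.smith@abccompany.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "ForwardTo", "Value": "collector@webmail.example.org"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-01-01T09:00:00", "Operation": "New-InboxRule",
     "UserId": "bob@abccompany.com", "ClientIP": "192.0.2.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2024-01-01T10:30:00", "Operation": "Set-Mailbox",
     "UserId": "jane.smith@abccompany.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:collector@webmail.example.org"}]},
]

INTERNAL_DOMAIN = "abccompany.com"  # constructed
# Folders a rule can move mail into so the mailbox owner never sees it.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "archive"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")


def params(record: dict) -> dict:
    """Flatten the Parameters list of an audit record into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def suspicious_reasons(record: dict) -> list:
    """Explain why a rule or mailbox change looks like BEC tradecraft, or return []."""
    p = params(record)
    reasons = []
    for name in FORWARD_PARAMS:
        if name in p and INTERNAL_DOMAIN not in p[name].lower():
            reasons.append(f"{name} to external address {p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"rule hides mail in {p['MoveToFolder']}")
    if record.get("Operation") == "New-InboxRule" and not p.get("Name", "").strip(". "):
        reasons.append("rule name is blank or only dots")
    return reasons


def review(records: list) -> list:
    """Return one hit per record that needs an analyst's eyes, with time, user and IP."""
    return [{"time": r["CreationTime"], "user": r["UserId"], "ip": r.get("ClientIP"),
             "reasons": suspicious_reasons(r)} for r in records if suspicious_reasons(r)]
```

Every hit should be cross-checked against the sign-in logs for the same user and client IP before the rule is removed, so the evidence is preserved first.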

How to Check and Secure a Google Workspace Environment

If you or your organization use Google Workspace for email and other online services, you should also take some additional steps to check and secure your environment from a BEC attack. Here are some of the steps that you can follow:

  • Review the Google Workspace Security Dashboard and the Security Health report to get an overview of your security posture and identify any gaps or issues that need to be addressed. You can access these tools from the Google Workspace admin console or the Google Workspace security center.
  • Review the Google Workspace Audit Logs and the Alert Center to monitor and investigate any suspicious or anomalous activity or events in your environment. You can use the advanced search and filter features to narrow down your results and focus on the relevant data. You can also create custom alerts and rules to notify you of any potential threats or incidents.
  • Review the Google Workspace Email Log Search and the Email Delivery tools to track and analyze the flow and status of the email messages in your environment. You can use these tools to verify the sender and recipient information, the delivery and disposition details, and the spam and malware detection results of the email messages.
  • Review the Google Workspace Data Protection and the Data Loss Prevention (DLP) tools to protect and manage your sensitive or confidential data and information. You can use these tools to classify, label, and encrypt your data, as well as to prevent unauthorized access, sharing, or transfer of your data.
  • Review the Google Workspace Identity and Access Management and the Google Cloud Identity tools to control and monitor the access and permissions of your users and devices to your resources and services. You can use these tools to enable MFA, context-aware access, role-based access control, and identity protection for your users and devices.

BEC attacks are a serious and growing threat to businesses and individuals who conduct online transactions. They can cause significant financial and reputational damage, as well as legal and regulatory issues. Therefore, it is essential for IT professionals to know how to identify, respond to, and prevent a BEC incident in a timely and effective manner. By following the guidelines and recommendations in this document, you can enhance your cybersecurity posture and reduce your risk of falling victim to a BEC scam.

Need Help?

support@sendmarc.com is standing by to assist!