Business Email Compromise (BEC) is a growing problem that every organization needs to protect against. According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks cost businesses an estimated $2.9 billion in 2023. In Massachusetts, total losses in 2023 were $65,960,320, an average of $131,657.33 per victim.
BEC, as the name implies, happens when a threat actor gains access to a business email account. Once inside, the intruder has a variety of techniques for exploiting the victim. Some simply send a high volume of invoices to the victim's clients, hoping some will pay. More sophisticated threat actors monitor the account for large transactions and then send a request to redirect payment to an account they control. Threat actors will often create mailbox rules that move correspondence from particular parties to the Deleted Items folder, or to another folder where the mailbox owner will not notice the messages. They later read these messages and correspond with the clients themselves to redirect payments.
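The mailbox rules described above are something an administrator can audit for. The following is an added example, not code from the original article or from any product it mentions: it triages a list of inbox rules and flags the ones that divert mail from particular senders into rarely viewed folders, delete it, or forward it outside the firm. The rule records and their field names are constructed for illustration and do not follow any real mail platform's schema.

```python
# Added example (not from the original article): triage mailbox rules for the
# BEC persistence pattern of hiding or diverting correspondence.
# The InboxRule fields are an assumed, simplified schema for illustration.
from dataclasses import dataclass, field

# Folders a mailbox owner rarely opens, so diverted mail goes unnoticed.
RARELY_VIEWED = {"deleted items", "junk email", "archive", "rss feeds"}


@dataclass
class InboxRule:
    name: str
    from_contains: list = field(default_factory=list)  # sender filter terms
    move_to: str = ""                                   # destination folder
    forward_to: list = field(default_factory=list)      # forwarding targets
    delete: bool = False


def rule_findings(rule: InboxRule, internal_domain: str) -> list:
    """Return human-readable reasons this rule looks like BEC persistence."""
    findings = []
    if rule.move_to and rule.move_to.lower() in RARELY_VIEWED:
        findings.append(f"moves mail to '{rule.move_to}'")
    if rule.delete:
        findings.append("deletes mail")
    for addr in rule.forward_to:
        if not addr.lower().endswith("@" + internal_domain.lower()):
            findings.append(f"forwards to external address {addr}")
    # Diverting mail from specific parties (a client, a bank, a vendor) is
    # what lets an intruder take over an ongoing payment conversation.
    if findings and rule.from_contains:
        findings.append("targets senders: " + ", ".join(rule.from_contains))
    return findings


def triage(rules: list, internal_domain: str) -> list:
    """Return (rule name, findings) for every rule that deserves review."""
    flagged = []
    for rule in rules:
        findings = rule_findings(rule, internal_domain)
        if findings:
            flagged.append((rule.name, findings))
    return flagged


# Constructed sample: one benign rule and two matching the BEC pattern.
SAMPLE_RULES = [
    InboxRule("Newsletters", from_contains=["news@vendor.example"], move_to="Newsletters"),
    InboxRule("Filter", from_contains=["ap@client.example", "bank"], move_to="Deleted Items"),
    InboxRule("Backup", forward_to=["mailbox@mail.example"]),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RULES, "lawfirm.example"):
        print(f"REVIEW rule '{name}': " + "; ".join(reasons))
```

Run against a real export, the same logic applies: a rule that both filters on specific senders and hides or forwards their mail is the combination worth reviewing first.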
How does BEC happen?
To gain access, a threat actor must obtain a user’s password. Because many people reuse the same password across several sites, threat actors can buy credentials exposed in a previous breach and try them against numerous services until they gain access. A threat actor can also use phishing to trick users into handing over their username and password. An alarming trend we see is that up to ten percent of users will give their username and password during an initial phishing test. Given the high volume of data breaches and the relative ease with which threat actors can phish users for their account credentials, it is more important than ever to secure access to email.
What can I do to protect my firm?
There are several measures that will reduce your risk of BEC. The simplest and least costly is to require your users to create unique, strong passwords. The next step is multi-factor authentication (MFA), an excellent way to prevent unauthorized access: without the second factor, a username and password alone are not enough to get into the account. Security awareness training helps your users recognize phishing attempts and avoid giving away their credentials. There are also security products, such as Huntress for M365, that specifically address BEC on the M365 platform.