Business email compromise (BEC) attacks are on the rise. A BEC is a breach of a business email account, and it is particularly troublesome for businesses because of what follows: once they gain access to a company’s email system, hackers attempt to trick a victim (usually an employee of the compromised firm or a client of that firm) into sending money or sensitive information by impersonating a trusted individual or organization. BEC attacks are often sophisticated and can be difficult to identify, making them a serious threat to businesses of all sizes. Here is what you need to know.
How hackers gain access
Hackers can gain access to email accounts in several ways, including:
- Phishing: In this type of social engineering attack, the attacker tries to trick the victim into revealing their personal information, such as their email address and password. Phishing attacks are often carried out through email, but they can also be carried out through text messages, phone calls, or social media.
- Malware: This malicious software can be used to infect computers and steal data. Hackers can spread malware through email attachments, infected websites, or USB drives. Once a computer is infected with malware, the attacker can gain access to the victim’s email account and other personal information.
- Weak passwords: These are easy for hackers to crack. Hackers can use brute-force attacks to try every possible combination of characters until they find the correct password. They can also use password dictionaries to try common passwords.
- Zero-day exploits: Software vulnerabilities that the developer is not yet aware of, and therefore has not patched, can be exploited by hackers to gain access to computers and email accounts.
Examples of what hackers do once they have access to an email system
Once hackers have access to an email system, they can do several things, including:
- Steal sensitive information: Hackers can steal sensitive information from email accounts, such as personal information (names, addresses, phone numbers, Social Security numbers, etc.), financial information (bank account numbers, credit card numbers, etc.), and business information (trade secrets, customer lists, etc.).
- Send spam and malware: By using email accounts to send spam and malware to other users, hackers can spread malware and infect other computers. In fact, most spam is distributed in this way.
- Launch phishing attacks: Phishing attacks are attempts to trick users into revealing their personal information or financial details. Like spam and malware above, most phishing is distributed in this way.
- Conduct fraud: Hackers can use email accounts to conduct various types of fraud, such as wire transfer fraud and invoice fraud.
- Extort money: By threatening to release sensitive information or launch a cyberattack, hackers can extort money from victims.
How to mitigate BEC attacks
There are many things that businesses and individuals can do to mitigate the risk of BEC attacks, including:
- Educate employees about BEC attacks: Employees should be trained to identify the red flags of BEC attacks, such as emails from unknown senders, requests for urgent action, and requests for money or sensitive information.
- Implement strong email security measures: Businesses should implement email security measures such as spam filtering, email authentication, and data loss prevention (DLP) solutions to help protect against BEC attacks.
- Verify all payment requests: Businesses should verify all payment requests with the authorized individual or organization before sending money. This can be done by calling the individual or organization directly or by using a secure messaging system.
- Have a plan in place to respond to BEC attacks: The plan should include steps for notifying affected individuals, investigating the attack, and preventing future attacks.
- Use strong passwords and enable multi-factor authentication (MFA): Multi-factor authentication adds an extra layer of security by requiring users to provide a second proof of identity, such as a code from their phone, in addition to their password when logging in.
- Be careful about what information you share online and over the phone: This includes avoiding sharing personal information on social media and being wary of unsolicited phone calls and emails.
- Verify the identity of the person contacting you before providing any personal information or financial details: As with payment requests, this can be done by calling the individual or organization directly or by using a secure messaging system.
- Be suspicious of unsolicited emails, even if they appear to be from someone you know: Hackers can easily spoof email addresses, so it is important to verify the sender’s email address before clicking on any links or opening any attachments.
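The red flags listed above (a trusted name on an outside address, a spoofed or lookalike sender domain, replies routed elsewhere, urgent payment language) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original article: a small Python screen that parses one email and reports which red flags it triggers. The company domain `example.com`, the executive roster and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the company's own domain and the
# names an attacker is most likely to impersonate.
OWN_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe"}
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|asap|wire|transfer|invoice|gift card)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _fold_confusables(domain: str) -> str:
    # Collapse common lookalike substitutions so examp1e.com compares equal to example.com.
    return domain.replace("rn", "m").replace("1", "l").replace("0", "o").replace("vv", "w")

def bec_flags(raw_message: str) -> list[str]:
    """Return the BEC red flags found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_to)
    flags = []
    # 1. A known executive's display name on an address outside the company domain.
    if name.strip() in EXECUTIVES and from_dom != OWN_DOMAIN:
        flags.append("display-name spoofing")
    # 2. Replies silently routed to a domain other than the apparent sender's.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to mismatch")
    # 3. A sender domain that imitates the company domain with lookalike characters.
    if from_dom != OWN_DOMAIN and _fold_confusables(from_dom) == OWN_DOMAIN:
        flags.append("lookalike domain")
    # 4. Pressure to act now combined with money or payment language.
    body = msg.get_payload(decode=True) or b""
    if URGENCY_RE.search(msg.get("Subject", "") + " " + body.decode("utf-8", "replace")):
        flags.append("urgency/payment language")
    return flags

# Constructed sample messages: one fraudulent, one routine.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: accounts@payments-mail.test
To: bob@example.com
Subject: Urgent wire transfer needed today

Bob, please process the attached invoice immediately. I am in a meeting.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Quarterly planning notes

Attached are the notes from Tuesday.
"""
```

A screen like this is a triage aid, not a replacement for the human verification step above: a message with no flags can still be fraudulent, and a flagged one can still be legitimate.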
By taking these steps, businesses and individuals can help to protect themselves from BEC attacks and other cyber threats.