MSPs: Prepare Your Clients for BEC Attacks

Your customer’s employees have certainly heard about phishing attacks and their impact on affected businesses. However, do you think that they know about the alarming growth of these incidents and all the costs associated with this type of cybercrime?

If not, it’s time to bring them up to speed. BEC (Business Email Compromise) attacks have tripled over the past three years and were up 50% in just the first quarter of 2019 compared to the same time in 2018.

Industry experts suggest those numbers are continuing to climb rapidly with no signs of abating any time soon. Of the losses reported to the FBI’s Internet Crime Complaint Center (IC3), the majority are BEC fraud, which shows just how effective these schemes are against the business community (especially SMBs).

The ABCs of BEC

Business Email Compromise essentially involves cybercriminals utilizing or spoofing a corporate email system to trick other employees into divulging financial information or transferring funds. The first step involves identifying a target, most likely C-Suite executives authorized to do wire transfers or high-level employees with access to the company’s financial operations.

A common way for an attacker to get into their corporate network is through spear-phishing. Cybercriminals typically cast a broad net, targeting numerous employees inside organizations with malware in the hope that someone will take the bait and click on an infected link or attachment.

Another trick is for attackers to create an email address whose domain is practically identical to the company’s own domain in order to deceive recipients. That scheme is surprisingly effective, since busy people can easily overlook a simple one-letter change in an email address.

Cybercriminals may also employ social engineering tactics to trick staff members, customers, and partners into believing the communication is from someone they know. They often research and monitor the behaviors of their targets, including phrasing, mannerisms, and writing style. Criminal organizations are utilizing an assortment of linguists, gamers, writers, and social engineers to create extremely effective spoofing emails today. Once they complete the research and planning phase, these attackers can send a variety of messages to deceive their targets into transferring money directly or giving them access to financial systems and information.

BEC Comes in Several Varieties

As with any cybercrime, the tactics tend to change over time to keep ahead of the defenders, and BEC is no different. The FBI classifies this type of fraud by the impersonation target as well as by its delivery method, including:

1. Fake Invoice: attackers pretend to be suppliers or partners requesting payment for an unpaid invoice.

2. C-Suite Spoofing: cybercriminals pose as the CEO or another member of the executive team and ask an employee with access to financial systems to transfer money to another account.

3. Hacked Account: in this case, the attackers compromise an executive’s actual email account.

4. Attorney Fraud: scammers impersonate the company’s legal representatives to access confidential or proprietary information.

5. Data Theft: in these cases, attackers target personal data from employees and others. For example, they may spoof HR team members’ emails to obtain PII (personally identifiable information) that the attackers can sell or leverage in other schemes.

MSPs Are a Major Defense

BEC is a real threat to your clients, and time is critical for stopping these types of attacks. If they can’t properly identify and stop fraudulent requests, it is almost impossible to recoup money transfers thanks to the various laundering techniques used by cybercriminals. Prevention is key.

On the technical side, there are a few things you can do to help your clients address those concerns. For example, you can require that employees use multifactor authentication, which makes it much harder for attackers to take over email accounts. Another step is changing the settings in their email service so that it flags messages originating outside the organization. That automatically alerts savvy employees (those who follow their training) to a potential scam.
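The external-sender flag above, combined with the one-letter lookalike domain trick described earlier, can be approximated in a sender check like the following. This is an added example written for this article, not the post’s own code or any vendor’s feature; the organization domain and the sample addresses are constructed.

```python
# Added example: classify a sender as internal, lookalike or external.
# ORG_DOMAIN and all addresses below are constructed assumptions.
ORG_DOMAIN = "examplecorp.com"  # assumed organization domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse look-alike character pairs that survive a casual glance."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d


def classify_sender(address: str, org_domain: str = ORG_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for an email address.

    'lookalike' covers one-character edits of the organization domain,
    homoglyph swaps such as rn->m, and the same name under another TLD.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == org_domain:
        return "internal"
    if normalize(domain) == normalize(org_domain) or edit_distance(domain, org_domain) <= 1:
        return "lookalike"
    if domain.split(".")[0] == org_domain.split(".")[0]:
        return "lookalike"  # e.g. examplecorp.net
    return "external"
```

A mail gateway would tag a "lookalike" result more loudly than a plain "external" one, since the latter is the normal case for suppliers and customers.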

MSPs should always watch for unusual mailbox rule changes. For example, if everything in an employee’s mailbox is being forwarded to a separate, outside account, it’s a sure sign that something is wrong.
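One way to review mailbox rules for the forwarding pattern described above is to run an exported rule list through a small audit like this. The example is added here and is not the post’s own tooling; the record layout (mailbox, name, forward_to, move_to, delete, keywords) and every sample rule are constructed assumptions, not any particular email service’s export format.

```python
# Added example: audit mailbox rules for signs of BEC-style mailbox abuse.
# The rule records and field names below are constructed assumptions.
ORG_DOMAIN = "examplecorp.com"  # assumed organization domain

SAMPLE_RULES = [  # constructed sample export covering two mailboxes
    {"mailbox": "cfo@examplecorp.com", "name": "Vacation", "enabled": True,
     "forward_to": [], "move_to": "Inbox/Travel", "delete": False, "keywords": ["itinerary"]},
    {"mailbox": "cfo@examplecorp.com", "name": ".", "enabled": True,
     "forward_to": ["archive@attacker-mail.example"], "move_to": None, "delete": True, "keywords": []},
    {"mailbox": "ap@examplecorp.com", "name": "Invoices", "enabled": True,
     "forward_to": ["shared-ap@examplecorp.com"], "move_to": None, "delete": False, "keywords": ["invoice"]},
    {"mailbox": "ap@examplecorp.com", "name": "Hide", "enabled": True,
     "forward_to": [], "move_to": "RSS Subscriptions", "delete": False, "keywords": ["wire", "payment"]},
]

FINANCE_TERMS = {"invoice", "wire", "payment", "transfer", "bank"}
# Folders a user rarely opens, a common place to park diverted mail
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items"}


def audit_rule(rule: dict, org_domain: str = ORG_DOMAIN) -> list:
    """Return a list of finding strings for one rule (empty list = benign)."""
    findings = []
    if not rule.get("enabled", True):
        return findings
    for addr in rule.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() != org_domain:
            findings.append(f"forwards to external address {addr}")
    if rule.get("delete") and rule.get("forward_to"):
        findings.append("deletes messages after forwarding, hiding the leak from the owner")
    folder = (rule.get("move_to") or "").lower()
    if folder in HIDDEN_FOLDERS:
        findings.append(f"moves messages to rarely read folder '{rule['move_to']}'")
    keywords = {k.lower() for k in rule.get("keywords", [])}
    if keywords & FINANCE_TERMS and (folder in HIDDEN_FOLDERS or rule.get("delete")):
        findings.append("hides finance-related messages")
    if rule.get("name", "").strip(".,- ") == "":
        findings.append("rule name is empty or punctuation only")
    return findings


def audit_rules(rules: list, org_domain: str = ORG_DOMAIN) -> dict:
    """Map mailbox -> {rule name: findings} for rules with at least one finding."""
    report = {}
    for rule in rules:
        hits = audit_rule(rule, org_domain)
        if hits:
            report.setdefault(rule["mailbox"], {})[rule["name"]] = hits
    return report
```

Run the audit on a schedule and alert on any new finding; a rule that appears between two runs is exactly the change this section says to watch for.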

Perhaps the most important thing MSPs can do to stop BEC scams is to ensure every client’s employees are adhering to phishing/cybersecurity awareness training programs. According to research conducted by KnowBe4, untrained workers open compromised emails 30% of the time, while only 2% of trained employees fall for those schemes.

If staffers don’t know or understand the dangers involved in BEC, how can they recognize that an email is fraudulent? MSPs must ensure that everyone they support is scrutinizing emails, especially those who handle financial transfers and PII. A simple best practice is to require a follow-up phone call, to a number already on file, to validate every payment or data request. Along with email diligence, that’s an effective way to stop BEC attacks from costing your clients a lot of money.

In today’s high-threat environment, every employee should be on guard for email fraud. A compromised account can be extremely detrimental to your client’s financial security and reputation, which is why implementing effective protection measures and training programs should be standard for every business.