
Cybersecurity attacks and scams have been on the rise recently. Corporations, governments, and individuals have all been targets of these attacks. With so many of our daily activities conducted online, it’s more important than ever to be alert and know how to protect yourself and/or your business.
A lot of scams today happen through email. A prominent and very costly form of email scam is business email compromise (BEC).
How BEC scams work
An attacker identifies a business target and then reaches out to someone within the company, pretending to be someone the recipient trusts, like a vendor or boss. The attacker usually makes a seemingly legitimate request, such as sending an invoice imitating a trusted vendor, asking an employee to buy gift cards on an executive’s behalf for employee rewards, or asking for fund transfers when dealing with company acquisitions.
How to spot a BEC scam
Look out for a spoofed email address – A spoofed address is a slight variation of a legitimate address (for example, jdoe@corebamk.com instead of the proper address, jdoe@corebank.com).
Be mindful of spearphishing – Spearphishing is the fraudulent practice of sending emails that appear to come from a known sender in an attempt to obtain sensitive information from individuals. Carefully review messages that look like they’re from a trusted sender. If the email asks for sensitive information or anything that seems a little out of the ordinary, call the sender to verify the email came from them or forward the email to your IT department.
Language and formatting issues – Look out for grammar and spelling mistakes, odd date formats, incoherent sentences, and other cues that the email may be written by a non-native English speaker, which is common in these types of attacks.
What is an Email Account Compromise (EAC)?
An Email Account Compromise happens when an email username and password have been taken over by a bad actor. They then download the information from the mailbox and research its contents. Then they reach out to contacts and try to perpetrate Business Email Compromise. These can be difficult to spot since the email comes from the exact same address the real customer normally uses.
How to Spot an EAC
Requests that seem out of the ordinary – For example, asking for all account balances when the customer has access to look them up themselves, or a phone number in the signature line that doesn’t match the phone number from old emails or in saved contacts.
Urgency – Any sense of urgency should be reason to pause and make a phone call to the sender. Always remember to call using a previously saved number or a number from an old email.
Language and formatting issues – Look out for grammar and spelling mistakes, odd date formats, incoherent sentences, and other cues that the email may be written by a non-native English speaker, which is common in these types of attacks.
How to protect yourself
Limit information shared online – You might think sharing trivial information like pet names, family members, birthdays, and schools you attended is harmless, but scammers can use this information to answer your security questions or even guess your password.
Don’t be quick to click – Always be wary of unsolicited emails or texts with links. Scammers often impersonate companies you have accounts with by sending communication asking you to update or verify account information. To verify whether they made the request, call the company using a phone number you look up online instead of the one provided in the email.
By carefully examining email addresses and URLs, you prevent your eyes from deceiving you since spoofed email addresses are usually very similar to legitimate addresses. If the email includes a link, hover your mouse over it to preview the address it would take you to if you were to click.
Watch out for attachments – Never open an attachment from an unknown sender. Additionally, be cautious about email attachments forwarded to you, even when they come from someone you trust. Their account may have been compromised and may be controlled by a scammer.
Demanding emails – Emails telling you to keep your communication private or pushing you to act quickly on a request are major red flags. If payment or purchase requests are being made, make sure to confirm them over the phone or in person if possible in order to verify their legitimacy.
According to the FBI, between 2014 and 2019, business email compromises cost U.S. companies more than $2 billion. Don’t let your company become part of a statistic.
Core Bank is committed to the safety and security of your assets. For more tools and resources to help you protect your identity and assets visit https://corebank.com/cybersecurity/.