

How to nip in the bud ‘Business email compromise’



Signal Alliance reveals innovative email protection solution

Many business organisations and public institutions are faced, one way or another, with the challenge of their corporate email being compromised.

To a large extent this has brought loss of business or embarrassment. Those who have not been able to manage it successfully by staying on top of the situation are those whose knowledge and technology partnerships need to be upgraded.

In the technology parlance, the Business e-mail compromise (BEC) is when an attacker hacks into a corporate e-mail account and impersonates the real owner to defraud the company, its customers, partners, and/or employees into sending money or sensitive data to the attacker’s account.

BEC is also known as a “man-in-the-email” attack. This is derived from the “man-in-the-middle” attack where two parties think that they are talking to each other directly, but in reality, an attacker is listening in and possibly altering the communication.

This is how it works. A BEC scam starts with research. An attacker will sift through publicly available information about your company from your website, press releases, and even social media posts.

He/she might look for the names and official titles of company executives, your corporate hierarchy, and even travel plans from email auto-replies.

The attacker will then try to gain access to an executive’s e-mail account. To remain undetected, he/she might use inbox rules or change the reply-to address so that when the scam is executed, the executive will not be alerted.

Another trick is to create an e-mail with a spoofed domain. For example, the attacker might use [email protected] instead of [email protected], or [email protected] instead of [email protected].

If you do not pay close attention, it is easy to get fooled by these slight differences. One of the most famous spoofed domain tricks ever was the “” – a scam site imitating a money transfer website.
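As an added defender-side example (not from the article or from Signal Alliance), the following Python screens an incoming message for the two header tricks described above: a sender domain that is a lookalike of the corporate domain, and a Reply-To address that quietly diverts replies to a different domain. The protected domain example.com, the confusable-pair list and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# example.com stands in for the protected corporate domain (constructed value).
PROTECTED_DOMAINS = {"example.com"}
# Visually confusable sequences commonly swapped into lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    """Fold confusable sequences so 'exarnple' and 'example' compare equal."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d

def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but is confusable with one that is."""
    d = domain.lower()
    return d not in PROTECTED_DOMAINS and any(
        normalize(d) == normalize(g) or edit_distance(d, g) <= 1 for g in PROTECTED_DOMAINS)

def screen_message(raw: str) -> list:
    """Flag a lookalike From domain and a Reply-To that diverts replies elsewhere."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    if is_lookalike(from_dom):
        findings.append(f"lookalike sender domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    return findings

# Constructed sample: a CEO lookalike address with a diverted Reply-To.
SAMPLE = ("From: CEO <ceo@exarnple.com>\nReply-To: ceo@example-mail.net\n"
          "To: finance@example.com\nSubject: Urgent wire transfer\n\nPlease pay today.\n")

if __name__ == "__main__":
    print("\n".join(screen_message(SAMPLE)) or "no findings")
```

In a real gateway the protected-domain set would also include partner and supplier domains, since the fraudulent invoice scam described below uses lookalikes of those rather than of your own domain.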

After scouting corporate communications for some time, the attacker will probably have a good idea of scam scenarios that might work. For instance, if the company has a lot of suppliers, he/she can send invoices to account for the rush payment of materials.

The attacker would know who is responsible for wire transfers and be able to craft a convincing scenario that would require the immediate transfer of funds.

Some of the most prevalent examples of BEC scams are:

The fraudulent invoice scam is when a cybercriminal uses an employee’s e-mail to send notifications to customers and suppliers asking for payment to the cybercriminal’s account.

The fake boss scam is when a fraudulent email is sent from a business executive’s account to employees instructing them to urgently transfer money from the corporate account to the criminal’s account.

The fake attorney scam is when a lawyer’s e-mail address is used to contact clients, asking that they pay money immediately to keep things confidential.

However, business e-mail compromise attacks do not only involve money; sometimes, attackers seek PII or trade secrets.

One high-profile BEC case involved a Lithuanian cybercriminal who used the e-mail addresses of suppliers. Companies that were targeted include Apple and Facebook. By impersonating suppliers, the hacker was able to steal $100 million in two years.

In another case, the FACC AG CEO was fired after such an attack cost the company $54 million.

In 2016, there were at least 40,000 incidents of business e-mail compromise or other incidents that involve e-mails—an increase of around 2,370% since January 2015.

In the second half of 2016 alone, the FBI reported more than 3,044 victims in the United States, with a combined loss of around $346 million. Where does most of the money go?

Most of the victims are told to send the money to an Asian bank, usually in Hong Kong or China, or a bank in the United Kingdom.

But you can protect your business or organisation from all these challenges!

Business e-mail compromise attacks are successful for three main reasons:

Insufficient security protocols

Social engineering

Lack of employee awareness

Multi-factor authentication should be implemented as an IT security policy. This will help prevent unauthorized access to e-mail accounts, especially if an attacker attempts to log in from a new location. In addition to stronger security protocols, employee education is also important. Employees should be trained to identify fraudulent e-mails.

Always be skeptical of urgent and rush money transfer requests, especially from C-level executives, and verify those requests, either by phone or in person.

According to Signal Alliance Technical Security Consultant, Victor Ugwu, the company offers a robust and adaptive email security solution both on-premises and in the cloud.

Signal Alliance on email security

Beyond email security, they also provide tested and trusted cybersecurity solutions ranging from perimeter security, infrastructure security, cloud and mobile security to managed security services.