Can you tell a legitimate business email from a fake?
If you think cyber-criminals only target the big players and wouldn’t be interested in your small business, think again. Increasingly, it’s smaller businesses that are facing cyber-attacks.
Most small businesses don’t have the security measures in place that big organisations tend to implement. Cyber-security may not have been prioritised, leaving the business vulnerable to attack. That makes the smaller players ideal targets for cyber-criminals.
These cyber-attacks are becoming more common. A whopping 62% of small to medium-sized businesses (SMBs) reported experiencing a data breach in the past year (according to Keeper Security and Ponemon Institute).
How do the attackers target small businesses? And importantly, what can you do about it? Read on to find the most common tactics and ways to protect your business from these prolific cyber-criminals.
Business email compromise explained
On a daily basis, there are 156,000 attempts to compromise business emails. That’s a cyber-criminal trying to use your email for their gain.
Think about the volume of emails that drop into your inbox. Would you be able to distinguish a legit email from a counterfeit one?
An astonishing 91% of successful cyber-attacks start with a phishing email. One such attack is Business Email Compromise (BEC), a cyber-crime in which scammers assume the digital identity of a trusted persona to trick employees or customers into taking a desired action. That may be making a financial transaction or sharing data or sensitive information.
The result of a cyber-attack on your business goes beyond the monetary. It can also cause huge brand damage, business downtime and the many implications of breaching data security regulations.
It can be really hard to detect and prevent this kind of attack. Traditional measures can’t combat the advanced techniques used by cyber-criminals.
Most common tactics used for business email compromise
What do the attacks look like? They’re ever changing and becoming more complex. Some of the most common scams include:
Vendor invoice scam
The attacker lurks in an employee’s inbox (typically a finance or administrative role) to take note of working patterns. They then intercept invoices being sent between your business and a supplier or client. They will alter the payment details on the invoice so that the funds are transferred to a bank account that isn’t the one intended originally.
Employee payroll manipulation
Similarly, the attacker poses as an HR official and alters payment information for an employee’s salary so that it goes to the criminal rather than the employee.
CEO fraud
If you get an email from your CEO asking you to send money somewhere, you’re likely to comply. But what if it’s not your boss, but a cyber-criminal impersonating them? That money is then in the hands of the criminal. In one case, a finance worker was conned into thinking that his CFO had requested a payment of $25 million when it was actually an impersonator.
Admin account takeover
This technique targets IT professionals with administrative rights to the company’s Microsoft 365 account. Once they gain admin access, the criminals can read and manipulate business emails and create myriad new accounts.
Personally identifiable information data theft
This scam is a long game rather than a quick win. The scammers take time to gain the trust of an employee and entice them to share sensitive data. This then escalates, with the targeted individual pressured into taking malicious actions such as installing software or transferring data or money.
How to protect your organisation from business email compromise
Don’t be complacent and assume that cyber-criminals won’t target you. Be proactive and defend your business against BEC. Here’s how:
• Enforce two-factor (or multi-factor) authentication (2FA) wherever you can.
• Always verify via phone any requests for changes to financial information or payments.
• Report to your IT team any unusual behaviour with your computer or cloud program (e.g. missing emails).
• Don’t enter any personal or sensitive information onto a website that you got to by clicking a link in an email. Manually navigate to the website instead.
• Look carefully at URLs, email addresses and spelling in emails.
• Don’t click on links or open attachments in unsolicited emails. This is particularly true if you’re asked to verify or update account details.
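The advice above to look carefully at email addresses and to verify payment changes out of band can be partly automated on the receiving side. The following Python script is an added example for this page, not code from the original article or its authors; it checks a raw email for the classic BEC tells that the list describes: a Reply-To that points somewhere other than the sending domain, a display name that embeds a different address from the real sender, a sender domain that imitates a supplier you trust (look-alike characters or a one-character typosquat), and wording that asks to change where money goes. The trusted domain list, the confusables table and both sample messages are constructed for the example.

```python
import re
import unicodedata
from email import message_from_string, policy

# Constructed list of domains this business legitimately exchanges invoices with.
TRUSTED_DOMAINS = {"acme-supplies.example", "ourcompany.example"}

# Hand-picked table of characters swapped in to imitate a domain. Deliberately
# small; a real deployment would use a fuller Unicode confusables list.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Phrases that should trigger the "verify by phone" rule before anything is paid.
PAYMENT_CHANGE = re.compile(
    r"\b(new bank|bank details|account number|payment details|updated account|wire)\b",
    re.IGNORECASE,
)


def normalise_domain(domain: str) -> str:
    """Fold case, Unicode compatibility forms and common look-alike characters."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def first_address(msg, header: str) -> tuple[str, str]:
    """Return (display name, addr-spec) of the first mailbox in a header, or empty strings."""
    value = msg[header]
    addresses = getattr(value, "addresses", ())
    if not addresses:
        return "", ""
    return addresses[0].display_name, addresses[0].addr_spec


def analyse_message(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = first_address(msg, "From")
    from_domain = domain_of(from_addr)

    # 1. Reply-To points somewhere other than the sending domain.
    _, reply_addr = first_address(msg, "Reply-To")
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 2. The display name shows an address that is not the real sender.
    shown = re.search(r"[\w.+-]+@[\w.-]+", from_name)
    if shown and domain_of(shown.group()) != from_domain:
        findings.append("display-name-address-mismatch")

    # 3. The sender domain imitates a trusted domain without being that domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if from_domain != trusted and (
            normalise_domain(from_domain) == normalise_domain(trusted)
            or edit_distance(from_domain, trusted) <= 1
        ):
            findings.append(f"lookalike-of:{trusted}")

    # 4. The message asks to change where money goes: verify out of band.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    if PAYMENT_CHANGE.search(msg.get("Subject", "") + "\n" + body):
        findings.append("payment-change-request")

    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = "\n".join([
    'From: "Acme Supplies Accounts <accounts@acme-supplies.example>" <accounts@acme-supp1ies.example>',
    "Reply-To: accounts@acme-invoices-mail.example",
    "To: finance@ourcompany.example",
    "Subject: Invoice 4471 - updated account details",
    "",
    "Please note our new bank details for this invoice.",
    "",
])

LEGITIMATE = "\n".join([
    'From: "Acme Supplies Accounts" <accounts@acme-supplies.example>',
    "To: finance@ourcompany.example",
    "Subject: Invoice 4471",
    "",
    "Please find invoice 4471 attached. Terms are 30 days as agreed.",
    "",
])

if __name__ == "__main__":
    print("suspicious:", analyse_message(SUSPICIOUS))
    print("legitimate:", analyse_message(LEGITIMATE))
```

Each finding maps back to one of the bullet points: a look-alike or mismatched domain is what "look carefully at email addresses" is asking a human to spot, and a `payment-change-request` hit is the moment to pick up the phone and verify with the supplier on a number you already hold, not one in the email.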
We can help you to stay protected from email attacks
You may think that you’ve taken steps to ensure your business emails remain secure. The truth is that most small businesses are not doing enough and leave themselves vulnerable to email cyber-security attacks. 82% of SMEs reported that malware had evaded their antivirus solution (according to Keeper Security and Ponemon Institute).
Our Managed Detection and Response for Microsoft 365 provides 24/7 security. Reduce your risk of attack and make your communication intrinsically more secure with our support.
We have the technical know-how to implement advanced solutions for your business. We take a human-centric approach to attack prevention and protection. Our dedicated security experts are there for you day and night to catch and combat BEC attacks.
Contact our expert team and ramp up your business’s protection from email attacks.