Business Email Compromise (BEC) schemes continue to be the costliest: in 2020, there were 19,369 complaints with an adjusted loss of approximately $1.8 billion.
In 2020, the FBI's Internet Crime Complaint Center (IC3) received a record number of 791,790 complaints from the American public, with reported losses exceeding $4.1 billion. This represents a 69% increase in total complaints from 2019. Please see the FBI's Internet Crime Report 2020 for additional information.
How does BEC take place?
The critical point in a BEC event is the attacker gaining access to an email account. Account access starts with credentials that are guessed, coerced, or purchased from the Dark Web.
Guessing works when passwords do not meet complexity guidelines. Coercing happens when you click on a link in an email that opens a form asking you to authenticate. The authentication form is a perfect replica of the OneDrive login page, and because it looks familiar, some people will enter their credentials. The Dark Web is a marketplace for credentials harvested in a data breach of some online service. Suppose a person uses the same email address and password for an online account (like LinkedIn) and for their corporate email account. In that case, the breached password could give the attacker access to the corporate account as well.
With a working email address and password in hand, the hacker then attempts to log into your Microsoft 365 account. If successful, they now have full access to your email account and everything in your OneDrive and SharePoint.
Protecting your Business
There is good news about defenses. Multi-Factor Authentication (MFA) is not perfect but does provide robust protection in the case of BEC. Since MFA requires that additional authentication factor, it blocks a hacker who only has the email address and password. Most people are already comfortable with MFA to get online access to their bank account, medical portal, or other sites with highly sensitive personal information.
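To make the point above concrete, here is an added example (not code from the original article or from Kite Technology) of a login check that requires a second factor. It assumes a time-based one-time password (TOTP, RFC 6238) as the second factor, a hypothetical user store, and a fixed timestamp taken from the RFC's published test vectors so the run is reproducible. The password hashing and user records are illustrative only; the point is that a correct password without the second factor is rejected, which is exactly the situation an attacker with phished or breached credentials is in.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 password hash (illustrative; production would use a memory-hard KDF such as Argon2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def totp_code(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step that contains unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.4
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current step plus/minus drift_steps to tolerate clock skew; compare in constant time."""
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp_code(secret_b32, unix_time + step * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def make_user(password: str, totp_secret_b32: str) -> dict:
    """Hypothetical user record: salted password hash plus the enrolled authenticator secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret_b32}


def login(users: dict, username: str, password: str, otp: Optional[str], unix_time: int) -> str:
    """Return 'ok' or 'denied:<reason>'. Both factors are checked; a password alone never succeeds."""
    user = users.get(username)
    if user is None:
        return "denied:unknown_user"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "denied:bad_password"
    if otp is None:
        return "denied:mfa_required"
    if not verify_totp(user["totp_secret"], otp, unix_time):
        return "denied:bad_mfa"
    return "ok"


# Constructed demo data: the secret is the RFC 6238 reference seed ("12345678901234567890" in base32).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
USERS = {"alice@example.com": make_user("Winter2020!", DEMO_SECRET)}

if __name__ == "__main__":
    t = 1111111109  # fixed timestamp from the RFC test vectors, so the output is reproducible
    # Credential-only attempt, as after a phishing form or a reused breached password: blocked.
    print(login(USERS, "alice@example.com", "Winter2020!", None, t))      # denied:mfa_required
    print(login(USERS, "alice@example.com", "Winter2020!", "000000", t))  # denied:bad_mfa
    # Legitimate user with the authenticator app's current code: allowed.
    print(login(USERS, "alice@example.com", "Winter2020!", totp_code(DEMO_SECRET, t), t))  # ok
```

The one-step drift window is the usual trade-off between tolerating a phone whose clock is slightly off and keeping the number of codes an attacker could guess small; a real service would also rate-limit failed OTP attempts and log them as a signal that someone already holds the password.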
An additional huge step in building defenses against BEC is Security Awareness Training. Educating users on what to look for, how to be cautious, and specifically what to do if they suspect an email addresses the human side of BEC.
MFA and Security Awareness Training are vital components of an effective cybersecurity strategy. Reach out to your IT professional for additional best practices to secure your business and protect your clients.
Author: Jeff Kite, President and Founder of Kite Technology