Published in


Preventing BEC Attacks

Photo by rawpixel on Unsplash

Business Email Compromise (BEC) attacks have increased by almost 500% over the previous year. They are the most common cyber threat to businesses today, and can result in losses to finances and reputation.

BECs are social engineering attacks made against employees of a business. The criminal attempts to impersonate a contact of the employee, whether that be a higher up in the business or an external supplier. Unlike regular phishing, where a criminal may send out many emails, BEC attacks tend to focus on one employee, who is groomed into trusting the attacker.

Once the victim has been deceived the attacker will request a transaction. The victim will believe it to be legitimate, but in fact the criminal is siphoning the money for themselves. In worse case scenarios the criminal might pull of multiple cons.

BEC attacks are also vectors for malware and ransomware attacks. These can be very damaging to a business.

How Can I Protect My Business From BEC Attacks?

The key to keeping your business secure is to educate your employees on the risks and how to keep safe. Employees should be taught how to spot and evade fraudulent emails. Up to date technology and procedures can also reduce the risks of BEC attacks.

Avoiding Opening Emails From Unknown Parties

The safest way to avoid risk is to not click the email in the first place. Employees should check the address of the sender carefully for any differences that might be a sign of a spoofed address. This could include “l” with “1” or a subtle misspelling that could easily be overlooked.

Check Links

Links in emails can be disguised using anchor text. You can reveal the true destination by hovering over the link. A box next to the cursor or in the bottom corner of the browser will display the real address the link leads to. Investigate these carefully. Fraudulent links may try to mimic a real address.

Avoid Attachments

Attachments are one of the most common methods criminals use to distribute malware. Unknown attachments must never be opened. Even attachments you are expecting should be scanned by up to date anti malware before being accepted.

Use a Company Domain

Using free web-based emails accounts for your business makes it easier for criminals to spoof your addresses. You should create a company domain and use it for your email accounts instead. Criminals may still try to mimic the address, but diligent employees will be able to spot the inconsistencies.

As well as protecting your business, customers are more likely to trust an email if it comes from a branded email address.

Verify Money Transfers

Creating a procedure for money and data transfers can prevent careless losses. Any transfers should be verified with another member of staff through face to face or telephone call, using previously established numbers. You should not rely on any contact methods suggested by the email, especially if they differ from the norm.

Consider What Information Your Are Putting Online

Cyber criminals can use the information you put online to enhance their facades. They use this data to build profiles of employees in preparation for grooming them as part of their phishing attempts. This can include names, addresses, job titles and descriptions.

Posting details about holidays can clue criminals to when key figures will be out of the office. This can present them with the best opportunities to attack. Keep the holiday photos for when you return.

Keeping social media accounts private can prevent criminals from trawling them for data.

Keep Anti-Malware Updated

Using the latest anti-virus and malware technology can catch harmful payloads often distributed by email. Malware is constantly evolving, so it is vital to regularly updated your software to keep up.

Email Authentication

Using email authentication, such as SPF, DKIM, and DMARC, can protect you from email spoofing.

Email authentication gives the sender a way of proving that an email comes from who it claims to be from. Without it, a criminal can more easily pretend to be someone from the company when sending out their fake emails.

Emails that fail the authentication process should end up in the spam folder or outright rejected. With DMARC you can even get reports whenever there has been an attempt at abusing your domain.

Not only does email authentication protect your employees, but it prevents criminals from scamming your customers, as messages that fail validation will be sent to the spam folder or rejected.

Keeping your emails secure takes time and effort, but is a necessary step in ensuring the safety of your business and its customers.

Originally published at on February 22, 2019.




Stories from the world of

Recommended from Medium

Voting on Tezos with your Ledger Nano S

UPDATED. HELM. Encrypted variables. How not to commit sensitive information to a GIT

Cryptography (1–5 Levels)

Startup Island TAIWAN Attends HITCON for a More Comprehensive Information Security Environment


Anatomy Of Biometric Signature

Cybersecurity Sessions recap: Artificial Engagement and Ad Fraud

IDOR via Websockets allow me to takeover any users account

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
James Pattison

James Pattison

More from Medium

T’was the Night Before the Breach (2021 Edition)

The University That Was Hit By A Cybersecurity Attack (and The 6 Cybersecurity Vulnerabilities You…

The Most Common Cyber Threats in the World

Security.txt: publishing a security policy for your websites