As a small business owner you are proud of your digital presence. You’ve built your website, manage your social media following, send out email marketing messages and have your team working in email day to day. Now, more than ever, it’s all at risk from cyber threats, including rising Business Email Compromise (BEC) attacks.
Hacked email accounts and BEC attacks jumped 81% in 2022. In 2022 alone, businesses worldwide lost a staggering estimated $1.8 billion to BEC attacks, according to the FBI’s Internet Crime Complaint Center (IC3).
Up to 60% of small businesses close within 6 months of being hacked.
Worst of all, as many as 98% of employees fail to report email threats. Often, as we find as a Managed IT Security Provider in Toronto, it’s because they have no one to report it to. Many small businesses continue to operate without a dedicated IT staff member or an outsourced IT management services company. That makes small businesses the easiest targets for email hacking. Now, don’t let that scare you into inaction; it should motivate you to take proactive steps. Here’s what you need to know.
What Is A BEC Attack?
BEC attacks involve cybercriminals posing as company owners, senior staff or trusted partners in emails, and persuading employees to perform actions that compromise the business, such as transferring funds or revealing sensitive information. The criminals are slick and sophisticated, and their deceptive emails can be hard to tell apart from legitimate ones.
How To Identify A Business Email Compromise Attack?
The methods criminals use to execute Business Email Compromise (BEC) scams have become quite intricate, so the red flags below are guidelines only, not a comprehensive list.
1. Urgent financial transaction requests: If you are asked to act quickly, or quietly, be wary. Be especially wary if the request involves skirting normal processes or comes from a senior staff member with whom you usually don’t communicate.
2. Manipulated email addresses: Scrutinize every email address linked to a request for a financial transaction or sensitive information. Criminals often make minor modifications to genuine addresses so that they look right at a glance. For example, if the genuine address is jane.doe@example.com, the lookalike could be jane.doe@examp1e.com (the letter l replaced by the digit 1) or jane.doe@example.co (a different top-level domain). Hover over or click the sender’s name to see the full address rather than just the display name, and check the Reply-To address as well: a message can show a familiar From address while replies are silently routed to the attacker.
3. Solicitations for confidential data or login requests: If you are directed to click a link to a login page, asked to update your financial account details (even if the request appears to come from your bank), or asked for tax-related details, exercise extreme caution.
4. Unanticipated emails: Watch out for unexpected requests for payment that deviate from a trusted supplier’s normal schedule, process or contact person, especially a sudden change of bank account details.
5. Suspicious attachments and links: If you didn’t request or expect it, if the file name is unusual, if the file type is rare, or if the source isn’t trusted, don’t open it.
Take Action: Strengthen Your Email Security Today
Here are some steps to improve email security. You have likely heard it all before, but if you haven’t implemented all of them, now is the time.
Set up Financial Security Measures
Ensure you have a written policy and process for verifying every financial transaction through a second channel before it is made. A request to pay a new account, or to change a supplier’s banking details, should be confirmed by a second person and by phoning the requester or supplier on a number you already have on file, never on a number supplied in the email itself. This simple step can halt most BEC scams in their tracks, because the attacker controls the email thread but not your phone book. We recommend this type of policy to all our clients with Managed IT Services in Toronto.
Educate Your Team
ChatGPT and other AI language models are being used to improve email attacks by drafting fluent copy that is free of the telltale grammar and spelling mistakes of the spoofed emails of the past.
Small businesses should educate their employees about the risks of BEC and provide training on how to identify and avoid these scams.
Employees should be aware of the tactics scammers use. Training should cover email account security, including:
- Being suspicious of any urgent requests received.
- Being aware and cautious of spoofed email addresses, social engineering and fake websites.
- Checking their sent folder and inbox rules regularly for messages they didn’t send and for forwarding or delete rules they didn’t create; attackers who take over a mailbox commonly add such rules to hide their activity from the account owner.
- Using a strong email password of at least 16 characters.
- Turning on multi-factor authentication (MFA) for email, so that a stolen password alone is not enough to log in.
- Never using the same password for multiple accounts.
- Storing their email password in a password manager rather than in a document, a note or the browser of a shared computer.
- Notifying an IT contact if they suspect a phishing email.
Use Domain & Email Authentication Protocols
Publishing the following email and domain security records is quick, often an hour or so of your IT provider’s time. Moving DMARC to an enforcing policy safely takes longer: start in monitoring mode, review the aggregate reports for a few weeks so that every legitimate sending service (your mail platform, newsletter tool, invoicing system) is covered by SPF and DKIM, and only then move to quarantine and finally reject, or you risk blocking your own mail.
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting, and Conformance (DMARC), which builds on SPF and DKIM
These protocols help:
- Let receiving mail servers verify that a message claiming to come from your domain was actually authorized and sent by you.
- Reduce the risk of your domain being spoofed against your customers, suppliers and staff.
- Keep your legitimate outgoing emails out of recipients’ junk mail folders.
They protect only your own domain name. They do nothing against a lookalike domain, a spoofed display name, or a message sent from a mailbox the attacker has genuinely taken over, which is why the red flags and verification steps above still matter.
Install Anti-Phishing and Email Security Software
Advanced email security solutions can identify and block fraudulent emails and many BEC attacks. They can spot unusual patterns, block malicious email addresses, and warn users of potential threats. As AI and machine learning see wider use, these tools become more effective; however, so do the attackers.
IT security is not a set-it-and-forget-it task; it requires day-to-day management. Outsourced IT services for small business are an effective way to get that coverage.
It only takes an honest mistake and a moment for money to leave your account and be gone forever. Don’t leave your small business emails unprotected.
Schedule your free Discovery Call today to discuss our email security solutions.