What is CEO Fraud, or BEC, and What’s the Risk?
According to the FBI’s 2020 Internet Crime Report, more than $1.86 billion in losses were attributed to Business Email Compromise (BEC), also known as CEO fraud, and Email Account Compromise (EAC) scams. And those are only the losses reported to the FBI’s IC3.
BEC and EAC scams are, at their core, attempts to trick a business into sending money, usually by wire transfer, to an account the attacker controls. As Trend Micro describes, “BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. Often, they impersonate the CEO or any executive authorized to do wire transfers.”
Phishing scams and social engineering attacks are big business. If you are in any position of authority at your company, you are a target. If you work in the Finance Department, Human Resources, or IT, you are a target. If you are an Executive Assistant or similar role, you are a target.
How to Combat CEO Fraud/BEC
Watch the 50-second video below for 5 ways to protect yourself and your company from BEC scams. Then read below for more details.
The 5 tips to combat CEO fraud, as shown in the video above:
1. Identify Your High-Risk Users
High-risk targets are C-level executives, their assistants, and HR, Finance, and IT staff.
As an example of how to implement this, you could have your IT partner set up profiles based on those employee roles. Your employee onboarding process could then use those profiles to send introductory information on the additional risk of the position, link to a brief webinar or video, and automatically enroll the employee in a simulated phishing campaign.
2. Implement Safeguards
Use multi-factor authentication (MFA), email filters, and proper access control (permissions) to ensure a strong technical defense.
Do what you can with the tools you have to limit the chance that an attack reaches your team. MFA blocks most account takeovers even when a password has been phished; email filtering can flag messages whose Reply-To points outside the company or whose sender domain is a lookalike of yours; and least-privilege permissions limit what a compromised account can do. These scammers will keep evolving and trying to get around our defenses, but it’s important not to make it easy for them. The basics still matter, and they’re a great place to start. If you’re curious about more advanced protection options, reach out. We’re happy to answer any questions.
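The following script is an added example, not code from the original article, showing what an “email filter” for CEO fraud can actually check. It parses a message and flags the classic BEC tells: a display name that matches an executive but a From address that does not, a Reply-To that points to a different domain than From, a sender domain that is a lookalike of the company’s, failed SPF/DKIM/DMARC results, and urgency or payment language. The company domain `example.com`, the executive roster, and the three sample messages are constructed for the demo.

```python
"""Flag common CEO-fraud (BEC) indicators in an inbound email.

Added example. COMPANY_DOMAIN, EXECUTIVES and the sample messages below are
constructed assumptions, not data from any real organisation.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the protected organisation's domain
# Constructed roster of high-risk identities: display name -> legitimate address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

PAYMENT_WORDS = re.compile(r"\b(urgent|wire|transfer|gift cards?|confidential|asap)\b", re.I)
# Digits commonly swapped for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, target=COMPANY_DOMAIN):
    """True for domains one edit, a homoglyph swap, or an added affix away from ours."""
    if not domain or domain == target:
        return False
    label = domain.split(".")[0].replace("rn", "m").translate(HOMOGLYPHS)
    base = target.split(".")[0]
    return base in label or edit_distance(label, base) <= 1


def bec_indicators(raw_message):
    """Return the list of CEO-fraud indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    findings = []

    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append("display name matches an executive but address differs")
    if reply and domain_of(reply) != domain_of(addr):
        findings.append("Reply-To domain differs from From domain")
    if is_lookalike(domain_of(addr)):
        findings.append("sender domain looks like ours but is not")
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        findings.append("sender authentication failed")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_WORDS.search(msg.get("Subject", "") + "\n" + text):
        findings.append("payment or urgency language")
    return findings


# Constructed sample messages, not captured traffic.
SPOOFED = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: ap@example.com
Subject: Urgent wire today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail
Content-Type: text/plain; charset="utf-8"

I'm in a meeting, please wire the vendor the attached amount and keep this confidential.
"""

LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
To: ap@example.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I need you to buy some gift cards.
"""

BENIGN = """\
From: Bob Smith <bob.smith@example.com>
To: team@example.com
Subject: Lunch on Friday
Content-Type: text/plain; charset="utf-8"

Thai or pizza?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(label, "->", bec_indicators(sample) or "no indicators")
```

None of these checks is conclusive on its own (executives do occasionally mail from personal accounts), which is why a filter like this should quarantine or banner the message for the recipient rather than silently drop it, and why the callback verification described under the security policy still matters.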
3. Set a Security Policy
Include best practices such as not opening attachments or clicking on links from unknown sources, plus good password management. For BEC specifically, require that any request to change payment details or make an urgent wire be verified by phone using a number already on file, never one supplied in the email itself.
Don’t have a Security Policy? Don’t fret. You can draft one simply by starting with the common sense rules you know. Then take advantage of the following free resources we’ve put together, or let us know you’d like some help.
4. Make an Incident Response Plan
Write a procedure for the notification, handling, and resolution of a cyber incident. Then test it.
Sounds so simple. We understand, however, that creating an Incident Response Plan is a lot more involved. It requires input from every department in your company, and it will only be truly effective with input from your legal, financial, and other business partners, too. It is worth the time and effort, though. So don’t get overwhelmed thinking about the whole thing: designate someone to take charge of it, and work on it step by step. This information will help.
5. Train, Train, and Retrain
User education is critical to your protection. Send simulated phishing messages, and consistently check in with staff about threats and proper procedures.
‘One-and-done’ notices or warnings don’t work against attacks that continue to evolve. The approaches change, the messages change, and if your employees are only looking for one kind of red flag, they could miss the ten others right in front of them. An easy way to keep everyone in the know is to sign up for the Top 3 Cybersecurity Scams email our CEO sends on the first of every month. You can also set up awareness campaigns that send simulated phishing attacks with real-time help and explanation. We run such a program internally and for interested clients. Click the button below for a few more tips, and a way to contact us about advanced security options.