Business Email Compromise
Protect your company from email fraudsters.
People First Since 1912
Keep Your Company Safe
Business email compromise (BEC) is a type of phishing scheme in which a fraudster attempts to trick an employee into transferring money or sensitive data. Commonly, the email account of an executive, high-level employee, or well-known business associate is spoofed or compromised and then used to ask the employee who processes wire transfers to carry out a fraudulent transaction. This crime is particularly stealthy because it relies on social engineering to manipulate people rather than on malware that security tools can detect.
BEC is on the rise — and it’s often difficult to prevent because it’s very targeted. So what do you need to watch out for? Read below to learn more.
- According to the FBI’s 2017 Internet Crime Report, BEC and email account compromise (EAC) represented the highest reported losses — costing 15,690 victims more than $676 million. BEC often evades detection because, from the company’s and the bank’s perspective, the transaction appears legitimate: a real employee submitted it. Confirmation calls and other verification steps therefore typically reach the employee who submitted the request in good faith, who confirms it, making BEC even trickier to identify.
- The victims of BEC scams range from small businesses to large corporations, according to a public service announcement from the FBI. Victims also come from a variety of industries, with no one sector appearing to be a favored target. BEC is profitable because each attack is tailored to its specific target.
- Tripwire reported that criminals do a lot of homework and seek a variety of information when targeting a victim, including:
- General information about the company (e.g., where and with whom it does business)
- Names and titles of company officers
- Management organizational structure
- Information about new rounds of funding
- Information about new products, services, and patents
- Product or geographic expansion plans
- Travel plans
According to the Internet Crime Complaint Center (IC3), BEC complaints share some common characteristics. Businesses that use free, publicly available web-based email accounts are frequently targeted, as are employees who handle wire transfers.
The scenario often plays out like this: An email arrives that appears to be from a high-level executive within the company — or even a business partner or company attorney. Because the sender address has been spoofed (or the account itself has been compromised), the email appears legitimate. It contains a request for a wire transfer and urges the recipient to take immediate action.
The fraudulent email might claim, for example, that a supplier requires prompt payment for a service rendered. IC3 reported multiple instances of fraudsters impersonating lawyers and reaching out to potential victims to handle supposedly confidential or time-sensitive matters.
Keep in mind: Requests for money might ultimately come via a phone call. While BEC is initiated over email, criminals can use various modes of communication to complete the fraud.
Implement a comprehensive awareness program for employees that spells out the details of BEC and how to recognize potentially malicious emails. The program should train users to identify suspicious requests and to cross-reference the sender’s full email address (not just the display name) with the corresponding executive’s known address. Most importantly, employees should never reply to a suspicious email or call a phone number it contains; any payment request should be verified through a contact obtained independently, such as a number from the company directory.
Set up an email gateway to flag keywords like “payment,” “urgent,” “sensitive” and “secret” — all of which are common in fraudulent emails. Companies should also register as many domains as possible that are slightly different from the legitimate company domain (transposed, dropped, or visually similar characters) to reduce the risk of lookalike-domain spoofing. Defensive registration cannot cover every variant, so the gateway should also flag external senders whose domain merely resembles the company’s. Company leaders should avoid using free, web-based email services. Instead, they should establish a company domain name and use it to create official company email accounts.
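The two controls above, keyword flagging at the gateway and cross-checking the sender’s address against a known executive directory, can be combined into one inbound screen. The following is an added example written for this page, not code from the original page or from any vendor product; the company domain, the executive directory, the keyword list and the sample messages are all constructed for illustration. It also generates the lookalike variants of the company domain (dropped, doubled, transposed and look-alike characters, alternate top-level domains) so that a message from such a domain is flagged even if the domain was never defensively registered.

```python
"""Added example: a minimal inbound-mail screen for BEC indicators.
Not from the original page or any product; domain, directory, keywords
and messages below are constructed for illustration."""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-bank.com"            # assumed legitimate domain
KNOWN_EXECUTIVES = {                            # assumed directory of known addresses
    "Jane Doe": "jane.doe@example-bank.com",
    "Carlos Ruiz": "carlos.ruiz@example-bank.com",
}
RISK_KEYWORDS = ("payment", "urgent", "sensitive", "secret", "wire")
# Character substitutions that look alike in common fonts.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "rn": "m", "m": "rn", "vv": "w", "w": "vv"}


def lookalike_domains(domain):
    """Return a set of common lookalike variants of `domain`: one character
    omitted, doubled or transposed, homoglyph substitutions, and alternate TLDs."""
    name, _, tld = domain.rpartition(".")
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                 # omission (also drops a hyphen)
        variants.add(name[:i] + name[i] + name[i:])           # doubled character
        if i + 1 < len(name):                                 # adjacent transposition
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for src, dst in HOMOGLYPHS.items():
        if src in name:
            variants.add(name.replace(src, dst))
    variants.discard(name)
    result = {v + "." + tld for v in variants}
    for alt in ("net", "org", "co", "biz", "com.co"):        # same name, different TLD
        if alt != tld:
            result.add(name + "." + alt)
    return result


def screen_message(sender_header, subject, body):
    """Return a list of reasons to hold the message for manual verification.
    An empty list means no BEC indicator was found."""
    findings = []
    display_name, address = parseaddr(sender_header)
    address = address.lower()
    domain = address.rpartition("@")[2]

    # 1. Sender domain resembles ours but is not ours (lookalike spoofing).
    if domain and domain != COMPANY_DOMAIN and domain in lookalike_domains(COMPANY_DOMAIN):
        findings.append(f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")

    # 2. Display name matches a known executive but the address does not.
    known = KNOWN_EXECUTIVES.get(display_name)
    if known and address != known:
        findings.append(f"display name '{display_name}' does not match known address {known}")

    # 3. Pressure / payment vocabulary in subject or body.
    text = (subject + " " + body).lower()
    hits = [k for k in RISK_KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", text)]
    if hits:
        findings.append("risk keywords: " + ", ".join(hits))
    return findings


# Constructed sample messages (sender header, subject, body).
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@examp1e-bank.com>", "Urgent wire request",
     "I am in a meeting, please send the wire today and keep this secret."),
    ("Carlos Ruiz <carlos.ruiz@gmail.com>", "Invoice",
     "Please process this payment to the new supplier account."),
    ("Jane Doe <jane.doe@example-bank.com>", "Lunch",
     "See you at noon."),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLE_MESSAGES:
        print(sender, "->", screen_message(sender, subject, body) or "no findings")
```

The screen is a triage aid, not a verdict: a message with no findings can still be fraudulent (a genuinely compromised executive account passes checks 1 and 2), which is why the page’s out-of-band confirmation call remains the control that actually stops the transfer.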
Make sure your employees are mindful of what they post on social media. Cybercriminals can appropriate seemingly benign information, such as birth dates, favorite foods, and places of residence to personalize their social engineering schemes.
Use caution when adding information to your company website. Teams should be aware that any job information posted on a company website can be used to facilitate targeted phishing scams, especially job descriptions, organizational charts, and out-of-office details.