Business email compromise is the bane of small businesses, because these phishing scams target companies with minimal processes, protocols and protections in place -- like those too small to have extensive cybersecurity budgets. According to the FBI’s Internet Crime Complaint Center, business email compromise costs more than $675 million in damage in 2017, so the June arrests of 74 cyber criminals in the United States and abroad was a triumph for both large and small companies.
Even though one cyber gang has been taken offline, dozens remain. Earlier this year, the U.S. House Committee on Small Business warned small businesses that hackers are targeting and attacking them with the most sophisticated threats ever, and at an increasing rate. More alarmingly, committee members said, there is reason to believe hackers will continue to primarily target small businesses from now on.
The trickle-down effect of cyber crime
In March, a New York man pleaded guilty to defrauding a Virginia-based trade association out of more than $1 million. He used classic business email compromise tactics, such as mimicking the email address of a known travel vendor and asking the trade association to send future payments to a new account number. Obviously, his scheme worked -- at least for a time. But the question remained: Why would he target a trade association?
BEC is a sophisticated form of phishing, a cyber scam that tricks users into trusting illegitimate emails. A number of security measures can detect and flag these emails, and most large organizations already have them in place. By contrast, smaller organizations’ budgets are, well, smaller, and non-cybersecurity issues may take greater priority. As a result, few small businesses have the protocols, procedures and protections in place to red-flag phishing emails.
Small businesses should take immediate action to increase security measures against email compromise threats because, according to First Business Financial Services, 38 percent of victimized companies are SMBs in all industries. This attack method isn’t abating, so taking precautions is your safest bet.
Ironclad security on a limited budget
Just because a small business knows it’s at risk of cyberattacks doesn’t mean it can start multiplying its cybersecurity budget. Luckily, spending more is not as important as spending smartly. Targeted protections may not stop every attack, but they can stop the most common and the costliest. To prioritize business security, focus your efforts on these steps:
1. Implement email sender authentication standards.
Email is particularly vulnerable to spoofing and remains a leading security risk because users feel confident and secure in their inboxes. Business email compromise and other phishing schemes often spoof senders, but implementing authentication standards can protect against spoofing.
Start by putting in place standards that address email sender authentication. These include Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance. Require the partners you do business with to also implement these email authentication standards.
2. Tap into outside experts.
Sender standards are effective, but they are also quite complex to implement and maintain. If protecting a company’s security were easy, the FBI wouldn’t have received more than 4 million complaints of internet crime between 2000 and 2017. For small businesses, the best solution is to seek out trusted providers or partners that provide useful tools to help in the implementation of these standards.
3. Take a multilayered approach to security.
Cyber scams are designed to bypass common security measures, and implementing sender authentication standards doesn’t guarantee that the inbox is threat-free. Make sure layered security includes impersonation filtering to identify domains that are one character off from a trusted domain. Also, institute internal email filtering that can block external emails that look like they are from an internal user. Taking a layered approach aids in the identification of multiple techniques used in BEC attacks.
4. Create a process for authorizing wire transfers.
Confirm the legitimacy of any wire requests or changes to payment addresses. Call a verified individual or phone number. Do not use contact information from the email chain that's making the request.
5. Educate users.
In spite of all the available technology, users remain a critical line of defense. The more they recognize risks and understand threats, the more likely they are to avoid malicious emails and dangerous behaviors. Incorporate user education as a key way for to boost cybersecurity. According to recent reporting in the Wall Street Journal, one of the main reasons that employees resent attending cybersecurity training is that they are sent only when they’ve made a mistake, so the training is construed as punishment. To combat this negative association, reward your employees for their good cybersecurity habits, too.
Small businesses aren’t just the most likely targets of cybercriminals; they are also the biggest victims. Larger companies can survive disruptions and can afford the recovery effort, but many small businesses cannot. With attacks on the rise, cybersecurity has become an existential threat to small businesses. It’s imperative to adjust your security measures to keep your email inboxes -- and your business -- protected.