In this digital age, communication and payment transactions are performed online. And email remains the number one communication channel due to its flexibility, reliability, and ease of use. As such, it is the preferred channel by malicious actors to attack an organization. The current pandemic has contributed much to the use of emails. As a result, cybercrime has evolved with innovative and sophisticated techniques to carry out Business Email Compromise (BEC) attacks, which necessitates robust email security for any organization.
Email attacks through means like phishing and CEO fraud have caused significant financial and reputational losses to business organizations. According to the FBI’s Internet Crime Complaint Center, phishing attacks doubled from 2019 to 2020 (IC3, p. 6) with over $54 million (IC3, p. 20) in losses. BEC losses accounted for a whopping $26 billion in losses in 2020.
According to Statista, a total of 304 million ransomware attacks occurred worldwide in 2020, a 62% increase from 2019.
The number of seen BEC attempts worldwide saw an increase from 9,708 in 2017 to 17,607 at the end of 2020.
For this reason, the significance of email security cannot be understated. The below discussion examines some of the strategies and best practices business organizations can adopt and the options available to upgrade email security to stay protected.
What Is Business Email Compromise (BEC)?
BEC is a cyberattack targeting business organizations to steal or gain access to critical corporate data to extract money using email-based fraud. It usually impersonates one of the top officials of the organization itself. Malicious actors commonly attempt CEO fraud attacks, a form of BEC, using a look-alike or a compromised email account to deceive an organization into making fraudulent payment transactions. Below are some of the countermeasures to avoid becoming victims of BEC incidents.
Top Strategies To Avoid BEC
Following are some of the strategies an organization can adopt to avoid BEC attacks:
Employee Awareness And Alertness
Training programs for employees to detect fraudulent emails is critical to avoid falling into traps and making unauthorized payments. On the other hand, employees, especially those engaged in handling transactional and sensitive data, need to be vigilant to detect fraudulent emails. The following precautions come in handy:
- Check the sender’s email address, particularly on a mobile device, since it is hidden.
- Malicious actors can make domain names look similar to that of an organization. Using an upper-case of the letter ‘i’ can look like a lower-case of L.
- The use of authoritative language can lead an employee to believe that their boss is demanding a response.
- Financial urgencies tend to create panic. Making the employee believe that a revocation of a vital service could occur or a hefty fine could be imposed if a payment deadline is not met can result in a fraudulent transaction.
- If the sender indicates a change in the email address or bank account details for the ‘urgent’ payment transfer, verify the whereabouts through a phone call.
Follow Best Practices
Certain habits and policies can safeguard an organization’s data and assets, as described below.
- Use multi-factor authentication (MFA), such as a phone number or a secret key, for processes such as payments. Even if a malicious actor succeeds in acquiring user credentials without additional verification data, the user is still safe.
- Avoid auto-forwarding emails. Automatic email forwarding makes a mailbox vulnerable as the emails tend to go outside the security of the domain. Check twice before sending or forwarding sensitive data related to employees, taxes, billing, etc.
- Mark emails that come from sources outside the organization to create a habit to treat them suspiciously.
- A simple gesture like a phone call confirming the amount, payment method, and account details before making a transaction to a party can ensure that one is not paying a fraud.
Upgrade Email Security
System administrators need to maintain a secure email environment ensuring the necessary email security protocols.
- If the organization uses an on-premise proprietary email gateway, it must ensure its email security features and policies before deployment.
- Arm outbound SMTP with email authentication features – SPF, DMARC, and DKIM – in the DNS zone as these filters a significant chunk of spam and provides anti-spoofing and phishing protection. Emails that fail authentication are automatically flagged or sent to the spam folder for further investigation.
- The organization may consider dedicated anti-phishing services from reputed brands for enhanced protection from varied phishing attacks such as Whaling, Spear-Phishing, Smishing, and Vishing and a more recent Angler Phishing method.
- Enterprises are increasingly being targeted with ransomware. A recent example is a cyberattack on Colonial Pipeline. Often malware in the form of encryptors and screen-lockers is distributed via email attachments. Integrating a solid ransomware protection service can safeguard an organization’s data from being held, hostage.
- Detection and prevention of DDoS (Distributed Denial-of-Service Attack) and DHA (directory harvest attack) can be achieved through the use of Secure Email Gateways (SEG).
Other Security Measures
- The recent cyberattack on the Colonial Pipeline is an example of a ransomware attack. It is not the absence of security protocols but a lack of consistent validation that led to its shutdown by malicious actors. Ensure that ransomware protection and other additional security plugins are up to date and functioning as intended.
- For small and medium-sized businesses, a reputed cloud email service, such as Office 365 or G Suite, already has many of the email security protocols in place and can save the organization a considerable amount of time and expenses.
- An MX backup service will keep an organization in good stead if the email server is down due to a threat, maintenance, or any other reason. New incoming mail is stored in the MX backup and delivered as soon as the server is up and running. It provides the same email security features as the regular email server.
Final Words
Email security service needs to become a priority to eliminate cyberattacks such as ransomware, phishing, and BEC. Strict email security policies combined with employee training and awareness programs help prevent malicious actors from taking control of the network using malware. Implementing dedicated security solutions and upgrading email security using the latest technologies can save a business from heavy losses.