Ask Floh: How to protect against Business Email Compromise
How did a “Nigerian Prince” trick businesses out of millions?
With Business Email Compromise (BEC). This scam is on the rise, up 80% according to a recent report by Mimecast.
In this episode of Ask Floh, find out how this threat works and how to protect against it.
Hello and welcome back to Ask Floh where I share some tips and tricks and answer all your burning security questions.
So this one is from Lee in Vancouver. He says:
“I recently read about this Nigerian scammer who made millions in two years by tricking businesses into sending money to rogue bank accounts. How does this type of scam work? And how can we protect ourselves?”
Oh boy. Okay, so there are lots of different versions of this. Most of them involve email, but not all, and so they are fittingly called Business Email Compromises. There are a lot of different elements. It tends to involve, on the part of the scammer, some amount of research into a business or a person: the kinds of data they deal with, the kinds of business they do, who they do business with. And then it also involves a social engineering component, where the scammer is trying to trick you into believing that they are acting on behalf of some party that you know or some business that you interact with.
So typically, it sort of involves sending an email that seems to be on behalf of someone that you do business with, stating some sort of problem, some sort of emergency, something that needs a remedy, and then suggesting a solution. Sometimes it involves lots of back and forth, sometimes it’s many steps, and maybe it starts with email. But it’s not just email. Sometimes it also involves some kind of fake website. So maybe there’s an email with a link in it that takes you to something that looks like a website you’re familiar with, but it’s actually a different one.
And this leads us to one of the central elements of making this sort of scam work, which is domain names. So oftentimes, what these kinds of compromises do is some kind of spoofing of a domain name. Basically, the scammer will buy a domain name that’s really, really similar to the domain name of a real company. So if the real company is, I don’t know, verynicecompany.com, maybe it would be very-nice-company.com that the scammer buys. They use this as a way to get in and to get your trust. And maybe they will even also make a website at that domain and make everything look familiar and realistic.
So at that point, there’s some amount of trickery, some amount of theatre that goes on. And then there’s a few technical bits that need to be in place. Oftentimes this comes back to email, and a lot of the things about email that aren’t very secure: the fact that people can send you HTML email, so they can make links that pretend to go to one place but actually go to a different website than you think; the fact that anyone can email you; the fact that domain names can more or less be spoofed. All these things are little technical pieces of the puzzle that make this sort of scam viable.
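Two defender-side checks that target the tricks just described, written as an added example for this post rather than code from the episode or from Peerio: flag a sender domain that is a near-miss of a domain you trust (the very-nice-company.com trick and other near-misses), and flag HTML links whose visible text names one host while the href really goes to another. The trusted-domain set, the 0.9 similarity threshold and the two-label `registrable()` approximation are assumptions made for the demonstration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (constructed): domains of parties you genuinely do business with.
TRUSTED_DOMAINS = {"verynicecompany.com"}

def registrable(host):
    """Crude registrable part: last two labels (fine for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def lookalike_of(sender_domain, threshold=0.9):
    """Trusted domain a sender imitates (hyphen trick or near-miss), else None."""
    d = registrable(sender_domain)
    if d in TRUSTED_DOMAINS:
        return None
    for t in TRUSTED_DOMAINS:
        if d.replace("-", "") == t.replace("-", "") or SequenceMatcher(None, d, t).ratio() >= threshold:
            return t
    return None

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(html):
    """Links whose visible text names one host while the href really goes elsewhere."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        real = urlparse(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(real):
            flagged.append((text, real))
    return flagged
```

Both functions are meant to run on inbound mail before a person acts on it; a hit on either is a reason to verify the request out of band rather than reply.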
And so if you’re looking for a solution, or some kind of remedy or mitigation for these kinds of attacks, the first one is human. It’s really about practising, about building a security culture, about having training exercises. Maybe with your security or IT department, if you have one, or maybe just with whoever it is in your company that really cares about this sort of thing and maybe has taken an improv class or two: try something out and see if people fall for the scam.
And just raising awareness about how these things work. This is an exercise that you can do as a group; this is something you can all discuss together. It’s super important, because the first thing is really vigilance and being aware of the kinds of things that can happen.
The second thing is more on the technological side. I understand that for lots of different kinds of businesses, email is really necessary; that’s just how things work at the moment. However, if you’re in a kind of team where a lot of the communication is internal and you’re only talking to certain parties, then switching to a more closed and controlled ecosystem, where you and your team are only able to talk to certain people and where identities are validated, can be really useful.
Things like end-to-end encrypted chat and messaging solutions can be really helpful in this regard. So can applications with features built in that make these sorts of “pretend emails with links” that look like one thing but are actually another simply not technologically possible.
Okay, I hope that was helpful and good luck out there. Don’t click on any phishy links. Bye.
You know what’s better than secure team communication? Nothing. Peerio gives you a super secure way to chat with your team, store and share files, all in one place. Every message and file stored and sent with Peerio is encrypted end-to-end by default. Learn more.