Our inboxes are a common target for cybercriminals. With sensitive information arriving alongside a plethora of promotional emails, it becomes easier for cybercriminals to slip fraudulent emails under the radar. If your business uses an email communication system (and let’s face it, which business doesn’t?), you are at risk of cyber attack via business email compromise. In this blog, we will discuss the steps you can take to protect your business from this type of cyber attack.
What is Business Email Compromise?
Business email compromise, also known as email account compromise, is a form of phishing or spear phishing cyber attack. Cybercriminals target organisations and try to scam them out of money or confidential company data. They also use emails to pretend to be business representatives and target employees to trick them into revealing important business information. You can protect yourself from these malicious attacks by taking protective measures and staying informed.
Take Preventative Measures
Taking preventative measures makes it more difficult for cybercriminals to impersonate you and your business. These measures can also block or flag scam emails pretending to be notable brands or figures. Basic preventative measures used to minimise phishing attacks include:
Install security software
Installing security software is your first line of defence against phishing scams. Antivirus programs, spam filters, and firewalls are effective against phishing attacks. Web filters can also be used to prevent employees from visiting malicious websites.
Keep your software up-to-date
Keeping your software up-to-date with the latest security patches and updates also reduces your chances of falling victim to phishing scams. Schedule regular updates and continuously monitor the status of all your software and devices.
Protect remote workers
If your employees are working remotely, establishing a BYOD (Bring Your Own Device) policy is essential to protecting your email from phishing attacks. Require encryption for remote workers and have them connect to your server via VPN to prevent access to phishing sites.
Schedule regular backups
When was the last time you tested your backup and recovery plan? If you don’t remember, it’s probably overdue. Scheduling regular backups ensures that your data is completely recoverable in the event of a disaster.
Enforce password policy
This may come as a surprise, but an alarming number of people use easily guessed passwords such as “12345678.” I recommend implementing policies that enforce password expiration along with rules governing acceptable passwords. Minimum password length, numbers, and special characters help create complex passwords that are more difficult to hack.
Use multi-factor authentication
Ensure that employees are signing into their accounts and inboxes using two or more credentials (such as login information as well as a verification code from another device). By providing multi-factor authentication, you can easily prevent hackers who have compromised user credentials from gaining access to the system.
Do not provide personal information or click on questionable links
Do not provide personal or confidential information without directly verifying it with the person making the request. Legitimate individuals and organisations will never request confidential information (such as banking details or logins) via email.
Employees should make it a practice not to click on links in emails, even if they appear to be from a trusted source. If in doubt, open a new browser window and enter the URL in the address bar instead of clicking the link. Another way is to hover over the email sender or link. If the link is malicious, it may not match the email or link description.
Watch out for threats or urgent deadlines
When impersonation is combined with threats and deadlines, you are even more likely to fall for phishing scams. Creating a sense of urgency (such as threatening fines or closing accounts) often leads to misguided and hasty decisions.
Educate your staff
Phishing awareness training can protect your staff and your business from business email compromise. Educate your staff about the phishing techniques cybercriminals use to trick them, and provide ongoing cybersecurity awareness training, including regular simulation campaigns, so it becomes second nature for them to respond effectively when faced with a real business email compromise attempt.
Staying informed is one of the best ways you can combat business email compromise. It is important to set up a process to ensure employees have the ability and are required to report to the business when they receive suspicious emails so that other employees or colleagues don’t accidentally fall for a phishing attack.
About PhishNet
Understanding the role of human error in data breaches is the first step to preventing and future-proofing your organisation against attacks.
PhishNet delivers highly effective, engaging, and affordable cybersecurity awareness training to help businesses mitigate the risks of human error data breaches.