Email Security and Business Email Compromise (BEC)

Email is a standard communication channel for almost every business in today's technology-focused world. Attackers know this and now target email as a way to infiltrate businesses and gather privileged information. According to the AFP, BEC cost Australian businesses more than $79 million in financial losses in just one year. There are many ways to shore up your email security, and many of them are already included in your email software at little or no cost.

One of the best ways to improve email security is to implement Multi-Factor Authentication (MFA). If you use Microsoft 365 or Google Workspace, these features are included at no additional cost. MFA requires users to provide a second form of verification when they log in to their account. This can include authenticator app codes, SMS codes, biometrics and hardware tokens, just to name a few. Enabling MFA on your accounts makes it much more difficult for attackers to access your information: even if your password is compromised, they would still need your second form of identification to gain access.

Setting up MFA is good for preventing malicious access to your email accounts, but it doesn't stop people sending you fake or misleading emails. Bad actors spoof email addresses to look like they come from someone trusted, then ask for information or send malicious links and attachments. This is especially prevalent in industries that deal with large sums of money: law firms, conveyancers, financial services and real estate. Often they will send requests to update bank account details so that funds are diverted to fraudulent accounts. In this case your people are your biggest asset; they are the first line of defense. Creating a culture of cyber security at your business is crucial to stopping these kinds of attacks. Staff need to be trained on security best practice and given instructions on what to do if they suspect a fake email. Even something as simple as a phone call to the client, using a number you already have on file rather than one taken from the email, can help stop these kinds of attacks.

Attackers are also now abusing legitimate services to send files. Services such as PayPal, Dropbox and Google Workspace are being used to deliver messages that, because they come from the real service and are not spoofed, can bypass many traditional checks. The files sent through these services are usually fake invoices or links to fake cloud storage login pages. They can also contain fake phone numbers, in an attempt to scam staff over the phone if they call to confirm. In these cases it is imperative that your staff are aware and question any unusual email. Cross-reference details (e.g. phone numbers) with publicly available information, and ask: Have we paid this invoice? Who has this invoice come from? Do I really need to log in?

There are also sender authentication frameworks that help receiving mail servers verify that emails claiming to come from your domain really do: SPF, DKIM and DMARC. While these may sound confusing at first, a managed service provider should be able to set them up for you relatively easily. DKIM, for example, adds a cryptographic signature to the message header that receiving servers can verify, even when the email is forwarded. Together they allow other mail servers to confirm you are who you say you are, and they can also improve email deliverability. Over time, the reports these frameworks generate also let you see how often your domain is potentially being spoofed and used for nefarious purposes.
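As an added illustration of what "set up correctly" means for two of these frameworks (this is example code written for this post, not a FordhamIT or vendor tool), the script below flags weak settings in SPF and DMARC TXT records. The sample records are constructed; the `spf.protection.outlook.com` include is the standard Microsoft 365 SPF entry, and `example.com` is a placeholder domain.

```python
# Added example for this post (not a FordhamIT or vendor tool): flag weak SPF and
# DMARC TXT records. Sample records are constructed inline so it runs offline.
# SPF mechanisms that cost a DNS lookup (RFC 7208 allows at most 10 per record)
SPF_LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


def check_spf(record: str) -> list:
    """Return weaknesses found in an SPF record (empty list means it looks sane)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    # Mechanism name without qualifier, argument or CIDR: "+include:x" -> "include"
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
             for t in terms[1:]]
    all_terms = [t for t, n in zip(terms[1:], names) if n == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    else:
        # A missing qualifier means "+" (pass), the same as writing "+all"
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets any server send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral and tells receivers nothing")
    if sum(n in SPF_LOOKUP_MECHANISMS for n in names) > 10:
        findings.append("more than 10 DNS lookups: receivers treat the record as an error")
    return findings


def check_dmarc(record: str) -> list:
    """Return weaknesses found in a DMARC record (empty list means it looks sane)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive reports of spoofing")
    return findings


# Constructed sample records: a weak pair beside a hardened pair
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
```

Run `check_spf` and `check_dmarc` on your own domain's TXT records (fetched with any DNS lookup tool) to see which of these findings apply before asking your provider to tighten them.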

If you are using Microsoft 365, Microsoft offers Defender for Office 365, which adds additional safety features and scanning to the emails you receive. It helps detect malware and viruses and provides zero-day protection. Because Microsoft has millions of users and data points, it is able to provide industry-leading protection through analysis of that data and machine learning. Defender for Office 365 includes Safe Links and Safe Attachments. Safe Links scans and rewrites URLs (website links) when an email is received and again when a link is clicked in email, Teams and other Microsoft Office apps. If a threat is detected, you are notified and access is blocked. Safe Attachments works in a similar way: before the email reaches the staff member, the attachment is "detonated" in a virtual environment to check that it is safe to open.

These are just a small handful of the ways you can help protect your business against the growing threat of business email compromise. While some of these solutions may sound complicated to set up, they are well worth the investment and will give you a good base on which to grow your security and your cyber security culture. If you don't know where to begin, reach out to a managed service provider such as FordhamIT. We can help guide you through the process and work with you to implement the best solutions for your business. We are here to help.