A Guide for MSPs to Prevent Business Email Compromise (BEC)
Managed service providers (MSPs) are a prime target for cybercriminals: one compromised MSP mailbox gives an attacker a trusted voice towards every client the MSP bills and every vendor it pays. Whether your organization provides networking, infrastructure, security, or application services, it is critical to secure your business and your data centers against business email compromise attempts.
This post explains what BEC is, how it works, and what you can do to protect your company from this cybercrime.
BEC is a cyber attack that targets your business email. The aim of the cybercriminals is to defraud managed service providers by compromising or impersonating business email accounts and stealing money or valuable information.
According to the FBI's IC3 report, business losses due to BEC doubled between May 2018 and July 2019. The same report identifies 166,349 BEC incidents between 2016 and 2019, with over $26 billion in domestic and international losses.
As businesses move to cloud-based data processing models, cybercriminals have developed sophisticated scams to take over business email accounts. Taking over a legitimate mailbox in this way is known as Email Account Compromise (EAC), and a compromised mailbox is a common starting point for BEC scams.
Traditional tools cannot always identify and prevent business email compromise attempts, because a well-crafted BEC message often carries no malicious attachment or link for a filter to catch. Understanding how the attack works helps you deploy a solution that is right for MSP operations.
There are five common types of business email compromise scam that MSPs are vulnerable to. They are described below.
Account compromise. Cybercriminals hack your business email account and use it to email your vendors and clients requesting payment. The payments go to bank accounts controlled by the attacker instead of your company's account.
CEO fraud. An impersonator pretends to be the CEO or a senior executive of the MSP and emails an individual employee.
For example, a cybercriminal who has compromised or spoofed the CEO's email address sends an email to an employee in the finance department asking for a quick money transfer to a client's account for an important business deal. The unsuspecting employee obliges and executes the transfer.
Bogus invoices. Attackers pose as the managed service provider and send fake invoices to its international suppliers, requesting that funds be transferred, but the money goes to fraudulent bank accounts.
Attorney impersonation and data theft. An attacker pretends to be an attorney working for the managed service provider and emails a junior-level employee requesting contract details and other financial information. The unsuspecting employee fulfils the request and hands over information that is then used for further crimes. This kind of targeted request is a form of spear phishing.
Malware. Malware that gains access to a workstation or the entire network lets attackers steal valuable data, including financial account details, login IDs, and passwords. The criminals then use this information to initiate other forms of business email compromise fraud, including taking over the mailbox itself.
BEC is a form of attack that uses social engineering and impersonation to trick unsuspecting employees of a managed service provider into handing over money or information. This form of fraud is hard to detect, and you will usually find out only after the scam has succeeded.
Hacking an MSP's email accounts and registering lookalike email addresses and domain names are the common methods criminals use to trick targets into complying with malicious requests.
For example, suppose your company's name is ABC and the domain you use is xyz.com, so your staff have addresses of the form firstname.lastname@xyz.com. The cybercriminal plays with the spelling a little and registers a domain that differs from xyz.com by a character or two: a transposed or substituted letter, a different top-level domain, an added word after a hyphen, or a homoglyph such as rn in place of m. They then send from the matching firstname.lastname address at that domain.
An unsuspecting employee may read the email without looking at the domain and fulfil its request, costing you thousands or millions of dollars.
In an EAC attempt, a cybercriminal gains access to and control of a legitimate business mailbox, and the consequences can be severe. Not only do they have access to your sensitive information and correspondence, they can also use the legitimate address to email business partners, vendors, and customers to commit financial fraud. Because those messages genuinely originate from your domain, they pass SPF, DKIM and DMARC checks, so domain authentication alone will not stop them.
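To make the lookalike-domain trick described above concrete, here is an added example (not TitanHQ or SpamTitan code) that classifies inbound sender addresses against a small allowlist. The allowlist (the article's xyz.com plus an invented partner-bank.example), the homoglyph table and every sample address are assumptions constructed for this example. It goes a little beyond the article's single case by also catching transposed letters, swapped top-level domains and added hyphenated words.

```python
"""Lookalike sender-domain check for inbound mail. Added example, not
TitanHQ/SpamTitan code: the allowlist, homoglyph table and sample
addresses are assumptions constructed for the example."""
import re
from email.utils import parseaddr

# Hypothetical allowlist: the article's xyz.com plus an invented partner.
TRUSTED_DOMAINS = {"xyz.com", "partner-bank.example"}

# Character groups that render alike in common fonts. Multi-character
# entries come first so "rn" collapses to "m" before "1" becomes "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(label: str) -> str:
    """Reduce a label to its visual skeleton, so skeleton('xyz.corn') == 'xyz.com'."""
    s = label.lower()
    for look, real in HOMOGLYPHS:
        s = s.replace(look, real)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert, delete, substitute and
    adjacent transposition each cost 1, so 'xzy' is 1 away from 'xyz'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """'mail.xyz.com' -> 'xyz.com'. Simplified: a production check should use
    the Public Suffix List so that 'xyz.co.uk' is not reduced to 'co.uk'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_sender(header_value: str) -> tuple:
    """Classify a From:/Reply-To: value. Returns (verdict, trusted_domain):
    'trusted'   - on the allowlist (a compromised trusted mailbox, the EAC
                  case, still lands here; this check only finds fakes)
    'lookalike' - resembles an allowlisted domain by homoglyph, TLD swap,
                  a single typo/transposition, or an added hyphenated word
    'external'  - any other domain
    'malformed' - no parseable address"""
    _, addr = parseaddr(header_value)
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", addr.strip())
    if not m:
        return ("malformed", None)
    domain = registrable_domain(m.group(1))
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    name = domain.split(".", 1)[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        t_name = trusted.split(".", 1)[0]
        same_look = skeleton(name) == skeleton(t_name)  # xyz.co, xyz.corn
        one_edit = osa_distance(name, t_name) <= 1       # xzy.com, xyzz.com
        padded = t_name in name.split("-")               # xyz-inc.com
        if same_look or one_edit or padded:
            return ("lookalike", trusted)
    return ("external", None)


if __name__ == "__main__":
    # Constructed sample From: headers, not real mail.
    for sample in ['"Jane Doe" <jane.doe@xyz.com>', "jane.doe@xyz.corn",
                   "jane.doe@xzy.com", "jane.doe@xyz.co", "ap@xyz-inc.com",
                   "notice@partner-bamk.example", "friend@gmail.com"]:
        print(f"{sample:40} -> {classify_sender(sample)}")
```

Run it against the From: and Reply-To: of each inbound message and hold anything classified as lookalike for human review. The check is deliberately strict for short names; tune the edit-distance threshold against your own allowlist, and remember that a message from a genuinely compromised allowlisted mailbox comes back as trusted, which is exactly the EAC case above and has to be caught by other means.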
A BEC scam occurs in four stages which are:
If you are a managed service provider, you will need several safeguards to prevent BEC and EAC attacks. Because BEC and EAC target email accounts and the people who use them, you must secure the following:
Business Email Compromise Training
Your employees play a vital role and are your first line of defense against BEC attacks. Therefore, you must train them to identify the following warning signs.
Make it a habit to check the sender's email address and domain name first. Managed service providers can avoid most of these frauds simply by checking the sender's name against the address and the domain the message was sent from. This is also where technical controls help: domain authentication (SPF, DKIM and DMARC), email security, account protection, and content inspection solutions can identify potential BEC threats before the message reaches the employee.
Attackers do not want anyone to scrutinize the request. Therefore, they ask the recipient to keep the request in the email confidential. Any such request is a potential BEC scam and should be discussed with a colleague or manager rather than kept secret.
Always look out for spelling and grammatical errors. If the sentence structure seems off or reads as if written by a non-native speaker, the email is most likely fraudulent. The reverse does not hold: a message sent from a genuinely compromised account can be flawless, so clean prose is not evidence of legitimacy.
If a CEO or CFO emails an employee asking them to bypass normal approval steps and carry out a task urgently, this is another red flag and must be treated as a business email compromise attempt.
Train your employees to question any unusual request from senior management. For example, if an accountant receives an email from the CEO asking them to transfer funds immediately into a client's account, this is a red flag and the employee must treat it as a potential BEC or EAC attack. The correct response is to verify the request out of band, by phone to a number already on file, never by replying to the email or using contact details it contains.
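The warning signs above can also be checked mechanically at the mail gateway before the message ever reaches the employee. The following added example (not SpamTitan code) parses the Authentication-Results header the receiving MTA stamps on a message, compares the From: and Reply-To: domains, checks the display name against a hypothetical executive directory, and scans the subject and body for the urgency, secrecy and bypass phrases described above. The company domain xyz.com is the article's; the executive directory, phrase lists and the three sample messages are constructed for this example.

```python
"""Gateway triage for suspected BEC. Added example, not SpamTitan code:
xyz.com is the article's domain; the executive directory, phrase lists
and sample messages below are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "xyz.com"
# Hypothetical directory: names attackers borrow, and the one address each
# of them legitimately sends from.
EXECUTIVES = {"jane doe": "jane.doe@xyz.com", "john smith": "john.smith@xyz.com"}
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}
RED_FLAG_PHRASES = {  # the training red flags, matched on lower-cased text
    "urgency": [r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b", r"\basap\b"],
    "secrecy": [r"\bconfidential\b", r"\bbetween us\b", r"\bdo not (tell|mention|discuss)\b"],
    "bypass": [r"\bskip\b", r"\bbypass\b", r"\bwithout (the )?(usual|normal)\b"],
    "payment": [r"\bwire\b", r"\btransfer\b", r"\bgift cards?\b", r"\bnew (bank )?account\b", r"\binvoice\b"],
}
STRONG_FLAGS = {"own-domain-unauthenticated", "reply-to-mismatch", "exec-impersonation"}


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results (RFC 8601); {} if none."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def _text(msg):
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()


def triage(raw_message):
    """Return {'verdict': 'deliver' | 'review' | 'hold', 'flags': [...]}."""
    msg = message_from_string(raw_message)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Domain authentication: failures, and our own domain without a DMARC pass.
    auth = auth_results(msg)
    flags += [f"auth:{m}={v}" for m, v in auth.items() if v in AUTH_FAILURES]
    if from_domain == COMPANY_DOMAIN and auth.get("dmarc") != "pass":
        flags.append("own-domain-unauthenticated")

    # 2. Reply-To: steering answers to a domain other than the From: domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("reply-to-mismatch")

    # 3. An executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("exec-impersonation")

    # 4. Social-engineering phrases from the training list.
    text = _text(msg)
    flags += [f"phrase:{cat}" for cat, pats in RED_FLAG_PHRASES.items()
              if any(re.search(p, text) for p in pats)]

    strong = any(f.startswith("auth:") or f in STRONG_FLAGS for f in flags)
    if strong and "phrase:payment" in flags:
        verdict = "hold"      # quarantine and alert; never auto-deliver
    elif flags:
        verdict = "review"    # deliver with a warning banner, or queue for an analyst
    else:
        verdict = "deliver"
    return {"verdict": verdict, "flags": flags}


# Constructed sample messages, not real mail: a spoof of the CEO's own address
# that fails authentication, a routine internal note, and an executive's name
# on a free-mail address that passes SPF, DKIM and DMARC cleanly.
SPOOFED_CEO = """\
From: "Jane Doe" <jane.doe@xyz.com>
Reply-To: Jane Doe <jane.doe.ceo@webmail.example>
Subject: Urgent wire today
Authentication-Results: mx.xyz.com; spf=fail smtp.mailfrom=xyz.com; dkim=none; dmarc=fail header.from=xyz.com

Wire 48,500 to the new account below immediately for the acquisition.
Keep this confidential and skip the normal PO process.
"""
ROUTINE_NOTE = """\
From: "Jane Doe" <jane.doe@xyz.com>
Authentication-Results: mx.xyz.com; spf=pass smtp.mailfrom=xyz.com; dkim=pass header.d=xyz.com; dmarc=pass header.from=xyz.com

Could you send me the Q3 numbers before Friday's review? Thanks.
"""
FREEMAIL_EXEC = """\
From: "John Smith" <john.smith.xyz@freemail.example>
Authentication-Results: mx.xyz.com; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example; dmarc=pass header.from=freemail.example

Please process the attached invoice and transfer the funds immediately.
"""

if __name__ == "__main__":
    for sample in (SPOOFED_CEO, ROUTINE_NOTE, FREEMAIL_EXEC):
        print(triage(sample))
```

The third sample is the instructive one: it passes SPF, DKIM and DMARC perfectly, because the free-mail provider's authentication is in order, and is still held because an executive's name is attached to an outside address alongside a payment request. Authentication results tell you who sent the message, not whether the request is legitimate. Treat the phrase lists as a source of false positives: "review" means a human looks, not that the message is blocked.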
Some additional tips for managed service providers are as follows:
If you are a managed service provider without any BEC prevention protocols, we at TitanHQ can help. We offer SpamTitan Plus comprehensive anti-phishing protection to prevent BEC and EAC attacks. Book a free SpamTitan Plus demo to see it in action with one of our experts and ask any questions you may have regarding the protection of your MSP business.