
Be aware of CEO-Fraud (Part 2)

Wim Baeyens
Finance Officer, EASI

In my previous blogpost, I explained what “Business E-mail Compromise” is and listed the main red flags that should trigger attention. In this blogpost, you get some practical advice on reducing the risk of becoming a victim of this fraud, and you read how EASI is armored against it.

Practical prevention advice

Prevention is based on 3 pillars:

1. Communication

Company-wide awareness and feedback loops should reduce exposure to social engineering cons. Every single employee should be aware of this kind of scam, especially those who can execute payment orders. A high level of mutual contact and transparency throughout the firm is key to keeping everyone alert.
EASI likes to keep a family spirit during its current expansion, and encourages assertiveness as the main quality for preventing this type of event. The close distance between colleagues leaves no room for doubtful situations.

2. Procedures

Set safety rules and payment procedures and apply them strictly, in particular the rules concerning signature powers, no matter the circumstances.
EASI has a two-step authentication system for payments in place in the accounting software Adfinity. Strict compliance with the checking & approval of invoices and payments does the trick.

3. Protection

Keep the following guidelines in mind:

  • Secure your computer with a password, an up-to-date antivirus scanner and a secure Wi-Fi connection. As a progressive IT company, EASI stays right on top of its security, closely watching over updates and guarding its overall security posture.
  • Do not give away sensitive company information (hierarchical structure, signature powers, absences, available cash, etc.). Don’t post the names of the relevant executives on the company website together with their e-mail addresses. Any information you share can be used to your disadvantage. EASI keeps fraudsters from acting on sensitive knowledge about the firm and is cautious about what is posted publicly. At the slightest suspicion, check the identity of the counterparty, the source of the phone calls and the accuracy of the e-mail address, or try to find out which IP address is used. You can also use another communication channel – such as a telephone call – to double-check with the person who supposedly gave the order.
  • Be extra careful when a payment has to be made to an account number that hasn’t been used before. Check account and telephone numbers via internet search engines to gather as much confirmation as possible.
  • Don’t give in to pressure. Talk to your colleague or supervisor, even when the utmost discretion is requested. If you have any doubt, it is better to take time and check. Accuracy prevails over speed in this kind of situation.
  • Never open an attachment or click on a link in an e-mail you don’t trust. You could trigger malicious software, causing damage you cannot stop. Interrupt any installation you are not sure of by shutting down or unplugging your computer.
  • Appoint a central counselor in your firm. Surveys and questions from unknown counterparties (by mail or by phone) should be forwarded to the person responsible for PR, and suspicious mail should be reported (and certainly not replied to).
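The procedure and protection rules above can be encoded as a small screening step in front of the two-step payment approval. The script below is an added example, not EASI's own Adfinity workflow; the company directory, the register of previously used accounts, the urgency words and the sample request are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed reference data (hypothetical placeholders, not real values).
DIRECTORY = {"Jane Director": "jane.director@example.com"}   # name -> genuine address
ACCOUNTS_USED_BEFORE = {"BE00PLACEHOLDER0001", "BE00PLACEHOLDER0002"}
URGENCY_WORDS = ("urgent", "immediately", "confidential", "today")


@dataclass
class PaymentRequest:
    requester_name: str   # name signed under the request
    sender_email: str     # address the request actually came from
    account: str          # beneficiary account number
    amount: float
    body: str


def red_flags(req: PaymentRequest) -> list[str]:
    """Return the red flags from the guidelines that this request raises."""
    flags = []
    # Beneficiary account never used before: verify it over another channel.
    if req.account not in ACCOUNTS_USED_BEFORE:
        flags.append("account has never been used before")
    # Known requester, but the e-mail address is not the one on file
    # (typical for look-alike domains used in CEO fraud).
    genuine = DIRECTORY.get(req.requester_name)
    if genuine is not None and req.sender_email.lower() != genuine:
        flags.append(f"sender address does not match the directory entry for {req.requester_name}")
    # Pressure and secrecy: accuracy prevails over speed.
    if any(word in req.body.lower() for word in URGENCY_WORDS):
        flags.append("pressure language in the message")
    return flags


def may_execute(req: PaymentRequest, approvers: set[str], callback_verified: bool) -> bool:
    """Two-step rule: two distinct approvers are always required, and a flagged
    request additionally needs confirmation via a second channel (e.g. a call
    to the requester on a known number) before it may be released."""
    if len(approvers) < 2:
        return False
    if red_flags(req) and not callback_verified:
        return False
    return True


# Constructed sample: a request that trips every check at once.
SUSPICIOUS = PaymentRequest("Jane Director", "jane.director@examp1e.com",
                            "BE00PLACEHOLDER9999", 48000.0,
                            "Please pay today, strictly confidential.")
```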

What if you encounter a real attempt or scam?

  • Warn the police. They will pass it on to the appropriate unit for fraud and cybercrime
  • If you made the payment: contact your bank to cancel the wire transfer and/or recover (some of) the transferred money
  • Warn the people whose names were used in the scam so that they can act on it
  • File a complaint

Wrapping Up

BEC e-mails have been increasing in number and variety over the last 10 years. It’s safe to say this technique is not going away anytime soon - the social engineering power of the CEO's name is too great.

Awareness and systems are both indispensable in the defense. Staff should be made aware of these sorts of e-mails and given some pointers on the things that indicate a possible scam. Organizations should also have very clear procedures in place for verifying payment transfers or requests for sensitive information, especially those made via e-mail.

Are you armored to counter these digital attacks?
