Business Email Compromise (BEC) attacks are so successful precisely because they don’t rely merely on technology.

The strength of BEC attacks in perpetrating invoice hijacks and similar scams lies in exploiting human vulnerabilities of ignorance or presumed trust.    The attackers in these scams are able to pass themselves off as actual employees, senior executives or vendor contacts.

The scams are sophisticated.  They are time-consuming to set up.  But the sums of money at stake can pay handsome dividends when a scam is successful.

Many organisations rely on their IT team to protect the corporate network and keep them safe from cyber-attack.   But this is a cyber-enabled scam that evades cyber-security.

As highlighted in The Anatomy of a Scam, attackers often use the compromised accounts of suppliers to deceive a victim into making payments into bank accounts that they control.    The emails get through the defences and area actioned because they contain all of the same properties as the legitimate email:

  • The sender is a legitimate sender
  • The content is as expected
  • The patterns of language are picked up from previous messages and therefore look normal

Firewalls and security software can detect and block attacks like malware.  But good old fashioned deception easily evades technical algorithms. Cyber-security and email security software that relies on scanning the content and authenticating the senders of email cannot provide full protection.  The challenge in preventing a sophisticated scam is that real emails look identical to the fraudulent email.

The appearance of legitimacy is total and all too often the ploy accomplishes the goal.

Your Organisation is Not Defenceless

The most important elements in your defence against a BEC or Invoice Hijack attack are people and process – enabled by technology.

Preventing a scam that uses the inherent weaknesses of email and the way that we are conditioned to deal with it to deceive us requires a change in process.  And as with any change in process, training and buy-in from people is critical.

We lay out our advice in this article, it can be summarised as:

  • Educate all staff involved in the Accounts Payable process (from raising purchase orders to processing invoices and making payments) about the threats of BEC and Invoice Hijacking
  • Engage with suppliers to whom you make regular payments
  • Devise a new process that takes the exchange of invoices, payment details and financial transactions away from email
  • Use a secure online Vault to create a shared area to enable the process
  • Only use email as a notification and alert tool – thereby taking all of the information that could be used by a fraudster to perpetrate a scam safely out of sight
  • Put in place verification steps – using the capabilities of the secure online vault to identify recent changes

You can’t foil Business Email Compromise with a process that relies on email as the primary tool for sharing the necessary information to complete a transaction.   Taking the request and instruction away from email removes means and opportunity from the fraudster.   To secure the Accounts Payable process, Don’t Transmit!