Understanding Business Email Compromise

Published On: September 21st, 2023 | Categories: Blog | 2.5 min read

In today’s digital world, email is the backbone of business communication. However, it’s also a prime target for a growing threat known as Business Email Compromise (BEC). This is a type of cyberattack where criminals impersonate trusted figures within an organization, such as executives, employees, or vendors via email. Their goal is to defraud the company into transferring money to the criminal. How big of a problem is this? The FBI called it a $43 billion scam!

This year alone there have been numerous BEC cases recorded. These have led to personal bank accounts being stolen and dealership information being compromised.

In every case, two aspects remained common – communications were conducted solely via email, and email security was weak. Most attacks begin with a phishing email that tricks a user into giving away their login credentials. With those credentials, the attacker can immediately log in as that user, and from there they can often sidestep multi-factor authentication and operate undetected.

5 Tips to Protect Your Dealership

So, how can your dealership reduce the risk of falling prey to BEC attacks? We need to address people, processes, and technology:

  1. Payment Account Change Verification: Establish clear internal rules that require careful verification before any accounts are changed or funds transferred. Require your team to validate the request through a secondary communication, such as a phone call using a number obtained outside of email (e.g. a directory or vendor invoice).
  2. Defense with MFA: Activate MFA for all email accounts to add an extra layer of security, making it significantly harder for attackers to gain unauthorized access. Although MFA can be defeated, it greatly raises the bar for the attacker.
  3. Login Protections: Set up strict email login rules. For example, in Microsoft 365, the “Conditional Access” features act as a firewall for email, governing where a user can log in from. You can restrict logins from certain locations and even control how often users are prompted for MFA. The higher licensing tiers also provide better protection against fraudulent login activity. Talk to your IT department or provider about whether these higher levels of security have been enabled, and whether suspicious logins are being monitored.
  4. Warning Banners: Set up your email system with warning banners that are shown to the user if an email originated outside the company, or if it is the first time a sender has emailed them, which is useful in detecting spoofs.
  5. Security Awareness Training and Vigilance: Regularly educate your team about BEC and phishing threats. Train them to recognize common tactics used by scammers and emphasize the importance of correctly handling suspicious emails. This will empower your team to monitor for suspicious activity and address it in a timely manner.
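As an added illustration of tips 3 and 4 (this is example code, not from the original post or from Proton Dealership IT), the following Microsoft 365 PowerShell creates a report-only Conditional Access policy that would block sign-ins from outside the tenant's trusted locations, and turns on external-sender and first-contact warnings in Exchange Online. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, the operator holds the relevant admin roles, and the break-glass account ID shown is a placeholder.

```powershell
# Added example, not part of the original post. Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules; the break-glass account ID is a placeholder.

# --- Tip 3: Conditional Access (Entra ID) -------------------------------------
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Report-only first: the sign-in logs then show who *would* have been blocked,
# so the policy can be reviewed before it is switched to "enabled".
$policy = @{
    displayName = "Block sign-in outside trusted locations (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Always exclude an emergency-access account so admins cannot lock themselves out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        # Apply everywhere except the named locations marked as trusted in the tenant.
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# --- Tip 4: warning banners (Exchange Online) ---------------------------------
Connect-ExchangeOnline

# Native "External" tag shown by Outlook clients on mail from outside the organization.
Set-ExternalInOutlook -Enabled $true

# Mail-flow rule that prepends a visible banner for clients that do not render the tag.
New-TransportRule -Name "External sender warning banner" `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p style='color:#9F3A38'>CAUTION: This email came from outside the dealership. Verify any payment or account change by phone before acting.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# First-contact safety tip: warns the recipient when a sender has never emailed them before.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -EnableFirstContactSafetyTips $true
```

Review the report-only sign-in results for a few weeks before changing the policy state to "enabled", and confirm the banner rule does not fire on internal mail.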

BEC and payment fraud are genuine threats to dealerships today. By following the suggestions above, you can significantly reduce your risk and protect your organization. Take time to reflect on your own organization and consider what additional trainings, policies, and tools your business could implement to better protect you and your customers’ information.
