For quite a few years, malware like ransomware, phishing, Denial-of-Service (DoS/DDoS) attacks, and Man-in-the-Middle (MitM) attacks were among the top cyberattacks. But since last year, business email compromise has been the leading cause of financial losses from cybercrime.
BEC, or business email compromise, is a type of social engineering scam. Cybercriminals use this tactic to trick employees into giving them money or sensitive company information by impersonating a trusted person, such as a known vendor.
The stakes are high. In 2023, the FBI’s Internet Crime Complaint Center (IC3) received over 21,000 BEC complaints from the American public, which resulted in losses totaling nearly $3 billion.
For financial institutions, where trust and security are everything, preventing BEC is important for protecting customers and reputations. In this article, we’ll share how you can build strong defenses. Dive in, then!
#1 Strengthen Email Security with Layered Defenses
A single security tool is not enough to block modern BEC attacks. Hackers are always testing new tricks to get around filters, so financial institutions need to think in layers.
In December 2023, around 9.45 million phishing e-mails were detected worldwide. To safeguard from this, you need a trio of email security standards that function together to verify the legitimacy of an email’s origin. These include SPF, DKIM, and DMARC.
Sender Policy Framework (SPF) lists all servers approved to send emails from your domain. The receiving email server checks this record and flags emails if they originate from an unapproved IP address.
DomainKeys Identified Mail (DKIM) acts as a digital signature. This ensures the message has not been altered in transit and came from the claimed domain.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) tells the receiving server what to do if an email fails the SPF or DKIM checks.
Implement multi-factor authentication, too. For financial institutions, MFA is a highly effective way to deter fraudulent online activity. It requires users to provide two or more distinct credentials to verify their identity before gaining access to an account or network.
#2 Tighten Internal Controls for Financial Transactions
Technology is only part of the solution. Your internal processes are just as important. Tight internal controls stop scammers from getting your money. The implementation of a dual approval or dual authorization process is a cornerstone of these controls.
This is a simple yet effective mechanism where two employees are required to authorize a financial transaction. One employee initiates the request, and another employee reviews and approves it. This creates an additional layer of protection against a variety of threats, including internal fraud and manual errors.
For large wire transfer requests, be sure to verify the sender’s identity to prevent fraud. Fraudsters often create a sense of urgency through emails, demanding an immediate response.
Verifying identity through documents like IDs and passports can help confirm whether the request is made by a scammer. According to AU10TIX, common methods for verifying documents include using optical character recognition (OCR), barcode scanning, and machine learning algorithms.
Don’t rely on verification by staff. Use a reliable documentation verification service. These often use advanced technology that accurately captures, validates, and standardizes data from documents. This improves the security and reliability of the identity verification process.
#3 Train Your Employees to Spot Social Engineering Attacks
Did you know that employees are responsible for nearly 28% of BEC attacks? You can reduce the likelihood of a BEC attack if you train employees regularly.
Criminals use social engineering tactics to trick employees into revealing passwords or granting access to critical systems. In 2023, BEC attacks accounted for over 10% of all social engineering attacks, and that number is expected to continue rising.
Training helps employees pause, think critically, and question anything unusual. Show them how to confirm suspicious requests using a trusted secondary channel, like calling the sender directly instead of replying to the email.
Walk through real-life phishing examples, so they can spot common warning signs, like slightly misspelled domains or unexpected attachments that pressure them to act fast.
Keep training engaging and ongoing. Short refreshers and simulated phishing tests are especially effective because they build skills without overwhelming staff. Most importantly, foster a culture where employees feel confident reporting suspicious emails without fear of blame.
Building A Culture of Security
Business email compromise is one of the most costly and stressful challenges financial institutions face today. It’s sophisticated and fast-moving and can slip through the cracks if you’re not careful.
There is no foolproof way to prevent BEC attacks. But taking reasonable precautions can make you a less appealing target for criminals, who will simply move on to look for an easier opportunity.
So, put these strategies into practice and you can build a strong shield against BEC attacks.
