The Federal Bureau of Investigation (FBI) has stated that between October 2013 and May 2016, cyber criminals scammed $3.1 billion from over 22,000 victims in at least 79 countries through business email compromise (BEC).
At the core of business email compromise are spoofed emails – communications that have forged headers, addresses or signatures to make them look authoritative and trustworthy. They often request fund transfers or sensitive information that can result in large-scale data breaches.
Business email compromise doesn’t discriminate by company size – the
smallest organisation can be hit just as hard as a large corporation.
Here are five suggestions to help protect your business.
1. Use Sender Policy Framework (SPF)
SPF is a critical tool for differentiating authentic emails from spoofed ones. When you establish an SPF, you can create a safe list of domains that your organisation approves for communication – for example, your own internal domain.
It will then conduct a verification of every incoming email and will
send a warning if the address does not match the approved list of
You can then decide to analyse, quarantine or delete suspicious emails
before they reach their intended destination. A variant of this system
is Microsoft Exchange’s Sender ID.
2. Register domains similar to your own
A common tactic used by cyber criminals is sending emails that look similar to your own – for example, replacing a lower-case L with the number 1. At a glance, this can fool many people into thinking they’re receiving official communications.
One way of preventing this tactic is simply to identify all potential
imitations of your domain, and register them yourself. Make sure you
these registrations on a regular basis, so they can’t be taken over by
malicious entities upon expiry.
3. Add a ‘hard fail’ record
The Australian Signals Directorate (ASD) states that a hard fail record is a core element of preventing spoofed emails. With an SPF, unauthorised email domains can still reach the end user, but with a warning that the message comes from untrusted sources.
By configuring DNS settings to add a ‘hard fail’ record and setting
this to a rigorous action, you can ensure communications from
domains go straight to spam or trash folders. This could also apply to
emails sent from company addresses, but not company servers – another
flag to watch.
4. Educate your employees
Research from the Ponemon Institute and IBM shows that 27 per cent of data breaches are due to staff or contractor negligence . By educating your employees on the dangers of business email compromise, you take a critical step towards prevention.
Train employees on their role in information security and educate them
on email spoofing and spearphishing. Make sure they understand each and
red flag to look out for. You can also implement processes that
mitigate the risk of falling prey to spoofing, such as requiring a phone
or face-to-face confirmation for any financial or informational
5. Use application whitelisting
This addresses a symptom of email compromise rather than the cause, but
is nonetheless important. Application whitelisting is part of the ASD’s
Eight, and entails limiting the applications that can be opened on your
It prevents the possibility of malicious programs from opening, and can
further alert people to potential compromise when they try to open an
a spoofed email.
Get the best for your business
Business email compromise is all too common in Australia, but there are tangible steps you can take to mitigate the risks. Of course, this can be a complex process for businesses that are not well-versed in cyber security – this is where Over the Wire can help.
Our managed security services take over the administrative responsibility for your day-to-day protection and give you 24/7 cover from all manner of cyber threats. Contact our team to find out what we can do for you.
Learn more about the primary areas of cyber risk in our 24 page eBook, IT Managers: Set your Network Defences to Stunning, you can download it here.
 2017 Cost of Data Breach Study: Australia (IBM/Ponemon Institute, June 2017)