Are you familiar with Business Email Compromise, or "BEC" scams?
BEC scams are in the news regularly, and it's very likely that a vendor or your IT director has mentioned them to you once or twice, possibly leaving you thinking:
"Why would a scammer target me? My company doesn't fit the profile of Equifax or Home Depot, no one is going to target my business."
Well, if these were your thoughts, I have to tell you: you are mistaken. This issue is so critical that it should be at the top of every business's threat assessment list, no matter its size or industry. In fact, many forensic and IT professionals describe the threat as a matter of "when" it happens rather than "if" it happens.
For these reasons, I'd like to share with you what you can do to be BEC Scam-ready:
Get educated. Stay on top of the trends in how scammers are attacking businesses from cyberspace. The FBI's website is a great resource to check regularly.
Assess where your business is most vulnerable to the common schemes. To do this, collaborate with your IT staff or third-party vendor as well as your accounting team, and examine the following questions:
- Do you have longstanding relationships with your customers and vendors? Are you paying or accepting payment by wire transfer?
- Do you have written policies and procedures to ensure that you are regularly training employees on how to handle irregular or changed payment instructions?
- Who has access to your IT infrastructure and how is that access audited and safeguarded from intrusion?
- How vigilant and aware are your staff of potential BEC threats?
Lastly: Put in place cost-effective safeguards against potential cyber threats.
- Invest in training your accounts payable teams and management to spot BEC scams.
- Put in place policies and procedures that empower your employees to critically review and ask questions when red flags are raised.
- Investigate cyber-insurance that covers both business interruption and the potential for business loss in the event of a BEC scam.
- And always plan for the worst-case scenario. For example, determine how your company will respond if your servers are locked down by ransomware, and who you will contact if your AP team is duped by a BEC scam and accidentally wires $100,000 overseas.
Continuous education, a thorough risk assessment, and implementation of targeted safeguards will go a long way to prevent future cyber-attacks on your company and mitigate damages if an attack is successful.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.