Understanding Business Email Compromise (BEC): Prevention, Response, and Insurance Coverage

In recent years, business email compromise (BEC) has emerged as one of the most prevalent and costly cyber threats facing businesses of all sizes. BEC involves sophisticated email scams orchestrated by cybercriminals to deceive employees into making unauthorized wire transfers or disclosing sensitive information. The threats are becoming more complex, more targeted, and most importantly, more costly. And the costs extend past dollars and cents – your business’s reputation can be irreparably damaged if you don’t have safeguards in place and if you don’t respond properly in the face of an attack. This article explains what BEC is, how it is carried out, some best practices to help minimize the risk of an attack (including obtaining specific insurance to offset monetary risks), and what to do if you’re attacked.

What is BEC?

BEC, also known as CEO fraud or email account compromise (EAC), is a type of cyber-attack in which cybercriminals impersonate a trusted individual, such as a company executive or a vendor, to deceive employees into taking fraudulent actions. These actions often involve initiating unauthorized wire transfers, redirecting payments, or disclosing sensitive information.

How Does BEC Happen?

BEC attacks typically involve several stages:

  1. Research and Reconnaissance: Cybercriminals conduct extensive research on the targeted organization, its key personnel, business relationships, and financial processes. This information is used to craft convincing email messages and tailor the attack to appear legitimate.
  2. Email Spoofing: Cybercriminals spoof or impersonate the email address of a trusted individual within the organization, such as the CEO or CFO, or a known vendor or business partner. The email may appear genuine, often using similar formatting, logos, and language to legitimate communications.
  3. Social Engineering: The fraudulent email conveys a sense of urgency or importance, compelling the recipient to take immediate action. This may involve requesting a wire transfer to a fraudulent account, updating banking information, or disclosing sensitive employee or customer data.
  4. Execution: If the recipient falls victim to the scam and complies with the fraudulent request, funds may be transferred to the cybercriminal's account, or sensitive information may be compromised, leading to potential financial losses or data breaches.

Preventing Business Email Compromise:

To prevent BEC attacks, businesses can implement the following best practices:

  1. Employee Training: Provide regular cybersecurity awareness training to employees to educate them about the risks of BEC attacks, how to identify suspicious emails, and the importance of verifying requests for sensitive information or financial transactions.
  2. Email Authentication: Implement email authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to detect and prevent email spoofing.
  3. Dual Authorization: Establish policies requiring dual authorization or verification for wire transfers and financial transactions, particularly for large amounts or requests made via email.
  4. Secure Communication Channels: Encourage the use of secure communication channels, such as encrypted email or secure messaging platforms, for transmitting sensitive information or discussing financial matters.
  5. Vendor Due Diligence: Conduct due diligence on vendors, suppliers, and business partners, particularly those involved in financial transactions, to verify their identities and confirm the legitimacy of their requests.
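The email authentication item above names SPF and DMARC, but publishing a record is not the same as enforcing one: an SPF record ending in `~all` or a DMARC policy of `p=none` still lets spoofed mail through. The script below is an added example, not code from the original article or the firm, that parses the two TXT records a domain would publish and reports where they fall short of rejecting spoofed mail. The domain names and records are constructed for illustration; a real check would fetch them over DNS.

```python
"""
Assess the SPF and DMARC TXT records a domain publishes for spoofing resistance.
Added example; the sample records below are constructed, not real DNS data.
"""
import re

# Constructed sample records for hypothetical domains (not real DNS data)
SAMPLE_RECORDS = {
    "example-weak.test": {
        "spf": "v=spf1 include:_spf.mailprovider.test ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    },
    "example-strong.test": {
        "spf": "v=spf1 include:_spf.mailprovider.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test",
    },
    "example-missing.test": {"spf": None, "dmarc": None},
}


def parse_spf(record):
    """Return the SPF 'all' qualifier and other mechanisms, or None if not an SPF record."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    all_qualifier, mechanisms = None, []
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(record):
    """Return DMARC tag=value pairs as a dict, or None if not a DMARC record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """List the ways these records still allow spoofed mail to be delivered."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("no SPF record: receivers cannot tell which servers may send for this domain")
    elif spf["all"] in (None, "+"):
        findings.append("SPF permits any sender (no 'all' term or '+all')")
    elif spf["all"] == "~":
        findings.append("SPF softfail (~all): spoofed mail is marked, not rejected")

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures carry no enforcement")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail is quarantined rather than rejected")
        elif policy != "reject":
            findings.append(f"DMARC policy missing or unrecognized: {policy!r}")
        if "rua" not in dmarc:
            findings.append("no rua= address: aggregate reports of spoofing attempts go nowhere")
    return findings


def assess_domain(name, records=SAMPLE_RECORDS):
    """Assess one of the sample domains by name."""
    entry = records[name]
    return assess(entry["spf"], entry["dmarc"])


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        print(domain, "->", assess_domain(domain) or ["no findings"])
```

Only the strong domain comes back clean; the weak one is flagged twice even though it has both records, which is the common state of a domain that was set up once and never moved from monitoring to enforcement. To run this against live domains, replace `SAMPLE_RECORDS` with TXT lookups of the domain and of `_dmarc.` plus the domain (dnspython's `dns.resolver` is one option; it is left out here so the example runs offline).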

Responding to a Business Email Compromise:

In the event of a BEC incident, businesses should take immediate action to mitigate the impact and prevent further losses. This may include:

  1. Suspending Transactions: If a fraudulent wire transfer or payment request is identified, immediately contact the financial institution to halt the transaction and report the incident.
  2. Internal Investigation: Conduct an internal investigation to determine the extent of the breach, identify compromised systems or accounts, and assess potential financial and data security risks.
  3. Law Enforcement Notification: Report the BEC incident to law enforcement authorities, such as the Federal Bureau of Investigation (FBI) or the Internet Crime Complaint Center (IC3), to facilitate investigation and potential recovery efforts.
  4. Customer and Stakeholder Notification: Notify affected customers, clients, and stakeholders about the breach, providing guidance on steps they can take to protect themselves and mitigate potential risks.
  5. Enhanced Security Measures: Implement additional security measures, such as multi-factor authentication, enhanced email filtering, and employee monitoring, to prevent future BEC attacks and strengthen cybersecurity defenses.
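The "enhanced email filtering" in the last item is where the spoofing and urgency stages described earlier become detectable. The script below is an added example, not code from the original article or the firm, that scores inbound messages for four BEC indicators: an executive's display name on an outside address, a Reply-To that diverts the conversation, a sender domain one typo away from the company's, and payment language combined with urgency. The company domain, executive list, and sample messages are constructed for illustration.

```python
"""
Flag inbound mail that shows the BEC indicators described in this article:
a trusted display name on an outside address, a Reply-To that diverts replies,
a look-alike sender domain, and urgent payment language. Added example; the
organization, addresses and messages below are constructed, not real traffic.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "acme-corp.test"                         # hypothetical company domain
EXECUTIVES = {"jane doe": "jane.doe@acme-corp.test"}  # display name -> real address
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "confidential")
PAYMENT_TERMS = ("wire", "transfer", "invoice", "bank details", "account number")


def levenshtein(a, b):
    """Edit distance, used to spot domains one typo or homoglyph away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=OUR_DOMAIN):
    """True for a domain that imitates the trusted one without being it (acme-c0rp.test, acme-corp-billing.test)."""
    if domain == trusted:
        return False
    label, trusted_label = domain.split(".")[0], trusted.split(".")[0]
    return levenshtein(label, trusted_label) <= 1 or trusted_label in label


def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    score, reasons = 0, []

    # Executive's display name on an address that is not the executive's
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        score += 3
        reasons.append(f"display name '{name}' but sender is {addr}")

    # Reply-To pointing somewhere other than the visible sender
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        score += 2
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # Sender domain that imitates ours
    if domain != OUR_DOMAIN and is_lookalike(domain):
        score += 3
        reasons.append(f"look-alike sender domain {domain}")

    # Payment request, weighted higher when paired with urgency language
    body = msg.get_payload().lower()
    urgent = any(t in body for t in URGENCY_TERMS)
    if any(t in body for t in PAYMENT_TERMS):
        score += 2 if urgent else 1
        reasons.append("payment request" + (" with urgency language" if urgent else ""))
    return score, reasons


# Constructed sample messages (plain-text, single-part)
SAMPLES = {
    "reply_to_diversion": (
        "From: Jane Doe <jane.doe@acme-corp.test>\n"
        "Reply-To: Jane Doe <janedoe.ceo@webmail.test>\n"
        "Subject: Quick favor\n\n"
        "I need an urgent wire transfer processed before noon. Keep this confidential.\n"
    ),
    "lookalike_vendor": (
        "From: Accounts Payable <ap@acme-c0rp.test>\n"
        "Subject: Updated remittance\n\n"
        "Please find our new bank details for invoice 4471 attached.\n"
    ),
    "display_name_only": (
        "From: Jane Doe <janedoe.ceo@webmail.test>\n"
        "Subject: Are you at your desk\n\n"
        "Need you to handle a transfer immediately, call when free.\n"
    ),
    "benign": (
        "From: Jane Doe <jane.doe@acme-corp.test>\n"
        "Subject: Board deck\n\n"
        "Slides are in the shared folder, see you at 3.\n"
    ),
}


def triage(samples=SAMPLES):
    """Score every sample and return {name: score} for review."""
    return {name: score_message(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score_message(raw))
```

The weights are arbitrary starting points; what matters is that each indicator is checked independently, so a message that passes SPF and DMARC on a genuine-looking domain can still be held for review when its Reply-To leads elsewhere. Messages with multipart bodies would need `msg.walk()` to find the text part; the samples here are single-part to keep the example short.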

Insurance Coverage for Business Email Compromise:

Businesses can obtain insurance coverage to mitigate financial losses resulting from BEC attacks through various types of insurance policies, including:

  1. Cyber Insurance: Cyber insurance policies typically provide coverage for financial losses resulting from data breaches, cyber-attacks, and fraud, including BEC incidents. Coverage may include funds transfer fraud, business interruption, data breach response expenses, and legal liabilities.
  2. Crime Insurance: Crime insurance policies may provide coverage for losses resulting from fraudulent acts, including BEC attacks. Coverage may include employee dishonesty, forgery or alteration, and computer fraud.
  3. Cyber Liability Insurance: Cyber liability insurance policies specifically tailored to address liabilities arising from cyber-attacks, data breaches, and privacy violations may also provide coverage for BEC-related losses. Coverage may include legal defense costs, settlements, and judgments arising from third-party claims.

Obtaining Insurance Coverage:

Businesses can obtain insurance coverage for BEC attacks through insurance brokers, agents, or directly from insurance carriers specializing in cyber insurance and related products. Insurance providers will typically assess the business's risk profile, including its industry, size, revenue, cybersecurity measures, and past claims history, to determine coverage options and premiums.

Premiums and Expectations:

Premiums for insurance coverage against BEC attacks will vary depending on factors such as the level of coverage desired, the business's risk profile, industry, size, and claims history. Premiums may be higher for businesses operating in industries deemed high-risk for cyber-attacks or with a history of past incidents. Businesses can expect to pay annual premiums ranging from several hundred to several thousand dollars, with coverage limits tailored to meet the business's specific needs and risk tolerance.


Business email compromise (BEC) represents a significant cyber threat to businesses of all sizes, resulting in financial losses, reputational damage, and legal liabilities. By implementing robust cybersecurity measures, providing employee training, and obtaining insurance coverage tailored to mitigate the risks of BEC attacks, businesses can better protect themselves against the financial and operational impacts of cybercrime. In the event of a BEC incident, businesses should take immediate action to respond effectively, mitigate losses, and prevent future attacks. If you have any questions about how to protect your business, or if your business is the unfortunate victim of an attack, call the business attorneys at MSD Business for a free consultation.

About the Author:

Chase Carpenter is a partner in the Business Division of Law Offices of Moffa, Sutton, & Donnini, P.A. His practice revolves around business transactions and business litigation. Mr. Carpenter handles a wide range of cases including contract drafting, partnership disputes, commercial leases, and construction litigation. These cases encompass diverse industries, including healthcare, technology, real estate investment, and government contracting.

About the Firm:

The Law Offices of Moffa, Sutton, & Donnini, P.A., also known as MSD Business, is a local business law firm in Tampa, FL, serving clients throughout Fort Lauderdale and statewide. Our firm has a long history of helping clients navigate all types of complex legal matters, including local and state tax issues. In our business law practice, we assist clients with everything from mergers and acquisitions to contract disputes, business litigation, general counsel, and more.