
Phishing and BEC: Protecting Your Organization

Simha Infobiz
April 27, 2024
6 min read

Business Email Compromise (BEC) costs companies billions. It hacks people, not computers. Firewalls can't stop a CEO from willingly wiring money to the wrong person.

The Scam Mechanics

  1. Spoofing: The attacker registers company-name.co (instead of .com) and emails the CFO. Visually, it looks identical.
  2. Account Takeover: The attacker steals a real employee's password (via a phishing link) and lurks in their inbox, reading how they write. When a big invoice is due, they reply as that employee with "updated wiring instructions."

Prevention Strategies

  1. Multi-Factor Authentication (MFA): Mandatory. Everywhere. This stops 99.9% of account takeovers. Even if they have the password, they can't log in without the phone.
  2. External Email Tagging: Configure your mail server (Exchange/G-Suite) to prepend [EXTERNAL] to the subject line of any email coming from outside your organization. If the "CEO" emails you and it says [EXTERNAL], it's a scam.
  3. Process Verification: Wire transfers should never be authorized via email alone. Require voice verification (call the known phone number, not the one in the email) for any payment over $500.

Key Takeaway

BEC is a social engineering attack, not a technical hack. The best defense is a combination of technical controls (MFA, Email Tagging) and strict human processes (voice verification). Trust no one, especially not "urgent" emails from the Boss.
