The FBI’s Internet Crime Complaint Center issued an advisory in the summer of 2019 warning of an increase in a type of fraud called Business Email Compromise (BEC). A BEC scam targets employees with access to company finances, such as your accounts payable department. For example, a typical BEC scam looks like an email from the company’s CEO asking an employee in accounts payable to make a wire transfer into a bank account that appears to belong to one of the company’s trusted partners. Unfortunately, the email and the bank information are both phony, and the accounts payable employee ends up sending money to the criminals. The FBI found that BEC attacks are up by 1,300%, with companies large and small defrauded out of over $3 billion. Unfortunately, because Microsoft Office 365’s Outlook email client is so popular, the majority of BEC victims are Outlook email users.
So, as 2019 closes, how can your company protect your Outlook email and avoid falling victim to BEC scams in 2020? Amaxra cybersecurity consultants have three easy-to-implement tips that can help keep your business email safe in the new year.
Tip #1 – Create an automated BEC hunting rule for all emails
Exchange Online is the powerful cloud-based email service for Office 365 (and the stellar Microsoft 365 For Business suite). All of your Outlook email messages, calendar invitations, et cetera flow out of the Exchange Online service. You can control which emails coming from the cloud get flagged as potential BEC scams using the administrative controls for Exchange Online in either Office 365 or Microsoft 365.
Scammers often trick users in a BEC attack by using web domains that look like a legitimate company’s email domain. For example, scammers know your accounts payable employees get legitimate emails from my.CEO@examplecompany.com and therefore try to trick them using email coming from the similar-looking yet fraudulent @example-company.com domain.
In Exchange Online, you can create a rule that hunts for and automatically flags emails from similar-looking domains that are coming into your inbox.
To set up these email rules on a company-wide basis, follow these steps:
- Sign into Office 365 (or Microsoft 365) using your administrator account, and then choose the Admin tile.
- In the admin center, choose Admin centers/Exchange.
- Go to Mail flow > Rules and create a new rule that applies to all senders where the condition is “The sender’s domain is”, then manually add the web domains that are similar to your own. If you don’t see the full list of conditions, click More options > The sender under Apply this rule if.
This is the simplest way to set up such a rule, but seasoned Office 365 admins can use PowerShell commands (which we recommend everyone learn more about) to have more granular control over this process.
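As an added example (not Amaxra’s own script), the same lookalike-domain rule built from PowerShell with the ExchangeOnlineManagement module: it flags the subject, raises the spam confidence level so the message lands in Junk, and prepends a visible warning. The admin account, rule name and lookalike domains below are constructed placeholders; replace them with your own.

```powershell
# Added example: create or update an Exchange Online mail flow (transport) rule that
# flags inbound mail from domains imitating your own. Requires the ExchangeOnlineManagement
# module and an account with Exchange admin rights. All domain values are constructed samples.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@examplecompany.com   # assumed admin UPN

# Your real domain, which must never be flagged, and the similar-looking domains you
# have seen or expect to see (constructed examples; maintain your own list).
$legitDomain      = 'examplecompany.com'
$lookalikeDomains = @(
    'example-company.com',   # hyphen inserted
    'examp1ecompany.com',    # digit 1 in place of letter l
    'examplecompany.co'      # truncated top-level domain
)

$ruleName = 'BEC hunt - lookalike sender domains'   # hypothetical rule name

# Create the rule only if it does not already exist, so the script is safe to re-run.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -Comments 'Flags inbound mail whose sender domain imitates our own' `
        -SenderDomainIs $lookalikeDomains `
        -ExceptIfSenderDomainIs $legitDomain `
        -PrependSubject '[POSSIBLE BEC - VERIFY BY PHONE] ' `
        -SetSCL 6 `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText '<p style="color:red">This message comes from a domain that resembles ours. Do not act on payment or wire instructions without calling the sender on a previously known number.</p>' `
        -ApplyHtmlDisclaimerFallbackAction Wrap `
        -Mode Enforce `
        -Priority 0
}
else {
    # Keep the domain list current as new lookalikes are discovered.
    Set-TransportRule -Identity $ruleName -SenderDomainIs $lookalikeDomains
}

# Review the resulting rule.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, SenderDomainIs, SetSCL, PrependSubject
```

Run it first with -Mode Audit if you want to see what the rule would match before it starts altering messages.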
Tip #2 – Set up multi-factor authentication
Amaxra has blogged in the past about the importance of using multi-factor authentication, and the protection it affords also works against BEC scammers. In our example of an accounts payable employee receiving an email from “the CEO” to wire a sum of money, multi-factor authentication stops the scammers cold. A policy requiring a phone call to the CEO before any transfer is the most low-tech form of multi-factor authentication, but it works.
If the scammer has already compromised the accounts payable employee’s login, then consult with the maker of your accounting software on how multi-factor authentication can be used to confirm requests for transfers of funds. Amaxra recommends that you train employees in this situation to only use previously known phone numbers rather than a phone number provided in the email request. For obvious reasons, your multi-factor authentication would be useless if the accounts payable employee called a phony phone number supplied in the scam email. To see a short video showing you how to configure MFA, see our October TechTalk.
Tip #3 – Review and improve your security posture with Microsoft Secure Score
For businesses that have Microsoft 365 rather than just Office 365, we recommend using the admin tools to assess your company’s Microsoft Secure Score. Microsoft Secure Score is found in the Microsoft 365 Security Center dashboard and provides a measurement of your organization’s overall cyber-security. The “score” is a number based on a scan of your company’s apps and other cloud-based data. This provides you with an easy-to-understand baseline to work from and a list of actionable recommendations to shore up your cyber-security.
Protect your company against cyber-crime in 2020
While our three cyber-security tips are a good first line of defense, stats point to cyber-crime worsening. The world’s largest nonprofit association dedicated to IT security, (ISC)2, reports that businesses faced a massive cyber-security workforce shortage in 2019. Given the sheer volume of attacks most businesses are facing, the severe shortage of experienced cyber-security professionals will likely get worse in 2020.
Start the new year off with an improved cyber-security posture. Let Amaxra’s cyber-security consultants analyze your company’s current IT security. Our cyber-security experts will work with you to craft strategies for protecting your business against BEC, phishing, malware, and other cyber-attacks.
Contact me at firstname.lastname@example.org or call 425 749 7471 if you have any questions or comments on this blog.
Limited time offer: Let Amaxra manage your Office 365 licensing and we will configure security such as multi-factor authentication at no additional cost. Email email@example.com or chat with us on this website to find out more.