On 22 February 2024, the New Straits Times (NST) reported that a manufacturing company lost RM464,400 to an email scam.
This kind of attack is known as business email compromise (BEC): a form of cyberattack in which financially motivated criminals trick executives and employees into sending money to accounts the criminals control.
What happened?
The incident began when the company set out to purchase RM464,000 worth of palm oil from its regular supplier.
The company's accountant received an email, apparently from the supplier, instructing her to transfer the payment to a different bank account.
She complied because the company was familiar with the supplier and had a long-standing business relationship with it, so a change of account details raised no suspicion.
When she later realised that the bank account did not belong to the real supplier, she lodged a police report.
Our Advice
The fraudulent email arrived in the normal course of an existing supplier relationship, and that is what made it convincing. Whether the attacker had taken over a mailbox on one side of that relationship or was writing from a lookalike address, the scammer inserted themselves into a legitimate transaction and redirected the payment to an account under their control.
Avoiding business email compromise (BEC) involves a combination of technical measures, employee training, and vigilant monitoring.
Here are some steps to help prevent BEC:
Technical Measures:
1) Multi-Factor Authentication (MFA):
– Require MFA for all email accounts, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) for finance staff and executives, since one-time codes sent by SMS or app can be relayed by adversary-in-the-middle phishing kits.
2) Email Filtering and Security:
– Use email filtering that detects and blocks phishing emails and malicious attachments, and flags external senders and newly registered or lookalike domains.
– Implement SPF, DKIM and DMARC with an enforcing policy (p=quarantine or p=reject) so that others cannot spoof your domain. These controls protect your own domain only: a message sent from a compromised supplier mailbox, or from a lookalike domain the attacker registered and authenticated, will pass all three checks.
3) Regular Software Updates:
– Ensure all software, especially email clients and web browsers, are up-to-date with the latest security patches.
4) Secure Password Policies:
– Enforce strong, unique passwords (a password manager makes this practical) and block known-breached passwords; require a change when compromise is suspected rather than on a fixed schedule, which tends to produce predictable variations.
– Prohibit reuse of the same password across multiple accounts, in particular reusing a personal password for the corporate mailbox.
Employee Training:
1) Phishing Awareness:
– Conduct regular training sessions to help employees recognize phishing attempts and suspicious emails.
– Use simulated phishing exercises to reinforce training.
2) Verification Protocols:
– Establish a written procedure for verifying any email request for sensitive information or a financial transaction, and above all any change of bank account details: confirm the request through a second channel (a phone call to a number already on file, not one taken from the email, or an in-person check) before acting, no matter how familiar the sender is.
3) Reporting Mechanisms:
– Encourage employees to report suspicious emails or activities immediately to the IT or security team, and make clear that reporting a request they have already acted on is welcome, because speed matters when trying to recall a transfer.
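The email security and verification items above come together in the kind of triage an accounts mailbox or mail gateway can run. The following is an added example, not Condition Zebra's tooling or anything from the NST report: it parses the Authentication-Results header, compares the sender domain against a hypothetical approved-supplier list (APPROVED_VENDOR_DOMAINS) for lookalikes, checks for a Reply-To pointing elsewhere, reads the p= policy out of a DMARC record, and flags any message that asks for payment to a new account so that it is verified by phone. All domains, headers and records are constructed for illustration. It also goes beyond the incident described on the page by including a mailbox-takeover sample, which passes every authentication check and is caught only by the payment-change rule.

```python
"""Triage inbound supplier email for BEC indicators (added example; not
Condition Zebra's tooling). All domains, headers and the DMARC records below
are constructed for illustration; APPROVED_VENDOR_DOMAINS stands in for the
supplier master file an accounts team would maintain."""
import re
from email import message_from_string
from email.utils import parseaddr

APPROVED_VENDOR_DOMAINS = {"palmsupply.example"}  # hypothetical supplier domain

# Requests that change where money goes must be verified out of band.
PAYMENT_CHANGE_PATTERNS = [r"\bnew bank account\b", r"\bupdated? bank details\b",
                           r"\bremit\b.*\bto\b.*\baccount\b"]


def parse_auth_results(header):
    """Map spf/dkim/dmarc -> verdict from an Authentication-Results header."""
    return {m: v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}


def edit_distance(a, b):
    """Levenshtein distance with a rolling row; inputs are short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, approved, max_distance=2):
    """Return the approved domain that `domain` imitates, or None."""
    for good in approved:
        if domain != good and edit_distance(domain, good) <= max_distance:
            return good
    return None


def dmarc_policy(txt_record):
    """Return the p= policy of a DMARC TXT record; 'none' only reports."""
    tags = {}
    for tag in txt_record.split(";"):
        if "=" in tag:
            k, v = tag.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if tags.get("v") != "dmarc1":
        return "missing"
    return tags.get("p", "none")


def assess_message(raw, approved=APPROVED_VENDOR_DOMAINS):
    """Return the BEC indicators found in one RFC 5322 message string."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if parse_auth_results(msg.get("Authentication-Results", "")).get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    imitated = lookalike_of(sender, approved)
    if imitated:
        findings.append(f"lookalike-domain:{sender}~{imitated}")
    elif sender not in approved:
        findings.append(f"unknown-vendor-domain:{sender}")
    if reply_to and reply_to != sender:
        findings.append(f"reply-to-mismatch:{reply_to}")
    body = msg.get_payload()  # samples are single-part, so this is the text body
    if any(re.search(p, body, re.I) for p in PAYMENT_CHANGE_PATTERNS):
        findings.append("payment-detail-change:verify-by-phone")
    return findings


# Constructed samples. All three pass DMARC: the fraud cases are a lookalike
# domain the attacker registered and authenticated, and a genuine supplier
# mailbox that has been taken over, which only the payment-change rule catches.
GENUINE = """From: Accounts <ar@palmsupply.example>
Authentication-Results: mx.buyer.example; spf=pass dkim=pass dmarc=pass
Subject: Invoice 1042

Invoice 1042 attached, payable to our usual account.
"""
LOOKALIKE = """From: Accounts <ar@palrnsupply.example>
Reply-To: Accounts <ar@payments-desk.example>
Authentication-Results: mx.buyer.example; spf=pass dkim=pass dmarc=pass
Subject: Invoice 1042 - updated bank details

We have changed banks. Kindly remit payment to our new bank account below.
"""
TAKEOVER = """From: Accounts <ar@palmsupply.example>
Authentication-Results: mx.buyer.example; spf=pass dkim=pass dmarc=pass
Subject: Invoice 1042 - updated bank details

Our bank details were updated this week; please use the new bank account.
"""

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("takeover", TAKEOVER)]:
        print(name, assess_message(raw))
    print("p=none is monitor-only:", dmarc_policy("v=DMARC1; p=none; rua=mailto:d@buyer.example"))
    print("p=reject enforces:", dmarc_policy("v=DMARC1; p=reject; rua=mailto:d@buyer.example"))
```

The takeover sample is the instructive one: authentication passes, the domain is on the approved list and there is no Reply-To trick, so the only thing that stops the transfer is the rule that a change of bank details is never actioned from email alone. The dmarc_policy helper makes the same point for your own domain: a record published with p=none is monitoring only, and others can still spoof you until it is moved to p=quarantine or p=reject.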
Monitoring and Incident Response:
1) Monitor Email Accounts:
– Regularly monitor email accounts for unusual sign-ins (new countries, impossible travel, legacy protocols) and for newly created mail-forwarding or deletion rules, which attackers set up to copy or hide their correspondence with the victim.
– Use logging and alerting on these events so that a compromise is detected before a payment is redirected rather than after.
2) Data Encryption:
– Encrypt sensitive data in transit and at rest to protect it from unauthorised access.
3) Incident Response Plan:
– Develop and maintain an incident response plan specifically for BEC incidents, including how to contact the bank immediately to attempt a recall of the funds and how to lodge the police report.
– Ensure employees know the steps to take if they suspect a BEC attack, including one they have already acted on.
Vendor and Partner Security:
1) Vendor Risk Management:
– Assess the security practices of vendors and partners, especially those with access to sensitive information or systems.
– Agree with each vendor in advance how bank details will be changed (never by email alone, always confirmed by a call to a known contact), so that an unexpected change request is itself a warning sign.
Regular Audits and Assessments:
1) Conduct Regular Audits:
– Perform regular security audits and assessments to identify and address vulnerabilities in your email system and overall IT infrastructure.
2) Penetration Testing:
– Include social engineering in the scope of penetration tests, with simulated BEC requests to finance staff (for example a supplier asking for a change of bank account), to confirm that the verification procedure is actually followed.
By implementing these measures, organisations can significantly reduce the risk of falling victim to business email compromise.
Condition Zebra provides Cybersecurity Solutions and Cybersecurity Training for public and private SMEs in various industries, Financial Services (Banks and insurance), Government Ministries and agencies, and Government-linked companies.
At Condition Zebra, we specialise in tailor-made cybersecurity solutions designed specifically for businesses like yours. Our services include:
- Penetration Testing
- Source Code Review
- Social Engineering Testing
- Managed Security Services
- Security Awareness Training
Source:
New Straits Times, 22 February 2024: Company loses RM464,400 in email scam
OpenAI. (2024). ChatGPT