10 Best Practices To Avoid BEC And CEO Fraud Attacks

October 26, 2021 | How to, ATTACK Simulator Guides

In today’s heavily digitalized world, BEC and CEO fraud attacks can result in massive losses, and no company is safe. Scammers might make yours their next unlucky target.

But not to worry. We’ve got you covered with our list of 10 best practices to prevent BEC and CEO fraud attacks.

What Are BEC And CEO Fraud Attacks?

BEC is a cyberattack in which a hacker illicitly obtains access to a business email account and impersonates the rightful owner to trick the company and its employees, customers or partners, into transferring money to the scammer’s account.

A CEO fraud scam is a very similar type of attack but is not limited to the definition above. For example, gift card scams are associated with CEO fraud, and they are virtually impossible to trace once they’ve been sent out. However, these phishing attacks might not necessarily be CEO-specific. For example, cybercriminals can pretend to be HR managers. The employee has even less suspicion when the sender is someone lower in the company and closer to their rank.

Top 10 Security Practices Against BEC And CEO Fraud Attacks

1. Train your employees to spot these common impersonation strategies

Domain name spoofing – in this method the attacker either forges the envelope sender (“Mail From”) so that it matches the target’s domain, or keeps a real domain in the “Mail From” value but sets a spoofed “Reply-To” domain in the message header.

Figure: example of a spoofed email impersonating HSBC Bank (BEC and CEO fraud attacks often use spoofed emails). Credit: MDaemon Technologies

A quick look at the email header reveals a Return-Path address that has nothing to do with the “From” address. So, by replying to the message, you’d write to frank.thomas@example.com instead of HSBC Bank.

Figure: the header of the spoofed message. Credit: MDaemon Technologies

Display name spoofing – this is by far the most common BEC technique. The scammer registers a free email account, often one that contains the name of a company executive, sets the display name to match your CEO or another executive, and sends phishing emails from that address. It works because employees often look only at the display name and never check the actual email address.

Example of Display Name Spoofing. Credit: MDaemon Technologies

Lookalike domain spoofing – this method involves registering bogus domains whose names contain characters that look like those of the legitimate domain. Attackers then use these domains to send phishing emails. Without paying close attention, the recipient will take the message to be from the legitimate domain.

Business Email Compromise email using lookalike domain. Credit: MDaemon Technologies

Compromised email account – this is another method commonly used by scammers. It entails the use of hacked legitimate email accounts to exfiltrate information or steal money; because the mail really does come from the account, sender authentication alone will not catch it.
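As an added example (not code from the original article or from MDaemon), the following Python check applies the first three strategies above to a message’s headers: it flags a Reply-To or Return-Path domain that differs from the From domain, a known executive’s display name on an address outside the company, and a lookalike of the company domain. COMPANY_DOMAIN, EXECUTIVES, the confusable-character table and the sample message are constructed assumptions.

```python
"""Flag BEC header indicators. Constructed example; domain, names and message are assumptions."""
from email import message_from_bytes, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"             # assumed: the defended organization
EXECUTIVES = {"jane doe", "frank thomas"}  # assumed: names a scammer would impersonate
# Character swaps commonly used to build lookalike domains (rn->m, vv->w, 0->o, 1->l, ...)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(domain):
    """Fold confusable characters so a lookalike collapses onto the real domain."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(raw):
    """Return a list of findings for one raw RFC 5322 message; empty means no indicator."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    # Domain name spoofing: reply or bounce address points somewhere other than From
    for hdr in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(hdr, ""))
        if addr and domain_of(addr) != from_dom:
            findings.append(f"{hdr} domain {domain_of(addr)} differs from From domain {from_dom}")
    # Display name spoofing: executive's name attached to an address outside the company
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' used with external domain {from_dom}")
    # Lookalike domain: differs from the real domain only by confusable characters
    if from_dom != COMPANY_DOMAIN and normalize(from_dom) == normalize(COMPANY_DOMAIN):
        findings.append(f"lookalike domain {from_dom} imitates {COMPANY_DOMAIN}")
    return findings

# Constructed sample message combining several of the indicators above
SAMPLE = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.urgent.request@freemail.invalid>
Return-Path: <bounce@freemail.invalid>
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

if __name__ == "__main__":
    for finding in check_headers(SAMPLE):
        print("FLAG:", finding)
```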

2. Claim the name

It’s highly advisable that you register all domain names similar to yours to avoid attacks that use lookalike domain spoofing.

3. Oversharing is NOT caring

Be wise about what you post on social media platforms, especially job titles, company structure data, and out-of-office information.

4. Use SPF, DKIM, and DMARC

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) are email authentication mechanisms designed to stop spoofing. Ensure your domain publishes valid SPF, DKIM, and DMARC records and that your mail server or provider validates all inbound mail against them.
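As an added example (not part of the original article), the following Python rates SPF and DMARC TXT records and shows a weak record beside its corrected form. The record strings are constructed for illustration; DKIM is left out because checking it requires the message signature and the DNS key, not only the record text.

```python
"""Rate SPF and DMARC TXT records for anti-spoofing strength. Records below are constructed."""

def parse_tags(record, sep=";"):
    """Split 'k=v; k=v' style records (DMARC) into a dict with lowercase keys."""
    tags = {}
    for part in record.split(sep):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(record):
    """Return weaknesses in an SPF record; an empty list means it is acceptable."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1]
    if last in ("+all", "all"):              # bare 'all' defaults to the '+' qualifier
        return ["'+all' authorizes every sender; use '-all' or '~all'"]
    if last == "?all":
        return ["'?all' is neutral and gives receivers no signal"]
    if last not in ("-all", "~all"):
        return ["record does not end with an 'all' mechanism"]
    return []

def assess_dmarc(record):
    """Return weaknesses in a DMARC record; an empty list means spoofing is rejected and reported."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none")
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("sp", policy) == "none":     # sp defaults to p when absent
        issues.append("subdomain policy sp=none leaves subdomains spoofable")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address, so spoofing attempts are never reported")
    return issues

WEAK_SPF = "v=spf1 include:_spf.example.com +all"
STRONG_SPF = "v=spf1 include:_spf.example.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec, fn in (("SPF", WEAK_SPF, assess_spf), ("DMARC", WEAK_DMARC, assess_dmarc)):
        print(label, rec, "->", fn(rec) or "ok")
```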

5. Enable TFA

TFA (two-factor authentication) requires the user to provide two forms of authentication: a password plus a verification code, a fingerprint, or another form of verification.

6. Ditch the “123” type of password

Implement policies regarding passwords and require regular password changes in your company. A strong password must:

  • Meet a minimum length requirement.
  • Contain both letters and numbers.
  • Contain both lower and upper case letters.
  • Not contain a full name or a birthday.
  • Not be a common password such as Password1, Password123, Letmein, and so on.

7. Beware of the unknown

While it’s a good thing to step out of your comfort zone and into the unknown from time to time, this doesn’t apply to when you receive emails from unknown senders. Don’t open them, click on links, or download the files attached. When in doubt, flag the message and report it to the company’s IT security team.

8. Establish strict wire transfer rules

Before acting on a wire transfer request, thoroughly check that the vendor is on the approved list and that the attached invoice is authentic. To be safe, confirm in person or by phone, using previously known numbers or ones you can find on the vendor’s official website, never a number given in the request itself.

9. One antivirus run a day keeps the bad guys away

Okay, you don’t have to run the antivirus software every day. But make sure you do run it frequently and regularly and always keep it up-to-date.

10. Provide security awareness training for your employees

While conventional security practices such as technological defenses and email filters can be effective, security awareness training for your staff is vital to avoid falling victim to BEC and CEO fraud attacks.

Aside from BEC and CEO fraud, there are numerous types of phishing waiting to prey on the perfect unsuspecting employee in your company and launch a devastating attack. Over one billion phishing emails are sent out each day, and many of them bypass security filters. Thus, you need to be able to rely on your employees to stay vigilant and spot phishing scams.

Researching the latest phishing trends and strategies and adequately training your employees can be a hassle, so leave it to professionals.

Here are a few perks of choosing ATTACK Simulator:

  • Automated attack simulation – we simulate all kinds of cyberattacks.
  • Real-life scenarios – we evaluate how easily users give away company or personal data using realistic web pages.
  • User behavior analysis – we gather user data and compile it into extensive reports to give you a detailed picture of your employees’ security awareness level.
  • Malicious file replicas – our emails contain replicas of malicious files to make the simulation as realistic as it can be.
  • Interactive lessons – if employees fail to recognize our traps and fall into one, they will discover lessons on the best security practices.
  • Brand impersonation – we impersonate popular brands to make the phishing simulations all the more realistic.

ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.

Put your employees to the test with our free security awareness training trial and determine where you stand against a phishing attack!


Feature Image: Photo by Marina Zaharkina on Unsplash

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.
