Business email compromise (BEC) is one of the most prevalent data breach claims we see at Coalition. Put simply, a BEC occurs when an employee’s email account is accessed by an attacker. This usually occurs because of lost, stolen, or guessed passwords.
The impact of a BEC is much wider than a password change or losing access to an account. Email is one of the primary methods of communication for most modern businesses. As such, we rely on email to store personal, confidential, financial, and other sensitive data – often for many years at a time.
Unfortunately, when a BEC occurs, it’s often not possible to tell exactly which emails are compromised. Why is that important? Because most states have data breach laws that require the victim to notify everyone who has had their personally identifiable information (PII) compromised. If you can’t determine which specific emails were compromised (common), you may be obligated to notify everyone who has PII stored in your mailbox.
That’s not as easy as it sounds, either. In these cases, a forensics firm will download all your email and begin the process of discovering all the data in the mailbox (called eDiscovery). While tools exist for this kind of work, it is still largely a manual verification process requiring many hours of searching and cataloging data. Then, on to the costs of notification!
It’s not uncommon to see a simple Business Email Compromise claim exceed $20k. When you consider the cost of the attorney, incident responders, forensic analysts, breach notification letters, postage, and credit protection (in some cases), the costs add up quickly!
How to Prevent Business Email Compromise
Fortunately, there is a free and easy way to curb nearly all BEC claims – Multi-Factor Authentication (MFA). We discuss MFA in another article, but briefly speaking, MFA ensures that even if you lose your password, an attacker cannot access your account without your phone or some other device. The best part is, it’s a free solution available with most major email service providers!
Preventing Business Email Compromise is easy to do and can result in avoiding massive costs and reputational harm. If you’d like more help with this, or any other topic, please reach out! We’re here to help.