In recent years, email has become essential to our daily lives. Believe it or not, the number of emails sent is still increasing, even with the popularity of other communication channels such as WhatsApp and Slack. With this growing dependence on email, one of the most significant cyber threats facing school staff today is Business Email Compromise (BEC).
Why is it important to pay particular attention to BEC attacks? Because they’ve been on the rise. BEC attacks jumped 81% in 2022, and as many as 98% of staff fail to report the threat.
What is Business Email Compromise (BEC)?
Firstly, don’t stop reading because I’m using the term ‘Business’ Email Compromise 🙂 This is a MASSIVE threat to schools. Business Email Compromise (BEC) is a scam in which criminals use email fraud to trick an organisation into sending money to accounts they control. They mainly target the people who make or approve wire transfer payments, so this is essential reading for school back-office and finance staff. For international schools, it often takes the form of school fee fraud, where parents are sent fake invoices or ‘updated’ bank details and pay fees into bogus accounts.
The scammer pretends to be a supplier to the school or, if targeting parents, pretends to be the school itself. The emails ask the recipient to make a payment, change the bank account held on file for a supplier, or transfer funds in some other form.
According to the FBI, BEC scams cost the victims around $1.8 billion in 2020. That figure increased to $2.4 billion in 2021. These scams can cause severe financial damage to schools and harm their reputations.
How Does BEC Work?
BEC attacks are usually well-crafted and sophisticated, making them difficult to identify. The attacker first researches the target school and its staff: how the school operates, who its suppliers are, when school fees are billed, and who its partners are.
Much of this information is freely available online. Scammers can find it on LinkedIn, Facebook, and, most commonly, on schools’ websites, which often give away a great deal: staff names and roles, the finance office contact, term dates and fee schedules. Once the attacker has enough information, they can craft a convincing email. It’s usually designed to appear to come from a trusted partner of the school or, as I mentioned above, from the school itself if parents are being targeted.
The email asks the recipient to make a payment or transfer funds, usually with a sense of urgency that pushes them to act before checking. The attacker may also pose as a trusted contact, send from a lookalike domain that differs from the real one by a single character, set a Reply-To address so that replies go to the scammer rather than the person the email appears to be from, or set up a fake website that mimics the school’s site. In the most damaging cases the email comes from a genuinely compromised mailbox at the school or a supplier, so it passes every technical check and only the content gives it away. These tactics make the email seem legitimate.
If the recipient falls for the scam and makes the payment, the money is rarely recovered: it is typically moved out of the receiving account within hours, and the chance of a successful recall drops sharply the longer the transfer goes unnoticed.
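Several of those tells can be checked mechanically before anyone acts on a payment email. The script below is an added example written for this post, not code from Appsevents or any mail product: it reads a message’s headers and flags a sender domain that imitates a trusted one (including digit-for-letter swaps such as ‘1’ for ‘l’), a Reply-To that diverts replies elsewhere, a display name that borrows the school’s name from an untrusted address, and urgency wording in the subject. The school domain, the two messages and the trusted-domain list are all constructed for illustration (the `.example` TLD is reserved and does not resolve).

```python
"""Flag common Business Email Compromise tells in a message's headers.

Added example for this post; not code from Appsevents or any mail product.
Domains, addresses and both messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional, Set

# The .example TLD is reserved for documentation, so none of these domains exist.
TRUSTED_DOMAINS: Set[str] = {"brightwater-school.example"}
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "overdue")

# Constructed scam message: lookalike domain ('1' for 'l') and a diverted Reply-To.
SCAM_RAW = """\
From: "Accounts - Brightwater School" <accounts@brightwater-schoo1.example>
Reply-To: Brightwater Fees <fees@brightwater-payments.example>
To: parent@example.com
Subject: URGENT: new bank details for Term 2 fees - pay today
Date: Mon, 03 Apr 2023 08:12:00 +0000

Dear parent, our bank has changed. Please use the new account below.
"""

# Constructed genuine message from the real domain, for comparison.
GENUINE_RAW = """\
From: "Accounts - Brightwater School" <accounts@brightwater-school.example>
To: parent@example.com
Subject: Term 2 fee invoice attached
Date: Mon, 03 Apr 2023 09:00:00 +0000

Dear parent, please find the Term 2 invoice attached.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (short enough to write out rather than import)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold the digit-for-letter swaps scammers use, so 'schoo1' compares as 'school'."""
    return domain.lower().translate(str.maketrans("01", "ol"))


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted: Set[str], max_dist: int = 2) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(normalise(domain), normalise(t)) <= max_dist:
            return t
    return None


def analyse(raw: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable findings; an empty list means no tells were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    imitated = lookalike_of(from_dom, trusted)
    if imitated:
        findings.append(f"sender domain {from_dom} is a lookalike of {imitated}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not to the From domain {from_dom}")
    if from_dom not in trusted:
        # The organisation name is taken as the first label of each trusted domain.
        for t in trusted:
            org = t.split(".")[0].split("-")[0]
            if org in from_name.lower():
                findings.append(f"display name claims '{org}' but the address is {from_addr}")
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency wording in subject: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_RAW), ("genuine", GENUINE_RAW)):
        print(label, analyse(raw) or ["no tells found"])
```

Run against the constructed scam message it reports four findings; the genuine message reports none. The edit-distance threshold of 2 and the digit folding are deliberately crude: a real deployment would also compare against Unicode confusables, and a message from a genuinely compromised supplier mailbox would pass all of these checks, which is why the payment verification steps later in this post matter more than any filter.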
How to Fight Business Email Compromise
BEC scams can be challenging to prevent. But there are measures schools can take to cut the risk of falling victim to them.
Educate School Staff
Schools should educate their staff about the risks of BEC. This includes training on how to identify and avoid these scams (contact Appsevents. We can help :)). Staff should be aware of the tactics scammers use, for example urgent requests, changes to bank details, social engineering, and fake websites.
Training should also cover email account security, including:
- Turning on multi-factor authentication (2-Step Verification in Google Workspace) for their email account. This is the single most effective defence against a mailbox takeover
- Checking their sent folder, and their forwarding and filter rules, for anything they did not create. Attackers who get into a mailbox often add a rule that silently forwards or hides messages
- Using a strong, unique email password of at least 12 characters that is not reused on any other site
- Changing their email password immediately if they suspect it has been exposed, rather than on a fixed schedule
- Storing their email password in a password manager, not in a document, on paper, or in the browser of a shared computer
- Notifying the Tech Director or IT staff as soon as they suspect a phishing email, even if they have already clicked on it
Enable Email Authentication
Schools should implement the three email authentication protocols on their own domain:
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
These protocols let receiving mail servers check that a message claiming to come from your domain really was sent by your mail service: SPF publishes the list of servers allowed to send for the domain, DKIM adds a cryptographic signature to outgoing messages, and DMARC tells receivers what to do with a message that fails both checks and sends you reports on who is sending as your domain. Together they reduce the risk of email spoofing, and as a side benefit they keep your genuine emails out of junk mail folders. Two caveats: a DMARC policy of p=none only monitors and blocks nothing, so aim for p=reject once your reports show only legitimate senders; and none of these protocols stops a lookalike domain or mail from a supplier’s genuinely compromised account, which is why the payment verification steps below still matter.
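Publishing the records is easy; publishing them in a form that actually blocks anything is where schools often stop short. The linter below is an added example written for this post, not code from Appsevents or any DNS tool. It takes SPF and DMARC TXT records as strings (so it runs offline; in practice you would fetch them first, for example with `dig +short TXT yourschool.org` and `dig +short TXT _dmarc.yourschool.org`) and reports the settings that leave the domain spoofable: `+all`, `~all` or a missing `all` in SPF, more than the ten DNS-lookup terms RFC 7208 allows, and `p=none`, a partial `pct`, or a missing report address in DMARC. The four records and the school domain in them are constructed.

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example for this post; not code from Appsevents or any DNS tool. The
records below are constructed, and the school domain does not exist.
"""
from typing import Dict, List

# Constructed records. The weak pair is what a half-finished rollout often looks like.
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:_spf.google.com -all"
GOOD_DMARC = ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
              "rua=mailto:dmarc-reports@brightwater-school.example")

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def mech_name(term: str) -> str:
    """'-include:x.example' -> 'include', 'a/24' -> 'a', 'redirect=y' -> 'redirect'."""
    name = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name.lower()


def lint_spf(record: str) -> List[str]:
    problems: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechs = terms[1:]
    all_terms = [m for m in mechs if mech_name(m) == "all"]
    if not all_terms:
        problems.append("no 'all' term: hosts matched by nothing else get a neutral result")
    else:
        last_all = all_terms[-1]
        # A missing qualifier means '+', i.e. pass.
        qualifier = last_all[0] if last_all[0] in "+-~?" else "+"
        if qualifier == "+":
            problems.append("'+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            problems.append("'?all' is neutral: spoofed mail neither passes nor fails")
        elif qualifier == "~":
            problems.append("'~all' is softfail: acceptable during rollout, move to '-all' once DMARC reports are clean")
        if mechs[-1] != last_all:
            problems.append("terms after 'all' are never evaluated")
    lookups = sum(1 for m in mechs if mech_name(m) in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if any(mech_name(m) == "ptr" for m in mechs):
        problems.append("'ptr' is deprecated by RFC 7208 and slow to evaluate")
    return problems


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> List[str]:
    problems: List[str] = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    pol = tags.get("p", "").lower()
    if pol == "none":
        problems.append("p=none only monitors: spoofed mail is still delivered")
    elif pol == "quarantine":
        problems.append("p=quarantine sends spoofs to junk; p=reject refuses them")
    elif pol != "reject":
        problems.append("missing or unknown p= tag: record is invalid or treated as monitoring only")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        problems.append(f"pct={tags.get('pct')}: policy applied to only part of failing mail")
    if "rua" not in tags:
        problems.append("no rua= address: you receive no reports on who sends as this domain")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        problems.append("relaxed alignment (adkim/aspf default 'r'): any subdomain aligns; "
                        "set 's' if you do not send from subdomains")
    return problems


if __name__ == "__main__":
    for name, rec, lint in (("weak SPF", WEAK_SPF, lint_spf), ("good SPF", GOOD_SPF, lint_spf),
                            ("weak DMARC", WEAK_DMARC, lint_dmarc), ("good DMARC", GOOD_DMARC, lint_dmarc)):
        print(name, lint(rec) or ["ok"])
```

The weak pair is accepted by every mail receiver and looks “done” in a DNS panel, yet it blocks nothing: `+all` passes any sender, and `p=none` asks receivers to deliver failing mail anyway. DKIM is not linted here because its record is a per-selector public key, and whether your mail is actually signed can only be confirmed on a received message (the Authentication-Results header in Gmail’s “Show original” view shows the SPF, DKIM and DMARC results for any message).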
Deploy a Payment Verification Process
Schools should deploy a payment verification process that does not rely on email alone. The most important rule: any request to change bank account details, and any unexpected payment request, is confirmed by phone using a number already on file for the supplier or parent, never a number taken from the email itself. Add confirmation from multiple parties, so that at least two people approve every wire transfer and every change to payment details. Two-factor authentication on the online banking portal protects the account itself, but it does not tell you whether a request is genuine, so it complements these checks rather than replacing them. It’s always better to have more than one person verify a financial payment request.
Check Financial Transactions
Schools should review all financial transactions and look for irregularities, such as unexpected wire transfers, new payees, or changes to a supplier’s payment instructions.
These reviews are easily forgotten if they are not scheduled. Set up a recurring calendar item for the review and choose a frequency that makes sense for your transaction volume.
Establish a Response Plan
Schools should establish a response plan for BEC incidents before one happens. It should cover who reports the incident and to whom; how to contact the bank immediately to attempt a recall of the transfer (the chances are best in the first hours); how to notify law enforcement (in the US, the FBI’s Internet Crime Complaint Center at ic3.gov); and how to preserve the original email, including its full headers, as evidence. If the scam email came from a school mailbox, the plan should also cover resetting that account’s password, signing out its active sessions, and removing any forwarding rules the attacker added.
Use Anti-phishing Software
Schools can use anti-phishing software to detect and block fraudulent emails. These tools are improving as machine learning is applied to sender behaviour and message content, though no filter catches everything, which is why the verification steps above still apply. Specifically, if your school is using Google Workspace, you should definitely be using the upgraded Workspace Education Plus, which includes a fantastic security sandbox that is a huge help in fighting phishing (we can set up a free trial and walk you through the advanced security features).
Need Help with Email Security Solutions?
Money only takes a moment to leave your school bank account and be virtually unrecoverable. Don’t leave your emails unprotected. Please feel free to message me with any questions. I’m always happy to talk.