Cyber Security in the New Year
The General Manager for Microsoft’s Cybersecurity Solutions Group predicts that one of the major challenges of 2019 will be Business Email Compromise. Yes, it’s BEC again. In case you’re unaware, BEC is a fraudulent request for money or valuable information. The request appears to be from a person within your company. For example, Accounts Payable receives an urgent request from the CEO to pay a vendor invoice. Perhaps the CFO gets an email from the CEO asking that he/she wire money for an upcoming acquisition and to keep it hush-hush. Or the CEO requests that HR or Payroll send all employee W-2s through email. These scams are very successful — after all, who is likely to question the CEO? Unfortunately, in these scams, the requester is a fraudster who is either impersonating the CEO from a different email address or has gained access to his/her email.
The FBI has an entire website dedicated to Internet Crime and BEC. The FBI’s Internet Crime Complaint Center (IC3) received close to 16,000 BEC, or Email Account Compromise (EAC), complaints in 2017, totaling $676 million in losses.
One way to defend your bottom line is through well-defined procedures and training. At Cyber Safe Workforce, our business is security awareness training. However, we recognize the importance of having clear and precise information- and financial-handling procedures. With such procedures in place, you can train employees to handle information and money appropriately so that BEC scams fail. Make sure employees see the connection between good information-handling procedures and safety from BEC. They should understand the importance of their role in protecting the organization.
It’s important that top leadership also be aware of these scams. Create a culture that encourages employees to verify requests that aren’t made in person or that seem suspicious. Allow employees to take an offline verification step, such as calling or texting the requester, or another point of contact if the CEO or other senior leadership is unavailable.
As 2019 kicks off, it behooves you to review your information- and financial-handling procedures. If requests for payment or other valuable information are being made over email or other messaging, implement an offline verification step. Educating the gatekeepers of financial (Accounts Payable, Payroll) and other sensitive information should be at the top of your to-do list when it comes to cyber security awareness.