
Ten ways to combat email compromise

It's time to take control of your email! Vendor and Business Email Compromise are leading methods that criminals use to fraudulently acquire funds. Implement the following at your business to reduce your risk and avoid adding to the $2 billion already lost to these scams each year.

External email warning

Add a warning message to all incoming emails that do not come from your company. This helps your employees spot emails sent from a look-alike domain.

Continuous domain monitoring

Actively monitor for newly registered domains that could be targeting your customers or employees. These sites could be set up for phishing, spoofed email, and more. Services like DomainAlarm can provide alerts for this.

Check your spoofing settings

Ensure your email provider's anti-spoofing settings are strict. They should flag emails where the visible "From" address differs from the actual sending address.
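The external warning and the From/sender mismatch check described above, as an added example that is not part of the original page. It uses Python's standard `email` package; the internal domain, banner text and sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # constructed: the organisation's own domains
BANNERS = {
    "external": "[EXTERNAL] This email did not originate from our organisation.",
    "from_mismatch": "[CAUTION] Visible sender differs from the actual sending address.",
    "dmarc_fail": "[CAUTION] This email failed DMARC authentication.",
}

# Constructed sample: the header "From" claims the internal domain, but the envelope
# sender is a look-alike domain and the receiving MTA recorded a DMARC failure.
SPOOFED = b"""Return-Path: <bounce@examp1e-pay.net>
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com
From: "Accounts Payable" <ap@example.com>
Subject: Updated banking details
Content-Type: text/plain; charset="us-ascii"

Please update our remittance account before Friday.
"""

def _domain(value):
    """Lowercased domain of an address header value, or '' if none."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def assess(raw):
    """Checks a mail gateway would run on an inbound message before delivery."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg.get("From"))
    # Envelope sender as recorded by the receiving MTA; fall back to Sender.
    envelope_domain = _domain(msg.get("Return-Path") or msg.get("Sender"))
    auth = str(msg.get("Authentication-Results") or "").lower()
    return {
        "external": from_domain not in INTERNAL_DOMAINS,
        "from_mismatch": bool(envelope_domain) and envelope_domain != from_domain,
        "dmarc_fail": "dmarc=fail" in auth,
    }

def tag(raw):
    """Return the message with a warning banner prepended to its text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    banner = [BANNERS[k] for k, hit in assess(raw).items() if hit]
    if not banner or msg.get_content_maintype() != "text":
        return raw  # nothing to warn about, or not a plain text body we can edit
    body = msg.get_content()
    msg.clear_content()
    msg.set_content("\n".join(banner) + "\n\n" + body)
    return msg.as_bytes()
```

Note that the sample message passes the plain external check because its "From" claims the internal domain; only the envelope mismatch and DMARC verdict expose it, which is why the page asks for both controls.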

Enforce DMARC policy

Once you have a DMARC policy in place that identifies emails failing authentication, make sure those emails are sent to spam or rejected rather than delivered to the inbox.

Education Program

Build a program to educate your users and customers about how your organization will contact them. This training is especially important for anyone who can submit a payment.

Implement Phishing Training

Part of defending your company is knowing the weak spots in its defenses. Running a simulated phishing campaign can identify individuals who need more training.

Monitor your vendors

Your company isn't the only party your employees trust to send them email. Fraudsters can create domains similar to your vendors' and target you. Make sure you validate email coming from unexpected sources.

Monitor website referers

Sometimes phishing or other malicious websites that copy yours will redirect customers to your site. Knowing where your customers are coming from can help you identify a source that may be the bad guys!

Set a procedure for payment changes

Predetermine a method for your vendors or customers to change payment details. No exceptions to this policy should be allowed. This reduces the chance of social engineering succeeding.

Implement good policies

For those who handle payments, solid policies should be in place. If they receive an email requesting a payment or a change, ensure they verify the source of that email with an out-of-band authentication method, like a phone call to a known number for the contact. This can thwart social engineering tactics.