Ten ways to combat email compromise
It's time to take control of your email! Vendor Email Compromise (VEC) and Business Email Compromise (BEC) are leading methods that criminals use to fraudulently acquire funds. Implement the following at your business to reduce your risk and avoid adding to the already $2 billion in losses related to these scams each year.
Add a warning message to all incoming emails that are not from your company. This will help your employees identify emails that may be coming from a look-alike domain.
Actively monitor for new domains that could be targeting your customers or employees. These sites could be set up for phishing, spoofed email, or more! Services like DomainAlarm can provide alerts for this.
Ensure your email provider's anti-spoofing settings are strict. Settings should flag emails where the “From” address differs from the actual (envelope) sender.
Once you have a policy in place to identify emails that could be malicious, ensure they are routed to spam or deleted rather than delivered.
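The three items above (external banner, From-versus-sender checks, and disposition of flagged mail) can be expressed as one small header-inspection routine. The following is an added example written for this page, not code from the original article or from any mail provider; it assumes a placeholder company domain of example.com, three constructed messages, and an Authentication-Results header stamped by your own gateway.

```python
import email
from email.utils import parseaddr

# Assumed company domain; placeholder for this example only.
OUR_DOMAIN = "example.com"
BANNER = "[EXTERNAL] "


def addr_domain(header_value):
    """Lowercase domain of the first address in a header, or '' if absent/malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify(raw_message):
    """Decide what to do with one message from its headers alone.

    Returns (action, reasons): action is 'deliver', 'banner' or 'quarantine'.
    'banner' means the mail is external but internally consistent; 'quarantine'
    means the visible From disagrees with the sender-level headers or with the
    gateway's authentication results.
    """
    msg = email.message_from_string(raw_message)
    from_dom = addr_domain(msg.get("From"))
    reasons = []

    # Sender-level headers should agree with the visible From domain.
    for hdr in ("Return-Path", "Sender", "Reply-To"):
        dom = addr_domain(msg.get(hdr))
        if dom and dom != from_dom:
            reasons.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")

    # Results stamped by our own gateway (hard failures only; softfail/none are left to policy).
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            reasons.append(f"{mech} failed")

    # Anything claiming to be us must carry a DMARC pass from our gateway.
    if from_dom == OUR_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("claims our domain without a DMARC pass")

    if reasons:
        return "quarantine", reasons
    if from_dom != OUR_DOMAIN:
        return "banner", reasons
    return "deliver", reasons


def tag_subject(raw_message):
    """Return the Subject with the external banner prepended (idempotent)."""
    msg = email.message_from_string(raw_message)
    subject = msg.get("Subject") or ""
    return subject if subject.startswith(BANNER) else BANNER + subject


# Constructed sample messages (headers only) for demonstration.
INTERNAL = """From: Alice <alice@example.com>
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass
Subject: Lunch

see you at noon
"""

VENDOR = """From: Accounts <ar@supplier.net>
Return-Path: <ar@supplier.net>
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass
Subject: Invoice 1042

attached
"""

SPOOF = """From: CEO <ceo@example.com>
Return-Path: <bounce@mail-relay.net>
Reply-To: <ceo@examp1e.com>
Authentication-Results: mx.example.com; spf=fail dkim=none dmarc=fail
Subject: Urgent wire

please process today
"""

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL), ("vendor", VENDOR), ("spoof", SPOOF)):
        action, why = classify(raw)
        print(name, action, why)
```

The decision is deliberately conservative: a mismatch between the visible From and any of Return-Path, Sender or Reply-To is treated as a quarantine signal, and mail claiming your own domain is only delivered when your gateway recorded a DMARC pass. In a real deployment these rules map onto your provider's transport or routing rules; the code is only a readable statement of the policy.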
Build a program to educate your users and customers about how your organization will contact them. This is especially important training for anyone who can submit a payment.
Part of defending your company is knowing the weak spots in its defenses. Running a simulated phishing campaign can alert you to individuals who need more training.
Your company isn't the only sender your employees trust. Fraudsters can create domains similar to your vendors' and target you. Make sure you validate email coming from unlikely sources.
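Both the domain-monitoring item earlier on this page and the vendor look-alike item just above come down to the same question: does a domain imitate one you care about? The following added example (written for this page, not code from the original article or from DomainAlarm) generates common look-alike variants for a watchlist of your own and your vendors' domains, then checks a constructed feed of newly registered domains and a sender address against them. The domains example.com and acme-supply.com and the homoglyph table are assumptions for illustration.

```python
# Assumed domains to watch: our own plus key vendors (placeholders for this example).
WATCHED = ["example.com", "acme-supply.com"]

# Character swaps that look alike in common fonts (a small, illustrative table).
HOMOGLYPHS = {
    "l": ("1", "i"), "i": ("1", "l"), "o": ("0",), "e": ("3",),
    "a": ("4",), "s": ("5",), "m": ("rn",), "w": ("vv",),
}
EXTRA_TLDS = ("com", "net", "org", "co")
DECOY_WORDS = ("secure", "billing", "invoices", "payments")


def lookalikes(domain):
    """Generate look-alike variants of one registrable domain.

    Covers single-character omission, repetition, adjacent transposition,
    hyphen insertion, homoglyph substitution, alternative TLDs and
    'brand-word' decoys. Returns a set that excludes the original.
    """
    label, tld = domain.lower().split(".", 1)
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                          # omission
        labels.add(label[:i] + ch + label[i:])                         # repetition
        for sub in HOMOGLYPHS.get(ch, ()):
            labels.add(label[:i] + sub + label[i + 1:])                # homoglyph
        if i < len(label) - 1:
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            labels.add(label[:i + 1] + "-" + label[i + 1:])            # hyphenation
    variants = {f"{v}.{tld}" for v in labels if v}
    variants |= {f"{label}.{t}" for t in EXTRA_TLDS if t != tld}
    variants |= {f"{label}-{w}.{tld}" for w in DECOY_WORDS}
    variants |= {f"{w}-{label}.{tld}" for w in DECOY_WORDS}
    variants.discard(domain.lower())
    return variants


def build_watchlist(domains=WATCHED):
    """Map every look-alike variant back to the legitimate domain it imitates."""
    table = {}
    for legit in domains:
        for variant in lookalikes(legit):
            table[variant] = legit
    return table


def flag_new_registrations(newly_registered, table=None):
    """Domain monitoring: check a feed of newly registered domains against the watchlist."""
    if table is None:
        table = build_watchlist()
    return {d: table[d.lower()] for d in newly_registered if d.lower() in table}


def imitated_vendor(sender_address, table=None):
    """Vendor validation: which watched domain, if any, does this sender's domain imitate?"""
    if table is None:
        table = build_watchlist()
    domain = sender_address.rpartition("@")[2].lower()
    return table.get(domain)


# Constructed feed of "newly registered" domains for demonstration.
NEW_REGISTRATIONS = [
    "examp1e.com", "acme-supply.co", "exarnple.com", "unrelated.org",
    "example-billing.com", "secure-acme-supply.com",
]

if __name__ == "__main__":
    for hit, target in flag_new_registrations(NEW_REGISTRATIONS).items():
        print(f"{hit} imitates {target}")
    print(imitated_vendor("invoices@acme-supp1y.com"))
```

The permutation table is intentionally small; a production monitor would also cover Unicode confusables and vowel swaps, and would feed the watchlist into both a registration-feed check and the mail gateway so that mail from a look-alike vendor domain is held for the out-of-band verification described further down.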
Sometimes phishing or other malicious websites that copy yours will redirect customers on to your real site. Knowing where your customers are coming from can help you identify a source that may be the bad guys!
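One way to act on the point above is to review the Referer field in your web server's access log for hosts you do not recognise, and to look among them for ones that resemble your brand. The following is an added example for this page (not code from the original article); it assumes a combined-format access log, a constructed allowlist of expected referers, a brand keyword of "example", and five constructed log lines.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed allowlist of referer hosts we expect to see (placeholder values).
KNOWN_REFERERS = {"example.com", "www.example.com", "google.com", "www.google.com", "bing.com"}


def referer_host(ref):
    """Hostname of a Referer value, or '' for empty / '-' / unparseable."""
    if not ref or ref == "-":
        return ""
    return (urlsplit(ref).hostname or "").lower()


def unknown_referers(lines, known=KNOWN_REFERERS):
    """Count hits per referer host that is not on the allowlist."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host = referer_host(m.group("ref"))
        if host and host not in known:
            counts[host] += 1
    return counts


def normalize(host):
    """Undo the commonest homoglyph swaps so 'examp1e' and 'exarnple' both read 'example'."""
    return host.lower().replace("rn", "m").replace("1", "l").replace("0", "o").replace("vv", "w")


def brand_impersonators(counts, brand="example"):
    """Unknown referer hosts whose normalized name contains our brand keyword."""
    return sorted(h for h in counts if brand in normalize(h))


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 512 "https://examp1e-login.net/verify" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:09:12:05 +0000] "GET /login HTTP/1.1" 200 512 "https://examp1e-login.net/verify" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2024:09:13:10 +0000] "GET / HTTP/1.1" 200 1024 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:09:14:22 +0000] "GET /account HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2024:09:15:30 +0000] "GET /login HTTP/1.1" 200 512 "http://secure-example-portal.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    counts = unknown_referers(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{n:4d}  {host}")
    print("brand look-alikes:", brand_impersonators(counts))
```

Referer is easily stripped or forged, so treat a hit as a lead to investigate (visit the host from an isolated machine, check its registration date, report it for takedown), not as proof on its own. Landing pages that are typically reached only after a login step, such as an account page arriving with an unknown referer, are the most telling.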
Predetermine a method for your vendors or customers to change payment details. No exceptions to this policy should be allowed. This will reduce the chance of social engineering.
For those who handle payments, solid policies should be in place. If they receive an email requesting a payment, ensure they verify the source of that email with an out-of-band authentication method, like a phone call to a known number for the contact. This can thwart social engineering tactics.