Road Hazards Ahead for UM Community Cybersecurity

Following the warning signs and taking the right actions is crucial to avoiding one of the most treacherous threats facing organizations today: Business Email Compromise (BEC). This type of damaging cyberattack has been on the rise, targeting universities and individuals alike. Understanding BEC and how to protect against it is essential for maintaining the security of our UM digital community and infrastructure. 

What is Business Email Compromise? 

Business Email Compromise is a sophisticated scam that targets both organizations and individuals by compromising legitimate business email accounts. Cybercriminals use various tactics, such as phishing, social engineering, and malware, to gain access to email accounts. Once they have control, they can manipulate email communications to deceive recipients into divulging sensitive information or gaining access to critical UM systems. 

How Does BEC Work? 

The typical BEC attack follows a series of steps: 

1. Initial Compromise: Attackers often send phishing emails that appear to come from trusted sources, such as colleagues or university departments, to trick recipients into revealing their login credentials. 

1. Account Takeover: Once the attackers have obtained the login credentials, they gain access to the victim’s email account, monitoring it to understand communication patterns and identify potential targets. 

1. Deception and Manipulation: Using the compromised account, attackers send fraudulent emails to colleagues, students, or external partners, which often appear credible because they come from a legitimate account. 

1. Financial Loss and Data Breach: If the recipients fall for the scam, they may transfer funds to the attackers’ accounts, provide sensitive information, or grant access to systems, leading to significant financial losses and data breaches. 

How does UM try to avoid the potholes and icy patches of BEC? 

To safeguard against BEC, UM institutes the following best practices: 

• Education and Awareness: Awareness is the first line of defense. Educating staff and students about the risks of BEC and how to recognize phishing attempts.  

• Multi-Factor Authentication (MFA): Implementing MFA for email accounts and systems to add an extra layer of security. Even if attackers obtain login credentials, they will need a second form of verification to access the account. 

• Email Filtering and Monitoring: Using advanced email filtering solutions to detect and block suspicious emails. Monitor email accounts for unusual activity, such as login attempts from unfamiliar locations. 

What can I do to help protect the UM and my personal information? 

Here are some essential tips to help users avoid falling victim to Business Email Compromise (BEC) scams. 

• Verify Requests Independently: Always verify any email request for sensitive information or financial transactions through other means, such as a phone call or in-person verification. Never rely solely on email for confirmation 

• Be Cautious with Email Addresses: Carefully examine the sender’s email address for slight variations that could indicate spoofing.  

• Limit Information Sharing: Be mindful of the information you share on social media and company websites. Scammers often use publicly available information to craft convincing phishing emails. 

• Be Wary of Urgent Requests: Scammers often create a sense of urgency to prompt quick action without verification. Always take a moment to verify the legitimacy of urgent requests. 

• Report Suspicious Activity: Encourage employees to report any suspicious emails or activities immediately. Quick reporting can help mitigate potential damage and prevent further attacks. 

Business Email Compromise is a serious threat that requires taking preventative and defensive  measures to prevent. As we continue to embrace digital transformation, staying vigilant and informed is key to maintaining a secure and resilient cyber environment at UM. 

IST Communications