Skip to main content

What do you get when you combine a growing industry with thriving businesses? An incredible opportunity for cyber criminals to have success with email fraud.

Overall, the numbers are scary. The FTC states that one in four people reported losing money to scams, with email being the number one contact method for scammers.

Business email compromise takes it to another level. Business email compromise, or BEC, are phishing attacks where the criminal impersonates an employee on staff, usually someone in authority. The email is sent out to employees to try and trick them into releasing sensitive information, wiring payments to unknown bank accounts and sources, thus making it difficult to retrieve the money.

BEC attacks are increasing in popularity among cybercriminals. Statistics show that in 2022, they increased by 81 percent, making them the largest growing threat in this type of cybercrime.

What makes business email compromise so dangerous for a cannabis business is it exploits the trust you’ve built up. You use email for many different functions. And when something comes from the top down, your employees answer. That could cost you everything.

In many cases, BEC attacks move undetected from beginning to end before they’re recognized. That allows attackers to siphon off large sums of money, compromising every business relationship you’ve built up.

And because this looks like it’s coming from a trusted resource, it makes it that much more challenging to find the source. If not found quickly, the damage continues as the attacker accesses more accounts.

Like every potential cyber attack, there are steps you can put in place to thwart the activity before it occurs. Diligence always starts with a plan.

Step 1: Check email addresses

Even the smallest changes can appear legitimate at first glance. I’s become 1’s, and O’s become 0’s. If an email asks for anything financial, it’s always a good idea to verify it comes from the source.

Step 2: Critical thinking

Most employees jump when someone at the top asks for something. But just a moment of critical thinking can lead to second thoughts. Is this how they normally speak in an email? Is this a standard request? When in doubt, check it out. It can save you a lot of time, energy, and money.

Step 3: Use multi-factor authentication

In business, be sure to enable multi-factor authentication in order to access your email. This adds a little more protection against would-be attackers.

Step 4: Monitor the email exchange

Your email exchange server may be very busy with messages, but it’s wise to check frequently for changes to the configuration. Craft rules that alert you to system changes. Create a well-defined process for monitoring the system. It’s one of the easiest ways to be alerted to potential problems.

Step 5: Add banners to incoming messages

When messages come from external resources, add warning messages as a banner at the top of each email. This puts employees on alert as they consider the message. Even with this in place, employees can click, so it’s equally important to be educating them regularly.

Step 6: Create security features to block malicious email

Use features that provide protection against phishing and email spoofing. Companies often buy added security features from their third-party platforms without enabling them. Use every resource you have for an extra layer of protection.

Step 7: Encourage employees to ask questions

Yes, management is often busy. Email verification may seem like a waste of time, especially if it’s truly sent out by management. Training works both ways – if you thank employees for being wary and protecting your assets, you’ll have more security in place. It’s worth the potential risk just to answer a few emails or phone calls.

Step 8: Report all fraud

Don’t chalk any acts of cybercrime up to experience. Report any online fraud to the Internet Crime Complaint Center. This gives them a chance to gain insight into every approach.

What’s Next?

Every day in the cannabis industry, new things are waiting to be learned: new business practices, new relationships to build, and new opportunities to explore. Yet some of them can leave you vulnerable; this is why you need a plan.

Plans don’t have to be complex, expensive, or time-consuming. They can be carefully crafted step-by-step practices that are easy to implement.

But it does start with action. Are your emails protected?

For IT Strategy, Security and Compliance, or Help Desk Services, reach out to us at Cannabis Technology Partners 360-450-4759.