Payment Best Practices: Verify Vendors, Confirm Payment Requests
The best way to combat BEC, according to the FBI, is to first verify you are working with a legitimate vendor. This can be done by only dealing with companies that:
- Hold the copyright, trademark, or patent to the merchandise in question
- Use reputable companies (Best Buy, Staples, etc.) for all purchases
- Have a physical address, working email and phone number
Once you have decided on a set of selected vendors, the FBI recommends creating a master vendor list; this list should be controlled/updated by someone who cannot also write checks or disburse funds. When a vendor request comes in, invoice information should be compared to the master list. Additionally, invoices over a certain dollar amount should automatically require additional verification — calling the phone number on the official vendor list, contacting a supervisor, or both. Incoming messages from supervisors that contain unusual requests or arrive outside the usual communication channels should also be confirmed through an established channel.
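The master-list comparison and dollar-threshold rule described above, as an added example (not code from the FBI guidance or from InfoSec Institute): a Python check that holds any invoice whose sender domain or bank account differs from the master entry and flags large amounts for call-back verification. The vendors, phone numbers, account identifiers and the threshold are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str   # domain the vendor's invoices legitimately come from
    phone: str          # call-back number taken from this list, never from the invoice
    bank_account: str

# Constructed sample master vendor list (hypothetical vendors). In practice it is
# maintained by someone who cannot also write checks or disburse funds.
MASTER_VENDOR_LIST = {
    "acme supplies": Vendor("Acme Supplies", "acme-supplies.com", "+1-555-0100", "ACCT-1111"),
    "northwind office": Vendor("Northwind Office", "northwind.example", "+1-555-0101", "ACCT-2222"),
}
EXTRA_VERIFICATION_THRESHOLD = 10_000.00  # assumed policy threshold in dollars

@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    sender_email: str
    bank_account: str
    amount: float

def check_invoice(invoice, master=MASTER_VENDOR_LIST, threshold=EXTRA_VERIFICATION_THRESHOLD):
    """Compare an incoming invoice against the master vendor list.

    Returns (decision, reasons): 'reject' if the vendor is not listed, 'hold' if
    the sender domain or bank account differs from the list (the typical BEC
    change-of-details pattern), 'verify' if the amount meets the threshold,
    otherwise 'approve'.
    """
    vendor = master.get(invoice.vendor_name.strip().lower())
    if vendor is None:
        return "reject", ["vendor not on the master vendor list"]
    reasons = []
    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        reasons.append(f"sender domain '{sender_domain}' is not '{vendor.email_domain}'")
    if invoice.bank_account != vendor.bank_account:
        reasons.append("bank account differs from the master list entry")
    if reasons:
        reasons.append(f"confirm by calling {vendor.phone} from the master list and notify a supervisor")
        return "hold", reasons
    if invoice.amount >= threshold:
        return "verify", [f"amount {invoice.amount:,.2f} meets threshold; call {vendor.phone} or confirm with a supervisor"]
    return "approve", []
```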
Educate & Prepare Your Workforce With Security Awareness Training
The best way to ensure these vendor payment policies are implemented is to invest in a program that will both educate employees and assess company-wide security awareness. To help you create, implement and enforce an effective BEC policy, InfoSec Institute created SecurityIQ, an awareness training and phishing simulation program. It offers hundreds of modules on a variety of subjects tailored to employee role and security aptitude. Topics include phishing, BEC, social engineering and much more. SecurityIQ also lets you create and distribute mandatory security policies through the platform, which employees can be required to sign off on before starting any courses. This ensures they both know about and agree to company requirements.

You can also use PhishSim™, the SecurityIQ phishing simulator, to monitor employee phishing susceptibility. It includes 800+ phishing templates in multiple languages and difficulty levels — including 20 BEC phishing simulations. PhishSim is powered by SecurityIQ analytics, so you can adjust simulation difficulty based on your team’s aptitudes, roles and past performance. If your team takes the bait, they will learn exactly what they missed in real time. SecurityIQ analytics will log the event and enroll high-risk employees into additional training.

Additionally, PhishSim recently introduced PhishNotify Defender™, an email plugin that adds a further layer of defense. Any users that fail simulations can have their email permissions dynamically modified so that they cannot click on any further links; PhishNotify also works as a tool for other employees to flag any incoming suspicious emails for quarantine.

As a whole, SecurityIQ will provide the training needed to help your workforce identify and prevent BEC attacks. To request a free 30-day SecurityIQ trial, visit securityiq.infosecinstitute.com or call 866.471.0059.