How to avoid Business Email Compromise fraud
Keeping a small business going and growing is hard enough without having to deal with malicious attacks from online fraudsters. You want to focus on your customers and goals, but the threats are still out there — and email is a key battleground.
One of the most dangerous threats to email security is now Business Email Compromise, or BEC. But what exactly is it? What are the main threats? And how do you fight them?
What is Business Email Compromise?
Business Email Compromise definitions can vary. Some experts suggest it covers a range of criminal scams, including password hacking and malware attacks. Others see it as purely based on social engineering techniques including tricking an actual person.
What everyone agrees on, though, is that people are the main gateway. It’s more than just tech attack vs. tech defense. People who have access to sensitive information are the primary targets, and there’s a range of ways to trick them — which we’ll cover a bit later.
Is small business at risk from Email Compromise?
We may hear lots about how highly-organized criminals are taking big businesses for millions of dollars, but small to mid-sized businesses are increasingly at risk. Statistics show that 43% of cyberattacks hit small businesses — according to the latest Verizon Data Breach Investigations Report. That number continues to grow, too.
Plus, big businesses usually have equally big bank accounts to dip into should the criminals strike. Smaller businesses don’t have such deep pockets. One successful attack, and there’s less chance of you bouncing back.
Why attack email?
Email is one of the easiest ways for bad guys to grab either sensitive data or money. Those messages we all fire off and receive daily have become so ubiquitous that it’s easy to forget how much sensitive information is stored within them.
Passwords, account info, customer data, business financials… Your inbox is probably a treasure chest of information that fraudsters would love to get their hands on. When you consider that this info might not only be used to defraud you but also your employees, customers, and partners too, it becomes less of a treasure chest and more like an entire bank vault.
Risks associated with Business Email Compromise fraud for small businesses
Whatever your business size, being compromised poses huge risks. However, where big businesses can afford occasional data breaches, smaller companies could find it tougher to bounce back.
If attackers gain control of the email systems of a small business, it could cause the following:
- Financial losses: a hacker can spoof an employee’s email account and pose as them, sending scam emails to colleagues (or even vendors and business partners) asking for money or instructing them to enter credit card credentials.
- Reputational damage: after a business’ email is compromised, the company may seem less trustworthy to its customers. Lack of trust may lead to an inability to attract new customers or maintain good relationships with partners.
- Legal issues: when the business’ email system is compromised, it could be easy for criminals to access customers’ data. If it is leaked or stolen, the business will be responsible for the damage, and could be the subject of a fine or other legal action.
How does Business Email Compromise work?
A typical Business Email Compromise attack will target one or more employees. Essentially it’s a type of targeted phishing scam with the bad guys pretending to be high-level managers, legal representatives, CEOs, or other C-Suite execs — often someone an employee feels they shouldn’t challenge.
The most straightforward type of attack is to create an email address that’s similar to the target company’s domain name or simply hack into the real one. The email then tricks an employee into handing over sensitive data or carrying out a financial transaction — often stating the action is “urgent” and can’t wait. They’re designed to add pressure and exploit our emotions, like fear and trust.
These scams can be very damaging to both large and small businesses alike. Small to mid-size companies increasingly rely on remote team members and contractors, plus regular but small-time suppliers. Not only is email the main form of communication, but the trust that’s implicit within smaller teams and business networks can often mean people act without question.
Types of Email Compromise attacks
Just like cybercrime in general, these types of attack are ever-evolving, but the most common forms you might come across are the following:
- Business Executive Scam: as outlined above, scammers pretend to be high-level execs or legal representatives who need a time-sensitive transfer.
- Supplier Swindle: fake invoices are received via email from what looks like trusted or regular suppliers — except the money will go to the fraudster’s account.
- Account Compromise: a bit like the “Supplier Swindle” in reverse, with an employee’s email being compromised and used to ask for payment from others.
- Data Theft: often targeting HR teams, this approach is designed to get sensitive data such as employee tax or salary details — used for larger future attacks.
Now it’s getting personal
The above examples may be the most common Business Email Compromise cases, but attacks are increasingly incorporating more sophisticated techniques. Criminals are now doing more extensive research on individuals to create clearer profiles, helping them discover the best way to target people through email.
A typical Business Email Compromise example might now involve criminals looking at your social media output. Perhaps they spot that you often attend professional networking events or that you will be attending one soon. That “I’m looking forward to…” post on LinkedIn seemed so harmless, right?
As soon as they know what you like or where you’re going to be, they can email you a fake invite or updated itinerary loaded with links that could compromise your computer — and your company network. Once they’ve broken into your system, just think of the damage they could do with all those email addresses, financial records, and customer details.
How to spot and stop attacks
A big part of Business Email Compromise Fraud protection is to stay alert to the threats that can come via your email, and to train your employees to do the same. Prevention is way better than cure. So it’s essential to be wary of any “urgent” payment transfers, or anyone asking for sensitive data — no matter who they are.
If you think you’ve received a fraudulent email but aren’t 100% sure, here’s a quick checklist to help you make the right decisions:
- Check sender: hover over the sender’s name and check if it’s their legit email address — just because you recognize the name doesn’t mean it’s really them.
- Check recipients: take a look at the number of people the email is addressed to — lots of random recipients could mean a phisher trying their luck.
- Check spelling: scan for obvious typos and errors that wouldn’t normally occur, which can often be a giveaway — especially in official-looking emails.
- Check links: hover over any hyperlinks to check exactly where they lead before actually clicking them — does the destination look right?
- Check attachments: don’t simply open, look for suspicious file names or types — EXE files are common for attacks, as is using ZIP files or RAR archives to hide them.
It’s also very common for these fraudulent emails to come through at the end of the working week. That’s when brains are tired and time is even more sensitive. But a quick DM or phone call to the requester (just to double-check it’s really them) all it takes to verify a request is genuine.
Remember that you may not be the only one targeted, so always report suspicious activity to the appropriate team member or file a complaint with the IC3. Even if you didn’t fall for the scam, someone else might. So don’t simply send scam emails straight to the Trash folder.
The importance of Two-Factor Authentication
One key way of helping to stop the business email scammers in their tracks is through two-factor authentication (2FA). Why is 2FA so important for business email? In a nutshell, because it requires a separate one-time code that confirms your identity while logging in. Often sent via SMS/text, it offers an extra layer of security on top of your username and password. It means your account is far less likely to be hacked and/or then used to scam others.
Make sure you have 2FA set up for your business. Most good email providers should offer this as standard these days. Namecheap, for example, adds 2FA for free with all Private Email packages. But be sure to check it’s available with your current email provider.
In the end, it still comes down to people
People should be every company’s greatest asset. Where business email security is concerned, they can also be the weakest link. That’s why it’s important to not only keep email security tip-top, but to stay vigilant to the increasing amount of threats that can easily hit your inbox and compromise your business.