In 2020, the accounting department of a financial institution received an email, purportedly from the CEO, requesting that a scheduled $1 million transfer payment be expedited and sent to a new payment account “due to the coronavirus outbreak.”
What the accounting department missed was the email sender’s address, which looked like the CEO’s except with one letter changed. They transferred the money, and a scammer made off with it before the deception was discovered.
The company was the victim of a “business email compromise” scam, an attack similar to phishing that targets businesses. Such cons were responsible for more than $1.8 billion in financial losses for affected businesses in 2020, according to the FBI’s Internet Crime Report.
To protect their assets from such attacks, businesses need a clear understanding of business email compromise—what it is, how it works, how to identify it, and what steps to take to prevent it from occurring.
What is business email compromise?
Business email compromise (BEC) is a type of cyberattack designed to trick business executives into sharing sensitive information that can be used to defraud companies, especially those that send a high volume of wire transfers. Executives with high-level access to accounting and finance functions are the most valuable targets.
How does it work?
BEC attacks are similar to phishing exploits, where scammers send fraudulent emails claiming to be from legitimate organizations with the goal of stealing personal information such as credit card numbers or computer passwords. Where phishing attacks generally target individuals, BEC attacks use tactics specifically aimed at businesses.
Types of business email compromise
BEC attackers employ a variety of approaches to trick companies, and users should be wary of each of them. According to the FBI, some of the most common tactics include:
- Fake Invoices: Scammers send emails purportedly from the organization’s vendors or suppliers requesting payment or fund transfers to a fraudulent account controlled by the scammer.
- Impersonations: BEC scammers send emails that appear to have come from the organization’s CEO, other high-level executives, or even an important outside vendor, such as the company’s law firm. They request immediate transfer of funds to a fraudulent account.
- Account or data compromise: Scammers spoof the email addresses of employees within the organization’s HR or finance departments to request payments from vendors or to obtain the personal information of employees that can be used in other attacks, such as impersonations.
How to prevent business email compromise
1. Learn to recognize them
BEC scams have common characteristics. Once employees are aware of them, it can be easier to spot attacks and mitigate the risks they pose. Among the warning signs:
- Emails that ask for a quick turnaround: These emails tell recipients that an action must be taken before the end of the business day, falsely creating a sense of urgency that can fool otherwise savvy employees.
- Emails that threaten to deactivate an account or shut down service if an action is not taken: Similarly, employees are tricked into focusing on the imminent result of their inaction, without asking questions or investigating further.
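The warning signs above, together with the one-letter-changed sender address from the opening story, can be turned into a simple mailbox check. The following is an added example written for this page, not code from the article or the FBI report; the trusted domain, the keyword list and the sample messages are constructed placeholders.

```python
import re
from typing import List, Optional

# Constructed placeholder for the organization's real mail domain.
TRUSTED_DOMAIN = "example-bank.com"
# Phrases that match the article's warning signs: quick turnaround, threats of
# deactivation or shutdown, and pressure to act immediately.
URGENCY_PATTERNS = [
    r"\bbefore (the )?end of (the )?(business )?day\b", r"\bimmediately\b",
    r"\burgent\b", r"\bexpedite\b", r"\bdeactivat", r"\bsuspend", r"\bshut ?down\b",
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is the 'one letter changed' lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(addr: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare address."""
    return addr.rsplit("@", 1)[-1].strip(">").strip().lower()

def bec_flags(from_addr: str, reply_to: Optional[str], body: str) -> List[str]:
    """Return the BEC warning signs present in one message (empty list = none)."""
    flags = []
    dom = sender_domain(from_addr)
    # Near-miss of the trusted domain: the CEO-lookalike address from the article.
    if dom != TRUSTED_DOMAIN and edit_distance(dom, TRUSTED_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain {dom}")
    # A Reply-To that routes answers elsewhere is a common spoofing tell.
    if reply_to and sender_domain(reply_to) != dom:
        flags.append("reply-to differs from sender")
    lowered = body.lower()
    if any(re.search(p, lowered) for p in URGENCY_PATTERNS):
        flags.append("urgency or threat language")
    if re.search(r"\b(new|updated|different) (bank|payment|wire)? ?account\b", lowered):
        flags.append("request to change payment account")
    return flags

if __name__ == "__main__":
    # Constructed sample modelled on the article's opening story.
    body = ("Please expedite the scheduled $1 million transfer and send it to the new "
            "payment account before end of day due to the coronavirus outbreak.")
    print(bec_flags("CEO <ceo@examp1e-bank.com>", None, body))
```

A message that trips two or more flags is a good candidate for the verbal-approval step the article recommends, rather than an automatic block.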
2. Tighten email security and controls
BEC relies heavily on quick responses and simplicity. Putting extra security measures in place can guard against email hacks and force employees to stop and consider the request. Two-factor authentication, application-based multifactor authentication, and virtual private networks (VPNs) that use a secure, encrypted connection can reduce the risk from BEC attacks.
3. Improve accounting systems and protocols
Since BEC counts on employee misjudgment, examining certain workflows for vulnerabilities can improve security. For example, after detecting a possible email vulnerability, consider implementing a process to always require verbal approval for large wire transfers.
Once a procedure is established, help employees understand the process and how, when, and under what circumstances deviating from it is acceptable.
4. Foster a culture of openness and approachability
Making sure employees understand the risks of business email compromise, and helping them feel they have the tools to identify them, can help reduce the threat’s impact. Another important consideration is building a culture of communication.
Business email scams thrive on one-sided power dynamics and siloed business structures, where authority is unquestioned and departments don’t talk to each other. When the accounting department feels free to call the CEO to question a dubious transaction, a scam is less likely to work.
Distributed workforces, such as those that have become common during the COVID pandemic, can be a particularly fertile environment for business email compromise scams. As a result, organizations need to invest in their company’s culture of communication.