What You Need to Know:
You’ve heard the old saying: “Don’t open an email from someone you don’t know.” You assume your employees understand how to spot a phishing scam and won’t click on suspicious hyperlinks or open unknown attachments.
But what if they receive an email that appears to come from your financial adviser, a trusted vendor or even you?
Business email compromise (BEC) has become increasingly popular amongst cybercriminals seeking money and personal information from companies. Scammers target businesses that utilize wire transfers and companies that rely on foreign suppliers and third-party vendors or customers. Impersonating these existing, trusted business relationships makes BEC almost impossible to detect and difficult to manage after the fact.
Today, the U.S. Federal Bureau of Investigation (FBI) notes that BEC is one of the most common scams, causing more than $43 billion in losses worldwide since 2016. BEC and related phishing scams are now the greatest cause of data breaches, outpacing ransomware attacks.
Four Methods of Business Email Compromise Scams
The difficulty in detecting BEC lies in the way scammers use existing professional relationships to gain access to a business’ funds or personal information. Criminals use BEC to execute four specific types of scams.
Method #1: Business Executive Scam
Scammers will use an executive’s email address to contact an employee responsible for your company’s finances, requesting a large wire transfer into their fake accounts. Fraudsters will usually indicate that the transfer must be done urgently and quietly. Since most businesses rely on email as the main channel of communication between employees and departments, this type of BEC is usually detected only after the transfer has occurred.
Method #2: Bogus Invoice Scam
The second method targets your customers or third-party vendors, hoping to collect their money through false invoice requests. Fraudsters can hack into your employees’ emails and send out urgent invoices, similar to the method used with overseas suppliers.
Method #3: Supplier Swindle Scam
The third method targets a company’s foreign suppliers or overseas vendors in hopes of getting wire transfers authorized to a fake account. Criminals hack into a supplier’s email account and request a wire transfer to a “new” account, disclosing that the supplier’s location overseas has moved or changed.
Method #4: Personal Data Scam
Unlike the first three methods, this final method focuses on stealing employees’ personal information. Fraudsters target human resources email accounts to obtain personally identifiable information (PII), specifically W-2 information. Emails are sent from an HR representative’s hacked email account to other employees, asking them to either provide or verify their sensitive information.
Tips to Protect Your Business
Business email compromise scams can have many layers of potential compromise and can impact anyone associated with a business. By following these tips, you can help keep yourself, your employees and vendors in the know about BEC and other business scams:
- Develop and implement a company-wide security awareness program. Make it everyone’s business to protect company information.
- Don’t rely on email alone for transfers. Confirm requests for transfers of funds by using phone verification or face-to-face meetings. Use known phone numbers to authenticate transfer requests and verify the requests in person whenever possible.
- Carefully scrutinize all email requests regarding the transfer of funds. Check the sender and reply-to addresses for small, out-of-the-ordinary variations from the addresses you normally deal with.
- Harden your networks, especially for mobile. Threats to mobile devices may include spyware, unsecured Wi-Fi connections, and even fake networks. As employees use personal mobile devices for business email and other work purposes, cyberthieves often target them to create gateways into your network.
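As an added example of the address-scrutiny tip above (this is not code from the original article), the following Python check flags sender domains that are near-copies of known partner domains and Reply-To headers that point somewhere other than the From domain. The trusted domain list and the sample message are constructed for the example.

```python
# Added example: flag BEC-style sender spoofing by checking From/Reply-To
# against a list of known partner domains. All domains below are constructed.
import email
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}  # constructed list

# Digit-for-letter swaps and a few Cyrillic lookalikes, folded back to ASCII.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o"})

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (classic row-by-row DP); inputs are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address: str) -> str:
    """Extract the lower-cased domain from a header value like 'Name <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def check_sender(raw_message: str) -> List[str]:
    """Return BEC warning strings for one RFC 822 message (empty list = no finding)."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    for dom in {from_dom, reply_dom}:
        if dom in TRUSTED_DOMAINS:
            continue  # a genuine partner domain is not a lookalike
        folded = dom.translate(HOMOGLYPHS)
        for trusted in TRUSTED_DOMAINS:
            # Identical after homoglyph folding, or within two edits: lookalike.
            if folded == trusted or _edit_distance(folded, trusted) <= 2:
                findings.append(f"lookalike domain {dom!r} resembles trusted {trusted!r}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    return findings

# Constructed sample: executive display name, digit-swapped domain, and a
# Reply-To that diverts replies to an unrelated mailbox.
SAMPLE = ("From: Jane Doe CEO <jane.doe@examp1e-corp.com>\r\n"
          "Reply-To: jane.doe@webmail.example\r\n"
          "Subject: Urgent wire transfer\r\n\r\nPlease wire today, keep this quiet.\r\n")
```

Run `check_sender(SAMPLE)` to see both findings; a message whose From and Reply-To domains are both in TRUSTED_DOMAINS returns an empty list.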