Business Email Compromise (BEC) Has Become One of the Most Financially Damaging Cybercrimes

mPowered IT Blog Post - Business Email Compromise (BEC) Has Become One of the Most Financially Damaging Cybercrimes

Business owners should no longer be thinking about cybercrime as something perpetrated by a lone wolf. Cybercrime is now organized crime. Small businesses are the most vulnerable. Business Email Compromise (BEC) is one of the latest and costliest schemes.

What is Business Email Compromise?

In a BEC attack, a cybercriminal spoofs a business email account and pretends to be someone your employees know and trust. They make seemingly normal requests that most people would not question.

These business email imposters do their homework – they research businesses online and use what they find to exploit the business. They get information about managers and employees from social media. They put malware into the company’s computer network, which feeds them all kinds of useful information. So, when they’re ready to strike, everything they do seems normal and legit.

Gone are the days when spoof emails reeked of fraud and were easy to sniff out. BEC is careful, deliberate, and so well researched that it takes a great deal of scrutiny to recognize it.

The financial damage can be substantial. Unlike ransomware, where you do have a choice of whether to pay to get your data back (you can refuse), with BEC, it’s more likely that you’re out the money before you realize you’ve been scammed. It may be a large expenditure you were planning on making, but the funds for it were diverted to the criminals.

How Can You Spot a Business Email Compromise?

It’s important to train your employees to be on the lookout for BEC, and to always stop and think before sending any personal or sensitive information out via email. That includes names, addresses, contact info, purchase order numbers, Social Security Numbers, date of birth, etc. Employees in HR, purchasing, accounting, or anyone involved in the company’s financials should be especially vigilant. 

The email may appear to be from the CEO, business owner, or manager asking an assistant to purchase gift cards as client gifts, and then to send back the serial numbers of those cards. Often BEC scams appear to come from a higher-up at the company, asking an employee to take care of something for them because they're busy with something else. That may involve a wire transfer of funds.

Or it may be an email that looks like it’s from an employee to HR updating banking information – so that the criminal receives that employee’s direct deposit. 

It could be an invoice from a known vendor with an updated mailing address so that the scammer receives the pay instead of the vendor.

With a little awareness, employees can start paying attention to that feeling that something's not quite right and trust their own instincts. Here are some common BEC red flags to watch out for:

  • Check the email address

The spoofed email address may use a domain that is very close to, or looks identical to, the domain your business uses. A lookalike domain that differs by only a character or two is easy to miss at a glance, so read it carefully. If the domain name is correct, is the name in front of it also correct? If the address you see is not the one that person normally sends from, that's a red flag.

  • Check the content

A lot of BEC emails are more demanding than legit emails. There may be a sense of urgency, or even a threat. It may be polite, such as “Please take care of this right away so your account won’t be shut down.” Any email that seems oddly urgent should be checked out. Do not reply to the email, but call the sender, using a phone number you already have, not one that’s in the email. Or, start a new email to this person, using the address you already have.

If the writing of the email or the nature of the request just doesn’t sound like something that person would say or be asking for, even if it seems just a little off, trust your instincts. It’s better to take a moment to check with the person sending the email than to fall into a trap. 
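As an added illustration (not code from the post or from mPowered IT), the following Python script applies the two checks above, the sender's address and the content, to an inbound message. It flags a sender domain that is only a confusable character or two away from a trusted one, a known display name paired with an address that person does not normally use, and the urgency or payment-change phrasing the post describes. The domains, contacts, keyword list and sample messages are all constructed for the example; a real deployment would use the organisation's own directory and a public-suffix list instead of the two-label shortcut used here.

```python
import re
from email.utils import parseaddr
from typing import Optional

# Constructed reference data: the organisation's own domain and the contacts
# whose mail usually carries money or data requests.
TRUSTED_DOMAINS = {"example-corp.com"}
KNOWN_SENDERS = {
    "jane ceo": "jane.ceo@example-corp.com",
    "acme vendor billing": "billing@acme-vendor.example",
}
# Phrases typical of a BEC ask: urgency, gift cards, wire or payment-detail changes.
URGENCY = re.compile(
    r"\b(urgent|right away|immediately|asap|wire transfer|gift cards?|"
    r"serial numbers?|updated? (banking|bank account|direct deposit)|"
    r"new (bank|mailing) address)\b",
    re.IGNORECASE,
)
# Visually confusable substitutions seen in lookalike domains (illustrative list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable(domain: str) -> str:
    """Last two labels of a domain (simplification; real code uses a public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold confusable characters and separators so lookalikes collapse onto the real name."""
    s = registrable(domain)
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s.replace("-", "").replace(".", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two domains means 'one typo apart'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted/known domain this one imitates, or None if exact or unrelated."""
    refs = TRUSTED_DOMAINS | {addr.split("@")[1] for addr in KNOWN_SENDERS.values()}
    if any(registrable(domain) == registrable(ref) for ref in refs):
        return None  # exact match with a domain we trust: not a lookalike
    for ref in refs:
        if levenshtein(normalize(domain), normalize(ref)) <= 2:
            return ref
    return None


def assess(from_header: str, subject: str, body: str) -> dict:
    """Score one message against the red flags: address, display name, and content."""
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []
    ref = lookalike_of(domain)
    if ref:
        flags.append(f"sender domain {domain!r} looks like {ref!r}")
    expected = KNOWN_SENDERS.get(display_name.strip().lower())
    name_mismatch = bool(expected) and addr != expected
    if name_mismatch:
        flags.append(f"display name {display_name!r} normally sends from {expected!r}, not {addr!r}")
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(subject + " " + body)})
    if hits:
        flags.append("pressure/payment language: " + ", ".join(hits))
    if ref or name_mismatch:
        verdict = "suspicious"
    elif hits:
        verdict = "review"  # sender checks out, but it is still a money/data ask: phone them
    else:
        verdict = "ok"
    return {"verdict": verdict, "flags": flags}


# Constructed sample messages (header, subject, body).
SAMPLES = [
    ('"Jane CEO" <jane.ceo@examp1e-corp.com>', "Urgent request",
     "I'm stuck in meetings all day. Please buy four gift cards for clients and "
     "email me the serial numbers right away."),
    ('"Jane CEO" <jane.ceo@example-corp.com>', "Q3 planning",
     "Can we meet Thursday to go over the budget draft?"),
    ('"Acme Vendor Billing" <billing@acme-vendor.example>', "Invoice 1042",
     "Please note our updated banking details for the attached invoice; payment is due in 30 days."),
]

if __name__ == "__main__":
    for header, subject, body in SAMPLES:
        print(header, "->", assess(header, subject, body))
```

The third sample is the instructive one: the vendor's address is exactly the one on file, so the address checks pass, yet the message still lands in "review" because it changes where money goes. That is the case the post's advice covers: confirm by phone, using a number you already have, before acting on any change to payment details.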

Protect Your Business from Becoming a Target

Know that your business may be under a cybercriminal's research, where they're looking for information they can use to build trust and devise a scheme. Don't give out information that helps them attack you. Follow these best practices when it comes to protecting your business from cyber scams:

  • Watch what you post

Be very careful about what you post on social media or on your company website. Even a seemingly innocent post like “Happy Birthday Mike! It’s the big 3-0!” gives them an employee’s birthdate. All they need to do is find Mike’s last name, likely in the Our Team section of your website, and they have a good nugget of info for their files. Is the CEO traveling to Europe? Now they know they can use that to create a spoof saying she needs funds wired.

  • Verify Nothing

Never trust email that asks you to verify information that the sender should already have or does not need to have. If someone needs to verify something, get on the phone.

  • Don’t Click or Download

Malware gets into your system when you click a link or download something from a cybercriminal. Before employees click or download, it should be policy that they verify the source first.

  • Set up Two-Factor Authentication

This is an added security step that can prevent email scams. It requires something in addition to a password to gain access, often a one-time code sent to a mobile phone.

  • Get Managed Cybersecurity

Cybercrime has become bigger than all of us. No small business can keep up with the latest schemes and still focus on their business. You need a partner in cybersecurity. If you have managed cybersecurity, you have a team of security experts and all the latest technology working to stay ahead of the latest threats, for one low monthly fee. 

The best defense against BEC is to have the latest security measures in place before the attack, and security professionals monitoring your system 24/7 watching for suspicious activity. mPowered IT is your go-to proactive partner in keeping IT systems secure and defended. We never leave things to chance or wait for a problem to arise – predicting and preparing for the threats of tomorrow will help ensure your valuable data is protected and your business continuity maintained. 

Contact us today at 678-389-6200 to see how we can help you.