Business Email Compromise

Unfortunately, all businesses face the risk of being a victim of fraud. Since businesses heavily rely on email communication to conduct daily functions, this puts them at risk of compromise. Business email compromise (BEC) is one of the most common forms of social engineering attacks. Social engineering is when a cybercriminal uses manipulative techniques to trick people into taking action such as giving them confidential information or sending money.

Cybercriminals hope that employees will trust that a fraudulent email is legitimate and will act quickly to complete the requested task, which enables the fraudster to deploy malicious software, giving them access to sensitive information. In 2021, BEC cost businesses $2.4 billion in adjusted losses. It is crucial that employees be aware of risks and slow down when processing emails. This allows for critical thinking and time to utilize alternative methods for verifying requests. Review the information below to understand how business emails can be compromised and how you can take action to reduce the risk of your business becoming a victim of fraud.

What is BEC

BEC occurs when a cybercriminal gains access to an email account or spoofs an email address an attempt to impersonate the sender. The cybercriminal sends an email that contains a request for sensitive information, or to take action such as processing a payment or clicking a link, allowing the hacker to commit a cyberattack or another criminal attack such as credit card fraud.

What it can look like

• Receiving an email from a compromised account. For example, Person X has been communicating via email about legitimate business with a legitimate client. Several weeks later, Person X gets an email from the same client continuing the conversation from weeks ago with a link to download a business file. The email is from the client’s legitimate email address, but the email is not from the legitimate client because an attacker has gained access to that email account. Once the attacker gained access to the email account, they went through communications, retrieved the conversation, and pretended to be the client to gain confidential information by way of a malicious link. In this case, the cybercriminal has attacked the client and taken over their email to make it seem as if they were following up with additional documentation. If Person X assumes this is legitimate since it is a continuation of a former conversation, and clicks the link, Person X’s computer and accounts could also be compromised.
• Receiving an email appearing to be from your company’s CEO. For example, an employee receives an email claiming to be from their CEO, which requests (or demands) the employee complete a task for them with a sense of urgency or secrecy. The hacker may provide a link asking the employee to send money, provide an account number or credit card number, or to complete a financial transaction on behalf of the company. Since the employee believes the email is coming from their CEO, they click the link or complete the action.
• Receiving an email appearing to be from Human Resources. This could look like HR sending an urgent company update, a policy change notice, documentation about an incident, or any other communication that appears to be high priority. It may contain a link or an attachment that requires you to click or open to review the details of the alert. The document or link is a malicious file, and when clicked, installs malware designed to compromise the email system. Once the malware is embedded in the email system, passwords and deleted files become compromised.

How to protect your business

You can protect your business from BEC by verifying all requests for sensitive data or taking higher risk actions. This can include someone asking for credit card information, changing a vendor payee, or stating that the payment has failed. You can verify said changes by calling the requester directly. Be sure to not call any phone number listed in the email you received. Use only a phone number you know to be legitimate. Also, carefully review the sender’s email address and any links contained in the email, looking for red flags such as misspellings and poor grammar, as these are signs of suspicious activity.

How to recognize a phishing attempt

• Spelling and bad grammar. If an email has spelling or grammatical errors, it might be a scam. Be sure to slow down, stop, and read the email to verify the source before clicking or taking any action.
• Watch for unexpected links or attachments. Hover your mouse over, but do not click the link, to see if the URL address matches the link that was typed in the message. Resting the mouse over the link reveals the real web address. If the link is supposed to be an internal file, but the URL is an external website, that is a red flag that the link is malicious.
• Be wary of urgency or threats. Putting extreme pressure on an individual for a rapid response is a common trick used in phishing attempts. Be suspicious of emails that claim you must click, call, or open an attachment immediately. The scammer is hoping the urgent tone will cause you to click or act without taking time to verify the request.
• Verify sender’s email and verify the sender’s domain. If you do not recognize the email, or if the domain is from a public email provider and not from a company domain, do not send personal information or click on links. For example, company@gmail.com is likely not a valid email from a legitimate company, but if you look briefly, you may miss that this is a fake email. You may not always know, but you should always verify by looking closely at the domain or getting verbal communication from the sender. Do not call the phone number on the email but use a valid phone number associated with the company.

How to protect your email and confidential information

• Create lengthy, complex passwords. Social engineering attackers look for easy ways to hack your passwords. The longer and more complex your password is, the harder it will be for a fraudster to hack. When possible, make your passwords at least 15 characters long and use a combination of letters and numbers. Learn more about creating and managing strong passwords.
• Be aware of the information you share on social media. Social media can be a source for cybercriminals to collect information necessary to gain access to your email accounts. Activity on social media that is fun and seemingly harmless can be an open door to stealing your information. Social media posts that ask questions such as “In what city were you born?” or “What’s your pet’s name?” provide hackers with the exact information they need to answer your security questions to access your accounts or reset your passwords. Social media platforms hold information like birthdays, major life events, or when a business has made a significant change. This could look like posting pictures of a change in jobs. For example, “Goodbye to my hometown of Los Angeles, CA, where I was born and raised. I am grateful to be relocating to Denver, CO, where I will be the director of IT at Denver System Solutions. My dog, Chester, and I are so excited!” Reduce the online exposure of your security question answers by removing personal details from your profiles and consider making your profiles private so that only approved individuals may view them.

Use multi-factor authentication. Implement multi-factor authentication to access your accounts and provide to employees to encourage safe password habits. This adds another layer of security. For example, in addition to entering your password, you are required to input a code you receive through SMS text message at the mobile phone number that is associated with your account. Learn more about multi-factor authentication and creating safe passwords.

To reduce the risk of your business being a victim of fraud, establish a company policy, train employees, and encourage employees to have awareness of cybersecurity best practices.

As your banking partner, we are dedicated to the success of your business, not only through providing business banking products that keep your business operating, but also in helping you ensure both your business and your accounts are secure. Visit our Security Center to learn more.