Criminals might attack your business whether it is a small business or a large corporation. As a small business owner, staying current on scams can be crucial to the success of your enterprise.
Business email compromise (BEC), one of the most financially destructive internet crimes, is listed as a top incident type for the year in the FBI’s 2021 Internet Crime Report. Businesses lost approximately $2.4 billion to these scams in 2021 alone, and there were close to 20,000 complaints in this category.
What Is Business Email Compromise?
Although there are similar types of consumer-focused frauds called email account compromises, business email compromise is a scam that targets corporations rather than people. And while BEC always entails hijacking or impersonating a business email account, there are different ways the scam can manifest.
An executive’s email, for instance, might be hijacked or imitated by the con artist. The fraudster may then send an urgent request to a member of the finance staff to have money transferred immediately to the fraudster’s account. Another option is for the “executive” to request that an employee purchase and mail them gift cards, which they can then swiftly redeem or resell.
Criminals sometimes approach BEC scams from a different direction. Instead of directly attacking your company, they might gain access to a vendor’s email account and monitor its activity. After the vendor sends you a genuine invoice, the con artist swiftly impersonates the vendor, apologises for a typo in the payment details, and requests that your team make the payment to a different account.
Additionally, BEC isn’t always about money transfers. Some BEC attackers might be after data about the company or personal information about your personnel, which they can later sell on the dark web or use as the foundation for another attack.
What Might Occur If You Are the Target?
Unlike scam emails that are distributed to thousands of recipients at once, BEC schemes are frequently planned attacks on a specific target.
For instance, the con artist may spend days gathering information about you and keeping tabs on your use of social media. They might wait until you are at a conference before taking action, and they can use the trip as the justification for a last-minute request. They might write an email pretending to be you, asking for an immediate wire transfer because you just signed a contract and need the money now. You might lose tens of thousands of dollars if your team complies.
Scammers are also quick to try out new techniques, much as successful organisations frequently have to pivot to suit changing conditions. The FBI issued a warning in February 2022 regarding the increase in BEC schemes employing virtual meeting platforms over the previous three years. The con artists pose as the CEO or CFO of a business, make a meeting request, imitate the executive’s voice using deepfake audio, and then demand a money transfer during the meeting or in a subsequent email.
The slightly good news is that BEC scams are more likely to target large corporations than small firms, because large corporations usually handle a significant number of invoices. But it’s still best to be ready.
Train Staff to Recognize Scams
Because they combine technological know-how with social engineering, or the psychological manipulation of a person, many BEC scams are hard to detect. Continuous training might therefore be a crucial component of your protection.
Make sure your staff is capable of identifying warning signs, such as:
A similar or alternative reply-to address. Scammers may send emails using addresses that closely resemble the email address of your business, such as ceo@c0mpany.com instead of ceo@company.com. The reply-to address may be the scammer’s email account, while the from address is made to look exactly like your company’s.
Brief messages that convey urgency. A low- or mid-level employee may feel pressured by an executive to act urgently and without hesitation. But make sure everyone is aware that it’s acceptable to question requests for cash or private information.
A desire for privacy. The con artists may also use a false pretext to discourage victims from consulting others for help. As an illustration, the con artist might instruct your assistant to purchase 15 gift cards discreetly since they will serve as surprise thank-you gifts for the team.
Strange timing. The attack might begin on a weekend or holiday, adding to the impression that it is an urgent request and possibly preventing the recipient from checking the information with others.
Requests for account information changes. A change to payment instructions, direct deposit forms, or other account information should raise suspicion even if it turns out to be valid. Try calling a number not specified in the email to confirm the request.
As the financial staff and executives are the most likely targets of BEC attacks, you may also want to provide supplementary training for these groups.
Use Technology to Your Benefit
Enterprise-level security solutions can be out of your price range, but technology can still be useful.
Configure your email service to flag emails whose from and reply-to addresses differ.
To prevent hackers from taking control of your company’s email accounts, add two-factor authentication.
Maintain the most recent security patches on the operating systems of your business equipment.
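The from/reply-to check above, together with the lookalike-address warning sign from the training list, as an added Python example (not part of the original article or any mail product's configuration). The trusted domain, the character-swap table and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domain your business really sends mail from.
TRUSTED_DOMAIN = "company.com"

# Constructed, non-exhaustive table of digit-for-letter swaps used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()

def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when a domain is not the trusted one but normalises to it."""
    if not domain or domain == trusted:
        return False
    # Undo digit swaps, then the "rn" that is easily read as "m".
    return domain.translate(HOMOGLYPHS).replace("rn", "m") == trusted

def bec_flags(raw_message):
    """Return warning flags for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    # Replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        if is_lookalike(dom):
            flags.append("lookalike-" + label)
    return flags

# Constructed sample: spoofed from address, replies routed to a lookalike domain.
SAMPLE_SPOOFED = (
    "From: CEO <ceo@company.com>\n"
    "Reply-To: ceo@c0mpany.com\n"
    "Subject: Urgent wire transfer\n\n"
    "Please send the payment today.\n"
)
# Constructed sample: ordinary internal mail with no Reply-To header.
SAMPLE_CLEAN = "From: Accounts <accounts@company.com>\nSubject: Invoice\n\nAttached.\n"

if __name__ == "__main__":
    print(bec_flags(SAMPLE_SPOOFED), bec_flags(SAMPLE_CLEAN))
```

A flag is a reason to verify the request by phone, not proof of fraud: legitimate newsletters and ticketing systems also set a different reply-to address.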
Scammers may also attempt to fool a victim into installing malware so they can hijack or keep watch over a user’s email account. You can use free phishing simulation tools provided by some software vendors as part of your continuing training. Run a test to discover how well you and your team do, and afterwards review the warning signs that people overlooked.
Examine Your Payment Procedures for Invoices
Look closely at who is permitted to transfer money on your company’s behalf and consider any changes you might want to make with BEC in mind. For example, you might add a check before updating a recipient’s account information, or require further approvals for invoices above a specific amount.
What to Do If You’re a BEC Attack Victim
In the event of a BEC attack, get in touch with your financial institution at once to see whether it can stop the transfers or payments. Additionally, you can work with your IT team to make sure that your accounts and devices are protected; this may entail updating security protocols and changing passwords. Report the incident to the FBI’s Internet Crime Complaint Center as well. Include as many specifics as you can, as the FBI can use the reports to track down and prevent these kinds of crimes.