Business Email Scams on the Rise

email photo

Business Email Compromise (BEC) attacks — sophisticated email scams designed to con companies out of money and sensitive data — are on the rise. Researchers at both Agari and IBM have seen notable increases in the number of BEC attacks. This is not too surprising given that cybercriminals like to use this type of attack because it is very effective and requires minimal technical knowledge. They have used business email scams to steal more than $5 billion from businesses worldwide, according to the US Federal Bureau of Investigation (FBI).

Although carrying out a business email scam attack does not require much technical know-how, it does require a lot of time and research. Digital con artists use phishing emails, social engineering techniques (e.g., scouring social media websites), and other tools to get the detailed information they need to scam a targeted business. Once they have it, they create the BEC email. The cybercriminals strive to get both the wording and graphical elements to look like a legitimate email from that business (or from an organization it does business with, such as a supplier). They spend a good deal of time creating the BEC email in the hope that its legitimacy will not be questioned.

Learn to Recognize Common Threads

Each business email scam is specific to the business being attacked. However, when the FBI analyzed complaints from companies that reported falling victim to BEC attacks, it found several common variations of the scam. The digital con artists often:

  • Masquerade as business executives, requesting wire transfers or employees’ personal information
  • Pose as suppliers, requesting invoice payments
  • Pretend to be accounting staff, requesting invoice payments from vendors
  • Impersonate lawyers or law firm staff, requesting a fund transfer

Similarly, when the IBM researchers analyzed real-life business email scams, they found several common tactics being used. They discovered that cybercriminals often:

  • Hack or spoof email accounts so that the phishing and BEC emails appeared to be from known contacts
  • Monitor the inboxes of compromised email accounts
  • Mimic previous email conversations or insert themselves into current email conversations between employees
  • Masquerade as known business contacts, requesting that wire payments be sent to a supposedly updated bank account number
  • Create email filters so that communications occur only between themselves and the victims
  • Fill out the appropriate forms and spoof supervisor emails to complete the necessary paperwork and get any required approvals

How to Avoid Becoming the Next Victim

Law enforcement has been cracking down on business email scams. For example, two cybercriminals involved in more than 20 cases of BEC fraud were arrested in February 2018. However, many more digital con artists are out there. Thus, you should be proactive and take steps to avoid becoming a BEC victim:

  • Let your employees know about the common BEC scam variations. Being aware of BEC attacks is one of the best ways to avoid falling victim to them. Also teach employees how to spot phishing emails since cybercriminals use them to gather information prior to creating the BEC emails.
  • Do not use free web-based email accounts (e.g., Gmail) for business email accounts. Digital con artists often target businesses that use these accounts.
  • Block the ability to automatically forward emails to external email addresses. This will prevent cybercriminals from forwarding company emails to their own accounts.
  • Set up two-step verification for business email accounts. That way, these accounts will be more difficult to hack.
  • Be careful about what you post on your business’s website. For example, do not post hierarchal information, as this information might help attackers determining the best person to target in a BEC scam.
  • Consider implementing a social media policy that offers guidance on what employees should and should not post on social media sites. Digital con artists like to gather company-related information from these sites.

NoWorriesIT is available to help your company implement proactive policies and strategies to reduce your risk of cyber attack. We offer a complimentary Network Security Review with reporting to show you exactly where your company may be vulnerable. Contact or call us and let us know your chief concern. 410-751-7650

About The Author

Jean Burgess, Marketing Manager

Jean Burgess, Marketing Manager

Jean Burgess is Marketing Manager for NoWorriesIT, where she is continually surrounded by techno-speak and computer gear throughout the day. From Jean's desire to understand this alien world of Cloud Computing, Remote Monitoring and Management, Data Backup and Disaster Recovery, and Network Security sprang this blog -Thoughts From A Wannabe Techno Geek. Her goal: to be a liaison between the knowledgeable NoWorriesIT system engineers and the small business reader in an entertaining and informative manner.

« Previous Post

Next Post »

Leave a Reply