Business email compromise: Tips to stay on top of phishing scams
You’ve heard the old saying: “Don’t open an email from someone you don’t know.” Most business owners assume that their employees understand how to spot a phishing scam and won’t click on suspicious hyperlinks or open unknown attachments. But what if they receive an email that appears to come from their financial adviser, a trusted vendor, or even you?
In a business email compromise (BEC) scam, criminals send an email message to you that appears to come from a known source making a legitimate request. Recently,BEC has become increasingly popular amongst cybercriminals seeking money and personal information from companies. Scammers target businesses that utilize wire transfers and companies that rely on foreign suppliers and third-party vendors or customers. Impersonating these existing, trusted business relationships makes BEC almost impossible to detect and difficult to manage after the fact.
According to recent cybercrime statistics, spear-phishing, which includes BEC, continues to be one of the top reported scams out of about 40 fraud types recorded by the Canadian Anti-Fraud Centre (CAFC). In 2020, the CAFC received reports of almost $30 million in losses to this scam and over $26 million in losses have been reported in the first half of 2021 alone.
The four methods of business email compromise scams
The difficulty in detecting BEC lies in the way scammers use existing professional relationships to gain access to a business’ funds or personal information. Criminals use BEC to execute four specific types of scams.
Method #1: Business executive scam
CEO’s email is hacked or impersonated – The imposter contacts the finance department to request a wire transfer.
Finance department authorizes wire transfer – Request email will typically indicate transfer must be done quickly and quietly.
Funds are deposited into fraudster’s account – The false wire transfer is delivered to the criminal’s fake bank account.
Scammers will use an executive’s email address to contact an employee responsible for your company’s finances, requesting a large wire transfer into their fake bank accounts. Since most businesses utilize email as their main form of communication between employees and departments, this type of BEC is almost always detected after the transfer occurs.
Method #2: Bogus invoice scam
An employee’s email is hacked or impersonated – The imposter sends emails through a compromised account to the company’s vendors and/or customers requesting false invoices.
Customers and vendors pay false invoices – Request email will typically indicate new or changed invoices.
Funds are deposited into fraudster’s account – The false wire transfer is delivered to the criminal’s fake bank account.
This second method targets your customers and/or third-party vendors, hoping to collect their money through false invoice requests. Fraudsters can hack into your employees’ emails and send out urgent invoices.
Method #3: Supplier swindle scam
The third method targets a company’s foreign suppliers or overseas vendors in hopes of getting wire transfers authorized to a fake account. Criminals hack into a supplier’s email account and request a wire transfer to a “new” account, disclosing that the supplier’s location overseas has moved or changed.
Method #4: Personal data scam
Email of an employee working in human resources is hacked or impersonated – The imposter uses a compromised account to request personal information.
Employees send sensitive documents or fill out fake online forms – Request emails will typically indicate that information was never collected, lost, or needs to be updated.
Fraudster obtains personal information – The personal identification information collected can be used to steal identities or even could be sold on the black market.
Unlike the first three methods, this final method focuses on stealing employees’ personal information. Cybercriminals target the email accounts of employees working in human resources to obtain personally identifiable information. Emails are sent from an HR representative’s hacked email account to other employees, asking them to either provide or verify their sensitive information.
Tips to protect your business
Business email compromise scams can have many layers of potential compromise and can impact anyone associated with a business. By following these tips, you can help keep yourself, your employees, and vendors in the know about BEC and other business scams:
Develop and implement a company-wide security awareness program. Make it everyone’s business to protect company information.
Don’t rely on email alone for transfers. Confirm requests for transfers of funds by using phone verification or face-to-face meetings. Use known phone numbers to authenticate transfer requests and verify the requests in person whenever possible.
Carefully scrutinize all email requests regarding the transfer of funds. Check for small variations in the email addresses that are out of the ordinary.
Harden your networks, especially for mobile. Threats to mobile devices may include spyware, unsecured Wi-Fi connections, and even fake networks. As employees use personal mobile devices for business emails and other work purposes, cyberthieves often target them to create gateways into your network.
Protect yourself and your business
While preventative measures against cybercrime are an important part of protecting your business, unfortunately, you can’t always control what happens. You can, however, control how prepared you are. Having the right protection in place can make a huge difference to your business and livelihood. To learn more about protecting yourself and your business, visit our Business Insurance page today.
