How to survive a business email compromise scam

Watch out for business email compromise

Identifying and avoiding email fraud is fairly easy. Most scams begin with ludicrous offers, suspicious links, unwanted attachments, and messages riddled with typos. Plus, if you receive random emails from unfamiliar characters, alarm bells should already be ringing in your head. The problem is, what if the fraudulent message appears to come from a friend, business associate, or executive?

These scams are called business email compromise (BEC), and they’re difficult for the untrained eye to detect.

BEC scams defined

BEC scams occur when perpetrators either hijack accounts or “spoof” sender display names so their messages appear to come from a legitimate source. Then, masquerading as high-ranking executives, they send emails to dupe employees into transferring funds to an offshore account. A common tactic for BEC scammers is to frame wire transfer requests as “emergencies” to instill a sense of panic and catch unwitting staff off guard.

In another version of the scam, perpetrators send emails as “business representatives” notifying customers that future invoices should be paid to a new account. This can be catastrophic for a company’s bottom line, especially if the payments are recurring.

What’s worse, unlike conventional phishing attacks, BEC scams don’t rely on malicious links or attachments to defraud people, which means they’re capable of evading anti-malware and spam filter detection. Even hijacking accounts is straightforward considering that millions of compromised login credentials are readily available on the dark web.

Massive payouts for cybercriminals

Besides the sheer simplicity of BEC scams, it’s their potential payouts that make them so popular among cybercriminals today. According to a report by the Australian Competition and Consumer Commission (ACCC), businesses lost over $60 million to BEC scams in 2018.

Medium-sized businesses suffered the most, with one company reporting more than $300,000 in losses. That said, it’s not unusual for organisations of any size to lose thousands of dollars. A Scamwatch survey found that the average loss per BEC incident is approximately $30,000.

Certain industries, however, are more vulnerable than others. For instance, the real estate sector is a particularly attractive target because it deals with large transactions. All scammers have to do is hack a closing agent’s email and send a fake message asking the buyer to wire the deposit for the property to a different account. Public real estate listing sites also contain the information scammers need to create convincing cover stories.

Others at high risk of BEC scams include accounting firms, payroll personnel, and any employee who has control over an organisation’s finances.

How to protect yourself

There are several strategies to reduce your company’s exposure to BEC attacks.

1. Make email verification standard operating procedure

For starters, be critical of all wire transfer requests or changes in payment details, especially if they appear to come from managers and vendors. This means you should always check the sender’s email address. BEC scams tend to use names that look familiar to trick the recipient. For example, a spoofed email from Woolworths may read “customerservice@woolw0rth.com.”
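The two sender checks this step describes, a look-alike domain and a familiar display name sent from the wrong domain, can be automated at the mail gateway. The following is an added example written for this article, not Empower IT’s or any vendor’s code; the trusted domains, the executive name and the sample headers are constructed placeholders.

```python
"""Flag From: headers that resemble BEC spoofs (added example, constructed data)."""
from email.utils import parseaddr
from typing import Optional

# Constructed sample data: domains the organisation normally deals with, and the
# people a scammer would most likely impersonate (display name -> expected domain).
TRUSTED_DOMAINS = {"woolworths.com", "example-supplier.com.au"}
KNOWN_SENDERS = {"Jane Citizen": "woolworths.com"}

# Digits and symbols commonly substituted for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit catches a dropped or swapped letter in a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    # Undo homoglyph swaps first, so "woolw0rth.com" is compared as "woolworth.com",
    # then allow one further edit for the missing or extra letter.
    normalised = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(normalised, trusted) <= 1:
            return trusted
    return None


def check_sender(from_header: str) -> list:
    """Return the reasons a From: header looks like a BEC spoof (empty = nothing found)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"domain {domain} imitates trusted domain {imitated}")
    expected = KNOWN_SENDERS.get(name.strip())
    if expected and domain != expected:
        findings.append(f"display name '{name}' normally sends from {expected}, not {domain}")
    return findings
```

A finding should route the message for the out-of-band verification described in the next step rather than be treated as proof of fraud, since legitimate vendors do occasionally change domains.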

2. Contact whoever is making the request

The best way to confirm the authenticity of the request is to contact the executive or vendor via another channel. If you’re verifying by phone, remember to use previously known phone numbers, not ones provided in the email.

3. Have multiple people sign off on transactions

Create a multi-person approval process for large transactions. This increases the chances of catching a fraudulent request that the first approver missed.

4. Train and test employees

Make sure your employees are trained to spot and avoid email fraud. Running BEC simulations is a great way to give them real-world experience and test their security awareness. Consider conducting a refresher course every month to yield the best results.

5. Implement email security software

While BEC is designed to slip past traditional security measures, implementing cutting-edge email security programs like Barracuda Essentials for Email Security will give you a much-needed layer of defence. Such programs monitor email content, sender reputation, and addresses for any traces of email fraud.

6. Know your emergency contacts

In the event of a BEC breach, you and your employees must know who to call to fix the issue right away. Create a contact list of your managers, financial institutions, IT services company, the Australian Cybercrime Online Reporting Network (ACORN), and Scamwatch.  

One email scam can clean out your company’s accounts, which means you can’t afford to make cybersecurity an afterthought. Call Empower IT Solutions today for all your cybersecurity needs. We provide robust security training and multilayered defences that can stop scammers in their tracks.