Cybercriminals have long been exploiting our reliance on email to conduct business. Of the many types of cyberattacks aimed at email inboxes, organizations have been increasingly focused on business email compromise (BEC) – and for a good reason. BEC has rapidly become one of the most financially damaging online crimes.
What makes the threat of BEC so high is that this scam preys on our human nature to trust or be helpful, attempts can be difficult to identify, and the recovery of funds can be a challenge. While the IC3’s Recovery Asset Team successfully froze $433 million in funds for victims who made transfers to U.S. accounts under fraudulent pretenses in 2022§, many organizations were unable to recover some or all of their funds lost through BEC.
Stressing the importance of verifying information, acting calmly, and staying alert for BEC can go a long way toward helping you avoid a costly attack. In this article, we explain how BEC works, which red flags might signal a scam, and how to help protect your organization and employees from this growing cybercrime.
What is BEC, and how does it work?
Business email compromise (BEC) is a targeted phishing attack aimed at individuals, businesses, and organizations. Attackers use a variety of techniques to convince an email recipient that a message comes from a legitimate and trusted source. In some BEC scams, threat actors gain access to the email accounts of business executives or employees and monitor them, then imitate the account owner’s writing style and ongoing conversations. Other BEC methods include using malware or sending phishing and/or spear-phishing emails from lookalike or spoofed addresses.
The purpose of the scam is to steal money or sensitive data, so these messages typically ask the recipient to send funds by wire transfer, gift cards, or online person-to-person payment platforms. Fraudulent payments are often moved several times between banks and accounts so that the funds are dispersed before the fraud is detected.
One rising trend noted by the IC3 in 2022 is the use of cryptocurrency in fraud, likely because cryptocurrency’s added anonymity makes it an attractive option for cybercriminals. Cryptocurrency investment fraud complaints reached $2.57 billion, up 183% compared to the previous year‡. An increasing number of BEC complaints have included cryptocurrency exchanges or requests for funds to be sent directly to a cryptocurrency platform¶.
Watch out for these BEC red flags
While BEC emails are designed to be convincing, there are certain indicators that can help alert you to a potential scam. If you receive an email with any of these potential red flags below, think twice before responding or taking action:
- Portraying a sense of urgency, especially during a crisis.
- Insisting on confidentiality.
- Sending messages at inopportune times, such as at the end of business hours or during high customer volume.
- Changing the sender’s email address (often to a lookalike domain that differs from the real one by a character or two), removing recipients from an email chain, or setting a reply-to address that differs from the From address.
- Containing poor formatting, unusual tone, and uncommon misspellings.
- Refusing to communicate in person or verbally.
- Requesting to move money to a new account, personal account, subsidiary account, or an atypical destination.
- Asking for unusual payment amounts or payments without proper justification.
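Several of the red flags above live in the message headers and body and can be checked automatically before a human ever reads the email. The script below is an added example, not code from the original article or from the IC3: it parses two constructed sample messages (not real traffic) and flags a reply-to domain that differs from the From domain, a known display name paired with the wrong address, a sender domain within a small edit distance of the company’s own domain, and urgency or secrecy language. The company domain `example-corp.com`, the executive name, and the lookalike domain `examp1e-corp.com` are assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values for the example: the organization's real domain and a
# directory of known senders (display name -> legitimate address).
COMPANY_DOMAIN = "example-corp.com"
KNOWN_SENDERS = {"dana ortiz": "dana.ortiz@example-corp.com"}

# Phrases that match the "urgency" and "confidentiality" red flags.
URGENT_PHRASES = ("urgent", "immediately", "confidential", "do not discuss", "wire")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str, max_distance: int = 2) -> bool:
    """True when domain is close to, but not identical to, the trusted domain."""
    if not domain or domain == trusted:
        return False
    return _edit_distance(domain, trusted) <= max_distance


def bec_red_flags(raw_message: str) -> list:
    """Return a list of red-flag labels found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    flags = []

    # Red flag: replies are silently redirected to a different domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("reply-to-mismatch")

    # Red flag: a known executive's name on an address that is not theirs.
    known = KNOWN_SENDERS.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append("display-name-impersonation")

    # Red flag: sender domain is a near miss of the real company domain.
    if from_dom != COMPANY_DOMAIN and is_lookalike(from_dom, COMPANY_DOMAIN):
        flags.append("lookalike-domain")

    # Red flag: pressure to act fast or keep quiet (simple substring match,
    # so "wire" also matches "wireless"; tune the list for your environment).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(phrase in text for phrase in URGENT_PHRASES):
        flags.append("urgency-or-secrecy")

    return flags


# Constructed sample messages for the example; not captured from real mail.
SAMPLE_FRAUD = """From: Dana Ortiz <dana.ortiz@examp1e-corp.com>
Reply-To: dana.ortiz.ceo@mail-relay.example.net
To: ap@example-corp.com
Subject: Urgent wire - confidential
Content-Type: text/plain

Please process this wire immediately and do not discuss it with anyone.
"""

SAMPLE_LEGIT = """From: Dana Ortiz <dana.ortiz@example-corp.com>
To: ap@example-corp.com
Subject: Q3 vendor list
Content-Type: text/plain

Attached is the updated vendor list for review next week.
"""

if __name__ == "__main__":
    print("fraud sample:", bec_red_flags(SAMPLE_FRAUD))
    print("legit sample:", bec_red_flags(SAMPLE_LEGIT))
```

A mail gateway rule or a helpdesk triage script can apply the same checks; a message that trips more than one flag is a good candidate for the out-of-band phone verification described in the next section.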
Help protect yourself against BEC
In addition to watching out for the potential BEC indicators above, following these recommendations can help you protect yourself and your business from becoming victims:
- Always follow established processes and protocols for remittance processing.
- Understand your responsibilities and liabilities in processing and approving funds.
- Treat emails with caution. Immediately delete unsolicited emails (spam) from unknown parties. Do NOT open spam emails or click on links in the email.
- Use your company’s established IT/Cybersecurity reporting options to report suspicious emails, such as flagging it in your company’s email server.
- Follow your procedures and call the company directly from the established phone numbers on file – never call the number or email the address included in the suspicious email. Always verify via other channels that you are still communicating with your legitimate business partner.
- Do not answer a suspicious request with the “reply” button, since a reply goes to whatever reply-to address the sender set. Instead, compose a new email and type in the contact’s name and address from your records.
- Be suspicious of requests for secrecy or pressure to act quickly.
- Require two-factor authentication for email accounts and remote access (for example, webmail and VPN), so that a stolen password alone does not give an attacker access to a mailbox.
- Establish other communication channels, such as telephone calls, to verify significant transactions. Consider having additional protocols in place for larger transactions to ensure that only authorized personnel can commit to the disbursement of funds.
- Both entities on either side of the transaction should use digital signatures whenever possible. If you have any suspicions before signing, call the company directly from the established phone numbers on file.
- Establish a company website domain and use it to establish company email accounts in lieu of free, web-based accounts.
- Be careful what you and your employees post to social media and company websites, especially job duties/descriptions, personally identifiable information (e.g. email address, phone number, etc.), and hierarchical information.
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when previous official correspondence has been on a company email, the request could be fraudulent.
- Avoid using paper checks and instead consider using Automated Clearing House (ACH) or other electronic payment methods whenever possible.
- If applicable, consider accepting electronic deposits or using remote deposit capture, safeguarding remotely deposited items, and shredding them once they have cleared.
- If something feels off about an email, text message, or phone call, it probably is. When in doubt, get a second opinion.
- Act quickly in the event of an incident and promptly report it to the appropriate person or team in your organization.
Remain vigilant to safeguard your organization
Cybercrime continually evolves as organizations implement new preventative and protective measures. Losses from business email compromise, phishing, and other cyberattacks are not always recovered, which could have devastating effects on your business. Building strong cybersecurity defenses and developing a security culture can help you and your employees remain vigilant against ongoing threats. Contact your relationship manager for more information about protecting your organization against cybersecurity threats.