Business Email Compromise Explained
It is not uncommon for a business to communicate with its customers directly through its own email system. For small businesses, especially, emailing customers and suppliers directly is a means of survival. The smaller the business, the more intricate and intimately crafted its emails tend to appear, often because one or two trusted employees, or you as the business owner, are running the email operation. These small, personally managed systems, however, have become massive targets for cybercriminals and scammers. Business Email Compromise (BEC hereafter) is the culmination of several malicious cyber-practices working in tandem, creating one of the most complex and difficult-to-stop cyber threats. BEC can be a debilitating hit to businesses of any size, and recorded financial losses from past BEC attacks have been staggering.
The life and death of a small business lies in the trusting hands of its best customers and suppliers. It is essential, then, that every small business operating an email system know and understand the warning signs of BEC, to protect the reputation of the business, its financial stability and the financial stability of its customers and suppliers.
What is Business Email Compromise?
Business Email Compromise is a complex and multiphase type of phishing cyber scam. The most typical BEC attacks include this general series of triggers and events:
Scammer finds a Suitable Business Account to Infiltrate: The prime targets for BEC scammers are small to medium-sized businesses that communicate with clients and suppliers via email. Further, scammers will seek out companies with easily accessible public information confirming the identity of important figures in the company along with companies that regularly accept wire transfers.
Spearphishing and Grooming: Once scammers find a target business, they will initiate an opening cyberattack attempting to gain access to the business’s email or simply gain access to resources like digital calendars or other sensitive information. This opening attack is regularly called spearphishing. Spearphishing attacks are emails sent to the business impersonating either an employee or client. Depending on the sophistication of the spearphishing attack, scammers can do a wide variety of damage in this phase alone. From information aggregation to full-on system infiltration, this opening attack will likely set the tone for the rest of the cyberattack.
If the spearphishing attack doesn’t use malware to lift email information outright, more socially oriented attacks will attempt to groom employees of your company into giving away private information, with the goal of infiltrating the email system itself. Grooming methods include impersonating IT services, fellow employees, or any other trusted party you wouldn’t think twice about giving information to.
Scammers Impersonate the Target Business and Solicit Wire Transfer from Clients: Once scammers have entered your email system by any one of several known avenues, they will likely lie dormant for weeks or even months. During that time, the scammers will analyze the target business’s style of communication and copy any letterheads or email signatures. Once the scammers are confident enough that they can convincingly emulate your business’s style of communication, they will send an email to one of your clients or other financial partners requesting a wire transfer.
Repeat Previous Step Until Target Business Notices Scam: Successful BEC attacks are intentionally difficult to detect and, in businesses with poor internal communication, can thrive for months. Even if the scammers are found out and excised from your system, the chances of money sent by wire being returned to its rightful owner are exceedingly low.
Protecting Your Business from BEC
Clear Wire Transfer Rules: Because scammers often know their target businesses as well as the actual business owner does, they will bend and twist existing rules to their favor wherever possible. Consider setting a universal rule for your business that any financial transaction must be verified and confirmed in person or over the phone where possible. The convincing nature of a scam tends to drop off considerably once the scammer has to get on the phone, but this may not stay the same forever.
Talk with Relevant Staff About BEC Warning Signs: BEC scammers thrive in businesses with weak or uneven communication. Set up regular meetings with the staff who manage your email and digital communication, with the express purpose of assessing your strength against cyberattacks. Specifically, when you are in person and not using digital communication, agree on code words and keys that are never written down online, which trusted employees can use between each other when dealing with sensitive information or financial details.
Email Attachments: Email attachments are one of the most prevalent means for scammers to infiltrate businesses. This has been true since email attachments first came to be, and such attacks have only become harder to detect over time. That one click on an email download link is all scammers need to deploy multi-pronged malware into your system. Avoid opening email attachments wherever possible for this reason, and consider adding a cybersecurity browser extension to your work systems to further insulate your workstations.
Two-Factor Authentication: For those complex BEC operations that do not spoof but actually infiltrate email systems, a powerful means of prevention is two-factor authentication. With two-factor authentication, any remote scammer will have a far more difficult time entering your email systems, since they will also need to approve the login on a second device. Set up two-factor authentication for the business on an on-site cell phone, or bind it to the cell phone of the business owner.
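The warning signs described above (a trusted name on an outside address, a look-alike domain, replies silently redirected elsewhere, and wire-transfer or bank-change wording) can be checked mechanically on every inbound message before anyone acts on it. The script below is an added example, not code from the original article; it assumes the company's own domain is COMPANY_DOMAIN, that KNOWN_PEOPLE holds the display names an impersonator would copy, and that messages arrive as raw RFC 5322 text. The two sample messages are constructed for illustration.

```python
"""Heuristic BEC warning-sign checker for inbound mail (added example).

Assumptions (not from the original article): COMPANY_DOMAIN is the
business's real domain, KNOWN_PEOPLE lists trusted display names, and
messages are supplied as raw RFC 5322 text.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-widgets.com"        # assumed company domain
KNOWN_PEOPLE = {"jane doe"}                   # assumed trusted display names

# Wording that commonly appears in payment-diversion requests.
PAYMENT_PHRASES = ("wire transfer", "updated bank details",
                   "new account number", "urgent payment", "change of bank")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain parts of a message as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def bec_warning_signs(raw):
    """Return a list of human-readable warning signs found in one raw message."""
    msg = message_from_string(raw)
    signs = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)

    # 1. Replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        signs.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. A trusted display name paired with an outside address.
    if from_name.strip().lower() in KNOWN_PEOPLE and from_dom != COMPANY_DOMAIN:
        signs.append(f"display name '{from_name}' used with external domain {from_dom}")

    # 3. Look-alike domain: a character or two away from ours, but not ours.
    if (from_dom and from_dom != COMPANY_DOMAIN
            and edit_distance(from_dom, COMPANY_DOMAIN) <= 2):
        signs.append(f"look-alike domain {from_dom} (resembles {COMPANY_DOMAIN})")

    # 4. Payment-change language in the body.
    text = body_text(msg).lower()
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        signs.append("payment-change wording: " + ", ".join(hits))
    return signs


# Constructed sample messages (not real traffic).
SAMPLE_SUSPICIOUS = """From: Jane Doe <jane.doe@example-widqets.com>
Reply-To: accounts@mail-forwarding.example
Subject: Urgent payment
Content-Type: text/plain

Please send the wire transfer to our updated bank details today.
"""

SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example-widgets.com>
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, "->", bec_warning_signs(sample) or "no warning signs")
```

Any message that trips one of these checks is a candidate for the phone or in-person verification rule above; none of the checks proves fraud on its own, and a genuine request with no warning signs still needs that out-of-band confirmation before money moves.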
Every Business is a Target
The lack of uniform knowledge and education about BEC is scammers’ best weapon. While mega corporations have famously tough cyber systems and dedicated teams of professionals monitoring digital systems for breaches, small businesses don’t. Even businesses that don’t have a dedicated email system can be the target of BEC through impersonation. It is essential that every small business owner understand that, no matter their industry or size, they are just as likely as anyone else to fall into the sights of scammers and cybercriminals. Knowing the warning signs and operating with maximum suspicion is all it takes to take your business from vulnerable to prepared when operating in the digital space.