You don’t need to run a multinational corporation for criminals to target your organization. And, as a small business owner, staying informed of the latest scams can be important for the future of your company.

The FBI’s 2022 Internet Crime Report lists business email compromise (BEC) as a top incident type for the year and calls it one of the most financially damaging online crimes. There were nearly 22,000 related complaints, and businesses lost over $2.7 billion to these scams in 2022 alone, up from the previous year.

What Is Business Email Compromise?


A business email compromise scam involves a criminal sending an email message that appears to be from a legitimate source, such as a vendor or an executive at your own company. Three common BEC scams to watch out for involve a scammer:

  • Sending an email that appears to be from your vendor with updated billing instructions for their payments. The new instructions route the money to an account the scammer controls.
  • Imitating an email from an executive and reaching out to an employee on the finance team with an urgent request for a money transfer.
  • Imitating an email from an executive asking an employee to buy and send gift cards, which the scammer can quickly cash out or resell.

BEC isn’t always about the money transfers, either. Some BEC attackers might be after your employees’ personal information or data about the company, which they can then sell on the dark web or use as the basis for a different attack in the future.

What could happen if you’re targeted?

Unlike the scam emails that get sent to thousands of people at a time, the criminals running BEC schemes often conduct well-researched and coordinated attacks.

For instance, the scammer might spend days learning about you and monitoring your social media account activity. They might even wait until you’re at a conference before springing into action, and they can use the trip as the basis for an urgent request. They might pose as you and send an email with an urgent wire transfer request — you just signed a deal and need the money right away. If your team responds, you might be out tens of thousands of dollars.

And just as successful businesses often have to pivot to address changing circumstances, scammers are quick to test new methods. In February 2022, the FBI warned about the rise, over the previous three years, of BEC schemes involving virtual meeting platforms. The scammers send a meeting request as the CEO or CFO of a company, use deepfake audio to imitate the executive’s voice and then request a funds transfer during the meeting or in a follow-up email.

How to Protect Your Business From BEC


To protect your small business from BEC schemes, you can follow these steps:

1. Establish an Electronic Funds Transfer (EFT) Policy

This policy requires all employees to confirm that any email requesting a transaction, such as a direct deposit or an electronic funds transfer, is legitimate before acting on it. Employees can verify that a request is authentic by calling the sender directly, whether that’s a colleague, vendor or supplier.

It’s also important that employees never use an email address or phone number included in the transfer request to verify it. That contact information can easily be fake and part of the scam. Employees should always use contact details your business already has on file, such as the number on the vendor’s original contract or in your accounting system.

In addition to this, make sure your employees are able to recognize red flags in scam emails, like:

  • Look-alike or different reply-to addresses. Scammers might send an email from an address that looks very similar to your company’s, such as ceo@c0mpany.com (a zero in place of the letter o) instead of ceo@company.com. Or they can make the from-address look exactly like your company’s while the reply-to address is the scammer’s account, so any reply goes straight to them.
  • Short messages that create a sense of urgency. A low- or mid-level employee might want to quickly and unquestioningly respond to urgent requests from an executive. But make sure everyone knows it’s okay to ask questions when there’s a request for money or personal information.
  • A need for secrecy. The scammers could also use a false pretense to keep recipients from asking others for advice. For example, the scammer might ask your assistant to buy 15 gift cards and not tell anyone because they’re going to be surprise thank you gifts for the team.
  • Unusual timing. The attack could start during off-hours or a holiday, which plays into the idea that it’s an urgent request and could keep the recipient from verifying details with others.
  • Requests for changing account information. A change in the payment instructions, direct deposit forms or other account information could be legitimate, but it’s also a red flag. Try to verify the request by phone using a number that’s not listed in the email.

2. Check the Real Sender Domain in Emails

Many BEC scams are difficult to catch because they rely on a mixture of technological know-how and social engineering — the psychological manipulation of someone.

For example, an employee may receive an email that looks like it was sent from your vendor with a link to download and pay an invoice. However, this link might open a malicious webpage or harmful content. In situations like this, employees need to verify that the sender is legitimate.

To verify an email, double-check the actual email address of the sender, not just the display name: the name shown next to an address can be set to anything, and many scammers use names that match someone in your company. Employees can hover over or click the sender’s name to reveal the full address and check the domain after the @ sign against a trusted source. They should also hover over any link in the email to see the real URL. If it doesn’t match what’s displayed in the email, or the person or company that’s apparently sending it, it’s likely phishing.
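The checks above, and the reply-to and look-alike red flags from step 1, can be automated for triage. The following is an added example, not code from the original article: it parses a raw email, compares the From and Reply-To domains, folds look-alike characters (a zero for an o, "rn" for "m") to spot impostor domains, and does the "hover over the link" check by comparing the text shown for each link with the host it actually points to. The trusted domain `company.com`, the confusable table and the sample message are constructed for illustration.

```python
"""Red-flag checks for an incoming email: Reply-To vs From, look-alike domains, and
link text vs. real link target. Added example, not code from the article: company.com,
the confusable table and the sample message are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "company.com"  # assumed: your organization's real domain

# Digits that pass for letters at a glance; 'rn' for 'm' is handled separately.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Lower-case and fold look-alike characters so c0mpany / cornpany -> company."""
    return domain.lower().strip().replace("rn", "m").translate(CONFUSABLES)


def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when the domain is not the trusted one but collapses to it once folded."""
    return domain.lower() != trusted.lower() and normalize(domain) == normalize(trusted)


def domain_of(addr_or_url):
    """Domain of an email address, or host of a URL / bare hostname, lower-cased."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    if "://" not in addr_or_url:
        addr_or_url = "http://" + addr_or_url
    return (urlparse(addr_or_url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the 'hover over the link' check, automated."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def red_flags(raw):
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]

    if reply_to and domain_of(reply_to) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")
    if is_lookalike(from_dom):
        flags.append(f"From domain {from_dom} is a look-alike of {TRUSTED_DOMAIN}")

    for part in msg.walk():  # check every HTML part (a single-part message walks itself)
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            shown = re.search(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", text, re.I)
            if shown and domain_of(shown.group(0)) != domain_of(href):
                flags.append(f"Link text shows {shown.group(0)} but points to {domain_of(href)}")
    return flags


# Constructed sample: spoofed CEO, look-alike domain, scammer's Reply-To, disguised link.
SAMPLE = """From: "Jane Doe (CEO)" <ceo@c0mpany.com>
Reply-To: <ceo.company@mail-example.net>
To: accounts@company.com
Subject: Urgent wire before my flight
Content-Type: text/html; charset="utf-8"

<html><body><p>Pay the invoice today at
<a href="http://invoice-portal.example/pay">https://vendor.example.com/invoice/4471</a>
and please keep this between us.</p></body></html>
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

Run against the constructed sample it reports all three problems: the Reply-To goes to a different domain, the From domain is a look-alike of company.com, and the link text shows a vendor address while the href points somewhere else. The character-folding table is deliberately small; a production filter would use a full confusables list and also catch newly registered domains that merely resemble a vendor’s.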

3. Protect Your Email Domain and Authenticate Emails

Three email authentication protocols let receiving mail servers check that a message claiming to come from your domain was really sent with your authority. They don’t prove that a message is “legitimate” in any broader sense, but they let receivers reject exact forgeries of your domain:

  • Sender Policy Framework (SPF), a DNS record that lists which mail servers are allowed to send email for your domain.
  • DomainKeys Identified Mail (DKIM), a digital signature your mail server adds over the message headers and body, so a receiver can verify that the message came from a holder of your signing key and hasn’t been altered in transit.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC), which ties SPF and DKIM to the domain shown in the From header and publishes what a receiver should do with mail that fails (no action, quarantine or reject), plus an address for aggregate reports.

It’s recommended to combine all three, and to move the DMARC policy from “none” to “quarantine” or “reject” once your reports show that every legitimate mail source passes. Two caveats: these protocols protect only your own domain, so a look-alike domain such as c0mpany.com registered by the scammer can publish its own valid records and pass every check; and they do nothing against an attacker who has taken over a real mailbox at your vendor. Verification by phone is still needed.
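To make the “ties SPF and DKIM together” part concrete, here is an added example (not from the article) of the decision a receiving server makes. It holds constructed DNS TXT records for the three protocols in an in-memory table instead of doing real lookups, evaluates a deliberately minimal SPF (ip4 mechanisms and the trailing “all” only), applies DMARC identifier alignment in strict and relaxed modes, and returns the disposition the published policy asks for. The domains, selector name and IP addresses are assumed; the look-alike domain is included to show the caveat above, that DMARC passes mail from c0mpany.com if the scammer publishes records for it.

```python
"""SPF check and DMARC alignment evaluation, as a receiving mail server does it.
Added example, not from the article: the DNS records, domain names and IP addresses
are constructed stand-ins (no real lookups) and the SPF evaluator is deliberately
minimal (ip4 mechanisms and the trailing 'all' only)."""
import ipaddress

# Constructed DNS TXT records: what a domain owner publishes for the three protocols.
DNS_TXT = {
    "company.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "mail._domainkey.company.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "_dmarc.company.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@company.com",
    # Look-alike domain registered by the scammer, with its own perfectly valid records.
    "c0mpany.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.c0mpany.com": "v=DMARC1; p=none",
}


def parse_tags(record):
    """Parse 'tag=value; tag=value' records (the DKIM and DMARC syntax)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real receivers use
    the Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def spf_check(sender_ip, mail_from_domain, dns=DNS_TXT):
    """'pass' if the connecting IP matches an ip4 mechanism, else the result named by
    the trailing -all / ~all. include:, a, mx and redirect= are not handled here."""
    record = dns.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
        if mech == "-all":
            return "fail"
        if mech == "~all":
            return "softfail"
    return "neutral"


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact domain match,
    relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_record(from_domain, dns=DNS_TXT):
    """Look up _dmarc.<From domain>, falling back to the organizational domain."""
    for name in (from_domain, org_domain(from_domain)):
        tags = parse_tags(dns.get(f"_dmarc.{name}", ""))
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS_TXT):
    """Return (passes_dmarc, disposition). DMARC passes when SPF *or* DKIM passed and
    that identifier aligns with the From-header domain; otherwise the published
    policy (none / quarantine / reject) becomes the disposition."""
    tags = dmarc_record(from_domain, dns)
    if tags is None:
        return False, "no-policy"  # no DMARC record: receiver applies no policy
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "deliver"
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]  # sp= overrides p= for mail from a subdomain
    return False, policy


if __name__ == "__main__":
    # Exact forgery of company.com sent from the scammer's server: SPF fails, no DKIM.
    spf = spf_check("198.51.100.7", "company.com")
    print("forgery:   ", spf, evaluate("company.com", spf, "company.com", "none", ""))
    # Genuine mail from the company's own range, DKIM-signed with d=company.com.
    spf = spf_check("203.0.113.10", "company.com")
    print("genuine:   ", spf, evaluate("company.com", spf, "company.com", "pass", "company.com"))
    # Look-alike domain: the scammer's own records pass every check. DMARC cannot catch this.
    spf = spf_check("198.51.100.7", "c0mpany.com")
    print("look-alike:", spf, evaluate("c0mpany.com", spf, "c0mpany.com", "none", ""))
```

The three scenarios in the main block are the ones that matter for BEC: an exact forgery of your domain is rejected because the policy says p=reject; genuine mail passes because DKIM’s d= domain aligns with the From domain; and the look-alike domain passes because the scammer controls its DNS. Note also the effect of adkim=s in the constructed policy: a signature with d=mail.company.com would not align strictly with a From of company.com, which is why many organizations start with relaxed alignment and tighten later.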

4. Use Multi-Factor Authentication to Avoid Phishing Attacks

If a phishing attack succeeds in stealing an employee’s username and password, multi-factor authentication can still prevent the attacker from using them to get into your email and other systems. With multi-factor authentication, a login requires something in addition to the password, such as a one-time code, an approval on another device or a hardware security key. Where you have the choice, prefer phishing-resistant methods such as hardware security keys (FIDO2/WebAuthn): one-time codes and push approvals can be relayed through a fake login page or approved by a hurried employee, although any second factor is far better than a password alone.

5. Create a Phishing Training and Awareness Program

Training is the best way to prevent a BEC attack at your small business. Your training program should include:

  • Education on the definition of phishing attacks with examples.
  • Regular testing of employees’ knowledge.
  • Resources and information on what employees should do if they think they’ve fallen for a phishing attempt.

You may also want to have additional trainings for executives and finance teams, as they’re often targets for BEC attacks.

There are also different training tools you can use. Some software vendors offer free phishing simulation tools that you can use as part of your ongoing training. Test your employees (and yourself) to see how well everyone does, and then go over the red flags that people missed. Include malicious attachments and links in those tests, not just wire requests: many scammers start an attack by tricking someone into installing malware that they can use to take over or monitor an email account.

What to Do If You’re the Victim of a BEC Attack

After a BEC attack, immediately contact your financial institution to ask whether it can reverse or recall the transfers or payments; the sooner you call, the better the chance the funds are still recoverable. Work with your IT team to make sure your devices and accounts are secure. That may involve changing passwords, signing out all active sessions and checking the affected mailbox for forwarding or inbox rules the attacker may have added to hide their activity. You should also notify your insurance provider as soon as possible. The quicker your insurance company receives your claim, the better the chance of limiting unnecessary losses.

Additionally, report the incident to the FBI’s Internet Crime Complaint Center (IC3). Include as many details as possible, such as the sender addresses, the receiving bank and account details and the dates and amounts involved, as the reports help the FBI track and stop these types of crimes.
