You don’t need to run a multinational corporation for criminals to target your organization. And, as a small business owner, staying informed of the latest scams can be important for the future of your company.
The FBI’s 2021 Internet Crime Report lists business email compromise (BEC) as a top incident type for the year and calls it one of the most financially damaging online crimes. There were nearly 20,000 related complaints, and businesses lost almost $2.4 billion to these scams in 2021 alone.
What Is Business Email Compromise?
Business email compromise is a scam that targets businesses rather than individuals — although there are similar types of consumer-focused scams called email account compromises. And while BEC always involves taking over or imitating a business email account, the scheme can play out in several ways.
For example, the scammer might take over or spoof (imitate) an email from an executive. They might then reach out to an employee on the finance team with an urgent request for a money transfer and have funds sent directly to the scammer’s account. Or, the “executive” might ask an employee to buy and send them gift cards, which they can quickly cash out or resell.
In some BEC schemes, the criminals attack from a different angle. Rather than targeting your business directly, they could compromise a vendor’s email account and monitor the email account activity. After the vendor sends you a legitimate invoice, the scammer quickly follows up as the vendor, apologizes for a mistake in the payment information and asks your team to send the payment to a different account.
BEC isn’t always about the money transfers, either. Some BEC attackers might be after your employees’ personal information or data about the company, which they can then sell on the dark web or use as the basis for a different attack in the future.
What could happen if you’re targeted?
Unlike the scam emails that get sent to thousands of people at a time, the criminals running BEC schemes often conduct well-researched and coordinated attacks.
For instance, the scammer might spend days learning about you and monitoring your social media account activity. They might even wait until you’re at a conference before springing into action, and they can use the trip as the basis for an urgent request. They might pose as you and send an email with an urgent wire transfer request — you just signed a deal and need the money right away. If your team responds, you might be out tens of thousands of dollars.
And just as successful businesses often have to pivot to address changing circumstances, scammers are also quick to test new methods. In February 2022, the FBI warned about the rise of BEC schemes involving virtual meeting platforms during the previous three years. The scammers send a meeting request as the CEO or CFO of a company, use deep fake audio to replicate the executive’s voice and then request a funds transfer during the meeting or in a follow-up email.
How to Protect Your Business From BEC
The somewhat good news is that BEC schemes are more likely to target large companies that frequently handle a high volume of invoices than small businesses. Still, it’s best to be prepared.
Teach Employees to Spot Scams
Many BEC scams are difficult to catch because they rely on a mixture of technological know-how and social engineering — the psychological manipulation of someone. That’s why ongoing training can be an important part of your defense.
Make sure your employees can recognize red flags, including:
- There’s a look-alike or different reply-to address. Scammers might send an email from an address that looks very similar to your company’s email, such as email@example.com instead of firstname.lastname@example.org. Or, they can make the from-address look exactly like your company’s, but the reply-to address is the scammer’s email account.
- Short messages that create a sense of urgency. A low- or mid-level employee might want to quickly and unquestioningly respond to urgent requests from an executive. But make sure everyone knows it’s okay to ask questions when there’s a request for money or personal information.
- A need for secrecy. The scammers could also use a false pretense to keep recipients from asking others for advice. For example, the scammer might ask your assistant to buy 15 gift cards and not tell anyone because they’re going to be surprise thank you gifts for the team.
- Unusual timing. The attack could start during off-hours or a holiday, which plays into the idea that it’s an urgent request and could keep the recipient from verifying details with others.
- Requests for changing account information. A change in the payment instructions, direct deposit forms or other account information could be legitimate, but it’s also a red flag. Try to verify the request by phone using a number that’s not listed in the email.
You also may want to hold additional training sessions for executives and finance teams, as they’re the most likely targets for BEC attacks.
Use Technology to Your Advantage
While enterprise-level security systems might be outside your budget, you can use tech to help.
- Set up your email service to flag emails when the from and reply-to addresses are different.
- Add two-factor authentication to your company’s email accounts to help keep attackers from taking over the accounts.
- Keep your business machines’ operating systems updated with the latest security patches.
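As an added example (not from the original article or any particular email product), the script below shows the two header checks described above: the look-alike sender domain from the red-flag list and the mismatch between the from and reply-to addresses that you can ask your mail service to flag. It assumes the company’s real domain is example.org and uses a constructed sample message.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.org"  # assumption: the organization's real domain

def _domain(addr):
    """Lowercase domain part of an address header, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def _edit_distance(a, b):
    """Levenshtein distance; a small non-zero value suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_headers(raw_message, company_domain=COMPANY_DOMAIN):
    """Return the red flags found in the message headers (empty list if none)."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    if from_dom and from_dom != company_domain:
        # Catch both a swapped TLD (example.com) and a typo (examp1e.org).
        same_label = from_dom.split(".")[0] == company_domain.split(".")[0]
        if same_label or _edit_distance(from_dom, company_domain) <= 2:
            flags.append(f"sender domain {from_dom} looks like {company_domain}")
    return flags

# Constructed sample (not a real message): a spoofed "CEO" with a foreign Reply-To.
SAMPLE = """From: "CEO" <ceo@examp1e.org>
Reply-To: payments@mail-relay-example.net
Subject: urgent wire

Please wire the deposit today and don't mention it to anyone yet.
"""

if __name__ == "__main__":
    for flag in check_headers(SAMPLE):
        print("RED FLAG:", flag)
```

A mail filter rule that quarantines or labels messages returning any flag gives employees the visual cue the article recommends; a message from the real domain with no Reply-To header returns no flags.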
Scammers may also start an attack by trying to trick someone into installing malware that they can use to take over or monitor an email account. Some software vendors offer free phishing simulation tools that you can use as part of your ongoing training. Test your employees (and yourself) to see how well everyone does, and then learn more about the red flags that people missed.
Review Your Invoice Payment Processes
Take a close look at who is authorized to make payments or transfer funds on behalf of your company, and how you might want to change these with BEC in mind. For instance, you might require additional approvals for invoices above a certain amount or before changing the recipient’s account information.
What to Do If You’re the Victim of a BEC Attack
After a BEC attack, immediately contact your financial institution to see if it can reverse the transfers or payments. You can also work with your IT team to make sure your devices and accounts are secure — that may involve changing passwords and updating security measures. Additionally, report the incident to the FBI’s Internet Crime Complaint Center. Include as many details as possible, as the reports can help the FBI track and stop these types of crimes.