Beware of business email compromise

Running a business is no small feat, and you’re seeing yours through a global pandemic! We applaud all of you who have found ways to keep humming along despite the many obstacles (and rewards!) of managing a remote workforce — and are continuing to do so. Unfortunately, one of those obstacles is the increase in scammers who are taking advantage of displaced workforces. One key example: There’s been a marked increase in business email compromise scams over the past year. With that in mind, we decided now was the perfect time to share more about this threat to your company, accounts, and data. Let’s dive in.

What is BEC?

Business email compromise, or BEC, is a type of phishing attack in which an attacker hacks into a corporate email account. By posing as your company’s owner (whether that’s you or someone else), an executive staff member, or a regular vendor, the hacker sends emails in an attempt to convince the email recipient(s) — often an employee who might feel too intimidated to raise questions — to pay invoices, transfer funds, purchase goods, or provide confidential information. By spoofing a trusted entity, the attackers can easily capture the funds or data requested because it’s offered up willingly by your unsuspecting employee.

This type of attack is also known as CEO fraud, because the scammer may pose as your company’s CEO (a popular guise), or email account compromise (EAC), as the requests come via email. Regardless of what you call it, the process is pretty much the same.

Cybercriminals like to use an email feature called “auto-forwarding email rules,” which allows the owner of an email address to set up “rules” that forward (or redirect) an incoming email to another address if certain criteria is met. This way, they can view incoming emails without having to log into an account each day and possibly trigger a login security warning. This means they are able to divert, or “fork,” conversations from compromised accounts to impersonated ones.

In CEO fraud, the criminals might send a few conversational emails back and forth to build trust but will inevitably make a frantic request to come to their aid — e.g, asking the target (your employee!) to make a payment to a different bank account or to purchase gift cards and send them the card details. It’s always urgent, and the request is usually accompanied by a plausible reason for skipping protocol. They might be “in a meeting” and can’t be disturbed — a deterrent to confirming the request — or ask for secrecy because the purchase is a gift. Your employee is unlikely to question the request because they believe they are communicating with a company executive.

Invoice and payment fraud is popular with scammers because they have the opportunity to score big — often with minimal effort — resulting in significant loss to your business of money, goods, or services. This kind of email spoofs vendors, including well-known ones, to catch the attention of the recipient. And because you’re often contending with a plethora of vendors and invoices in your day-to-day business, the chances of a phony invoice getting paid are pretty good, especially with employees working remotely and with less direct team communication. It’s easy to assume that the vendor on the other end of the email thread is who they say they are: a person or company you've known and communicated with for some time. An invoice comes through from a vendor you think you know or from a recognizable name (like Zoom, PayPal, Amazon, etc.) and chances are, it’s going to move on through the accounts payable process.

How can you protect yourself?

When it comes to preventing attacks from hackers, spoofers, scammers, or others whose intent is much more serious than their names would lead us to believe, the first strategy is a good offense — starting with awareness and education for all your employees, followed by excellent communication and a built-in system of checks and balances when addressing requests or paying invoices.

Speaking of awareness and education, it’s also important to be extra mindful of email headers and where the request is coming from. And especially for accounts payable departments or anyone dealing with invoices, it’s wise to inspect changes to financial processes and follow up on all suspicious emails with a verification phone call.



Additionally, multifactor authentication (MFA) is another key security feature to improve your business’s email security. We recommend you also check with your vendors and other trusted third parties you work with to ensure their business email systems include MFA. By being aware of trending scams and promoting safe practices within your business, you and your employees can protect your assets from business email compromise as well as other types of cybercrime.

One last pointer: Read TechRepublic’s recent article on business email compromise, “Business email compromise scams proved costly to victims in 2020.”

Have questions? We’re here to help! Contact Treasury Management at 402.323.1557 or visit our Treasury Management page.