Business email scams and the tricks to be aware of
There is a devious type of scam out there that the FBI refers to as Business Email Compromise (BEC) scams.
Since January 2015, more than 22,000 businesses worldwide have fallen victim to them and cybercriminals have used them to steal more than $3.1 billion from businesses.
But, they’re not high-tech ransomware programs. In fact, they’re quite low-tech. They’re just extremely well crafted. Each BEC email is carefully tailored to the business it is targeting. Cybercriminals spend a lot of time developing each one to a level where they hope their legitimacy won’t be questioned.
How BEC emails are made
Like regular con-artists, the digital con-artists who create BEC scams use a number of techniques to get information. First, they study their victims. As part of their study, they may send out phishing emails that request details about the targeted business or individuals employed there. The phishing emails might install malware to obtain sensitive business information, such as financial account records. The cybercriminals also use social engineering techniques, such as calling the business or scouring social media websites for information, including LinkedIn and Facebook.
Once they have the information they need, they create the BEC email, trying to get the words and graphics to look as legitimate as possible. They often disguise themselves as a supplier or another service provider that the business deals with.
5 ways that BEC scammers attack
Upon analysing the 22,000 worldwide victims of BEC scams, the FBI discovered five main ways that BEC scammers attack:
1. Posing as a business executive requesting a wire transfer
The scammer hacks the email account of a business executive and uses it to send an email requesting the transfer. The emails are usually sent to the individual employees who normally process such requests, but are sometimes sent directly to financial institutions. The FBI investigation found that these emails are usually sent when the executives are on business trips.
2. Disguised as a manager requesting personal details
Again, the scammer hacks the email account of a business executive, this time using it to send an email to the company’s HR or Accounts staff requesting personal information about specific employees. In the United States, these emails were used to get employees' W-2 tax information.
3. Pretending to be a supplier requesting payment of an invoice
The scammer identifies a supplier that a targeted business has used for a long time, then learns who is responsible for processing payments to that supplier. The scammer sends that person a legitimate-looking invoice, which includes an alternate, fraudulent account.
The scammer identifies someone in the targeted business who works with vendors. They
hack that employee's email account and use it to request invoice payments for specific vendors. This scam is most successful when employees use their personal email accounts for business and they have the vendors listed in their contact list.
5. Undercover as a lawyer or law firm requesting a fund transfer
The scammer emails or calls a manager or employee of a targeted business and claims to be handling confidential or urgent legal matters. They pressure the person into transferring money quickly and discretely.
5 ways to avoid falling victim to a BEC Scam
Anyone at any level in your business can be targeted by BEC scammers. Educate everyone in your business about the five scam scenarios explained above. They should also be familiar with the nine ways to identify a phishing scam, as cyber-attackers often use them as the first step to creating BEC emails.
Here are five more tips for everyone to follow to avoid falling victim to a BEC scam:
1. Do not use free web-based email accounts for business
The FBI found that scammers often target businesses using Hotmail and Gmail email accounts.
2. Use two-step verification for business email accounts
Also known as two-factor authentication, this makes these accounts much more difficult to hack.
3. Be careful about what goes online
For instance, avoid uploading job descriptions or organisational charts to your company website, as this information might help scammers identify the best person to target.
4. Encourage employees not to put their work details on social websites
Scammers scour social media, including Facebook and LinkedIn, for information about businesses and their employees.
5. Use anti-malware software and keep your systems up to date
Cybercriminals sometimes send phishing emails to install malware and get information for BEC scams. Malware usually relies on known vulnerabilities of software to access computer systems.
About the Author
Geoff Stewart is a highly experienced and skilled Technology Director at Surety IT. His knowledge is based on years of industry experience having created customised, stable, well performing systems both for multi-national companies in the UK and Australia and Surety IT customers.
Surety IT can help you create the right system to enhance your business, ensuring you know how it is right for you and how to use it. We will tailor a solution to suit your needs with leading systems, local support and more, building your vision for a more flexible and capable business.
Call us today on 1300 478 738 or email firstname.lastname@example.org to discuss your requirements.