It is not uncommon for businesses to communicate with their customers directly through their own email system. Especially for small businesses, email with customers and suppliers is a means of survival. The smaller the business, the more informal and personally crafted its emails tend to be, often because one or two trusted employees, or you as the business owner, manage the mailbox. However, these small, personally managed systems have become targets for cybercriminals and fraudsters. Business Email Compromise (BEC) is the culmination of several malicious practices working in tandem, which makes it one of the most complex and difficult cyber threats to stop. BEC can be a debilitating blow to businesses of all sizes, and the financial losses recorded from past BEC attacks have been stunning.
The survival of your small business rests on your relationships with your best customers and suppliers. Therefore, it is essential that every small business that operates an email system knows and understands the warning signs of BEC in order to preserve your business’s reputation, its financial stability, and the financial stability of its customers and suppliers.
What is a business email compromise?
Business email compromise is a complex and multi-phase type of phishing cyber scam. The most typical BEC attacks involve this common set of triggers and events:
The fraudster finds a suitable business account to infiltrate: The main targets of BEC scammers are small and medium-sized businesses that communicate with customers and suppliers via email. In addition, fraudsters will look for companies with readily available public information that confirms the identity of important figures in the company, as well as companies that regularly accept electronic transfers.
Spear phishing and grooming: Once the fraudsters have chosen a target business, they launch an initial attack, trying to gain access to the company’s email or to adjacent resources such as shared calendars or other sensitive information. This initial attack is commonly referred to as spear phishing: emails sent to the business that impersonate an employee, customer or supplier. Depending on the sophistication of the attack, fraudsters can do a wide range of damage in this phase alone, from quietly gathering information to full system compromise, and this opening move will likely set the tone for the rest of the attack.
Unless the phishing attack uses malware to extract information directly from the mailbox, more socially oriented attacks will try to groom your employees into releasing private information (credentials, account details, internal procedures) so the attackers can get into the email system itself. Phishing techniques include impersonating IT support, colleagues, or any other trusted organisation that staff would hand information to without question.
Scammers impersonate the target business and demand wire transfers from customers: Once scammers have entered your email system through one of several known routes, they will likely lie dormant for weeks or even months. During this time they study the target business’s communication style and copy any letterhead or email signatures. Once the fraudsters are confident that they can convincingly imitate your business’s communication style, they send an email to one of your customers or other financial partners asking for a wire transfer, typically to an account the fraudsters control.
The previous step is repeated until the target business detects the scam: Successful BEC attacks are deliberately difficult to detect, and in businesses with poor internal communication they can run for months. Even if the fraudsters are detected and locked out of your system, the chances that money already sent electronically will be returned to its rightful owner are extremely low.
Protecting your business from BEC
Clear rules for bank transfers: Given that fraudsters often come to know the target business as well as the actual business owner does, they will bend and twist existing rules to their advantage whenever possible. Consider establishing a universal rule for your business that every financial transaction, and every change of payment details, is verified and confirmed in person or by telephone on a number you already have on file, not one taken from the email itself. A scam loses most of its persuasive power when the fraudster has to make that phone call, though no single control will hold up forever and the rule should be reviewed as the business changes.
Talk to the appropriate staff about the warning signs of BEC: BEC scammers thrive on businesses with weak or patchy internal communication. Set up regular meetings with the staff who manage your email and digital communications, with the specific purpose of assessing how well you would stand up to an attack. In particular, agree in person, not over any digital channel, on code words and passphrases that are never written down online, which trusted employees can use among themselves when dealing with sensitive information or financial details.
Email attachments: Email attachments are one of the most common ways scammers infiltrate businesses. This has been true since attachments first appeared, and malicious ones have become increasingly hard to detect over time. A single click on an attachment or download link in an email is all a scammer needs to deploy multi-stage malware on your system. For this reason, avoid opening unexpected attachments where possible, and consider adding a security-focused browser extension to your work systems to further isolate your workstations.
Two-factor authentication: For those BEC operations that do not rely on deception alone but actually infiltrate email systems, two-factor authentication is a powerful preventative measure. With it enabled, it becomes very difficult for a remote fraudster who has obtained a password to log into your email system, because they would also need to authenticate on a second device. Set up two-factor authentication for the business accounts using an on-site mobile phone or one tied to the business owner’s mobile phone.
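As an added example that is not part of the original article, the following Python script turns the warning signs described above (a sender domain that looks almost like a trusted partner's, a Reply-To that points somewhere else, and wire-transfer or urgency language) into a simple check that a small business could run over inbound mail before anyone acts on a payment request. The trusted domains, the phrase list and the two sample messages are constructed for the example; a real deployment would use the business's own partner list and treat a non-empty result as a trigger for the phone-call verification rule, not as proof of fraud.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains the business really exchanges invoices with.
TRUSTED_DOMAINS = {"acme-supplies.example", "ourcompany.example"}
# Constructed: phrases that typically accompany a BEC payment request.
WIRE_PHRASES = ("wire transfer", "new bank account", "updated banking details",
                "urgent", "before end of day")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (one or two characters off)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    """Return a list of human-readable warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    findings = []
    # 1. Sender domain is not trusted but is within two edits of a trusted one.
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_domain, trusted) <= 2:
                findings.append(f"look-alike sender domain {from_domain} ~ {trusted}")
    # 2. Replies would go to a different domain than the one shown in From.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 3. The body asks for a payment or a change of bank details, often with urgency.
    hits = [p for p in WIRE_PHRASES if p in body]
    if hits:
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings

# Constructed samples: one impersonation attempt (note the 'i' for 'l'), one genuine invoice.
SUSPECT = ("From: Acme Supplies Billing <billing@acme-suppIies.example>\n"
           "Reply-To: <billing@mail-acme.example>\n\n"
           "Please process the wire transfer to our new bank account before end of day.\n")
GENUINE = ("From: Acme Supplies Billing <billing@acme-supplies.example>\n\n"
           "Attached is the invoice for April, payable to the usual account.\n")

if __name__ == "__main__":
    for name, sample in (("SUSPECT", SUSPECT), ("GENUINE", GENUINE)):
        print(name, bec_indicators(sample) or "no indicators")
```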
Every business is a target
Lack of uniform knowledge and education about BEC is the fraudsters’ best weapon. While large corporations have notoriously hardened systems and dedicated teams of professionals who monitor them for breaches, small businesses do not. Even businesses that do not run a dedicated email system can be targeted by BEC through impersonation, because it is their customers and suppliers who receive the fraudulent requests. It is critical that every small business owner understands that, regardless of industry or size, they can fall prey to fraudsters and cybercriminals like anyone else. Knowing the warning signs and treating unexpected payment requests with the utmost suspicion is all it takes to move your business from vulnerable to prepared when operating in the digital space.