What is Business Email Compromise and How Can It Affect Me?

Oct 5, 2020 | Cybersecurity

Running a small business can be hard on its own, but running a small business in the middle of a pandemic? Even harder. How about running a small business in the middle of a pandemic when cyberattacks are constantly increasing? That could be your biggest struggle yet.

You may not know how to protect yourself from cyberattacks or how to identify one. Cyberattacks come in many forms, including phishing emails, ransomware, and data leaks. Often, the attacker's initial foothold comes from a business email compromise scam.

Business email compromise (BEC) is a type of cybercrime that uses email fraud to attack organizations of all kinds to negatively impact their operations. These emails are often sent by criminals, but they appear to come from a legitimate source. Often these emails pose as a company you communicate with frequently to increase the likelihood that you’ll interact with them. In other cases, the impersonator pretends to be someone within the organization, usually someone high-ranking like a CEO or executive. For the most part, these attacks target specific employee roles within an organization with the goal of stealing money or sensitive information.

Some examples of BEC attacks include invoice scams and phishing attacks. Others can come in the form of spoofing, spearphishing, and malware.

How Do Cybercriminals Carry Out a BEC Scam?

  1. They identify their target, figuring out which person or company they can exploit, and then they develop a profile on that entity.
  2. They groom the target, sending phishing e-mails or fraudulent phone calls to try to trick the victim with pressure or persuasion.
  3. The victim exchanges information with the scammer after being convinced.
  4. The wire transfer is performed, and the scammer makes off with the money.


There are steps you can take to protect yourself and your company from BEC attacks. A basic rule of thumb is to be careful with the information you share online because scammers can steal this information to guess your passwords or security questions. Another step you can take is to carefully look over email addresses and URLs to make sure they are spelled correctly. There are other steps you can read about from the FBI to further protect yourself from unwanted attacks.

How to Protect Yourself

  1. Be selective with the information you share online. Even small items can be used to complete a profile about you or help a scammer answer your security questions.
  2. Don’t click any links without verifying the source. Unsolicited messages about updating or verifying account information should be viewed with particular scrutiny. Look up the company’s phone number yourself and call them directly to ask whether a request is legitimate.
  3. Examine email addresses and URLs carefully. Scammers use typos you overlook to trick you. Spelling errors are another red flag.
  4. Beware of attachments and be careful downloading anything. If you don’t know the sender, don’t open the attachment. Always confirm a sender’s identity before downloading something they sent you.
  5. Enable two-factor authentication on every account that lets you. Never disable it. This is one of the best ways to stop email compromise in its tracks.
  6. Verify requests for payments in person or over the phone. Also verify changes in account numbers or payment procedures with the person who made the request. Do not take action based solely on an email!
  7. Be wary of urgent requests. As part of social engineering, scammers try to make you act without thinking by making their demands sound critical and time sensitive.
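As an added example (not code from the original post), here is a small Python triage script that checks a message for the red flags listed above: a sender domain that is a near-miss of a trusted vendor domain, an executive’s name on an outside address, a Reply-To that differs from the sender, and urgent payment language. The trusted domains, executive list and sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed for this example: domains you normally do business with,
# and the real mailbox of each executive whose name might be impersonated.
TRUSTED_DOMAINS = {"acmesupply.com", "example-corp.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|invoice|bank account|routing number|payment details)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; a lookalike domain is usually 1 or 2 edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(msg):
    """Return a list of human-readable red flags found in one message dict."""
    flags = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()
    # Lookalike domain: close to a trusted domain but not identical to it.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(domain, trusted) <= 2:
                flags.append(f"lookalike domain {domain} resembles {trusted}")
    # Display-name impersonation: a known executive's name on the wrong address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"executive name '{name}' sent from {addr}")
    # Reply-To pointing somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("reply-to", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"reply-to {reply_to} differs from sender")
    # Urgency combined with money or bank-detail language.
    text = msg["subject"] + " " + msg["body"]
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent payment language")
    return flags


SAMPLE_MESSAGES = [  # constructed sample input
    {"from": "Acme Supply <billing@acmesupp1y.com>",
     "subject": "URGENT: updated bank account for invoice 1042",
     "body": "Please wire payment today to the new routing number attached."},
    {"from": "Jane Doe <jane.doe@freemail.example>", "subject": "Quick favor",
     "body": "Are you at your desk? I need a wire sent immediately."},
    {"from": "Acme Supply <billing@acmesupply.com>", "subject": "Invoice 1042",
     "body": "Attached is this month's invoice. Thank you for your business."},
]
```

Run `bec_indicators` over each entry in `SAMPLE_MESSAGES`: the first two are flagged, the genuine vendor invoice is not.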


If your employees don’t know what to look out for, they may be susceptible to these cybercrimes. This is especially hard for small businesses because attacks like these can be very financially damaging. Trend Micro reports that in 2016 the average loss from a BEC attack was $140,000. These attacks can also disrupt work and cause significant downtime that can be very costly to a small business. In this case, training your employees on what to look out for and which links not to click may be a good place to start.

In fact, cybersecurity training has proven to be effective at reducing the impact of email scams. According to the 2014 State of Cybersecurity Survey, the average financial loss for companies that had conducted security awareness training was $162,000. Conversely, companies that had no employee training had an average loss of $683,000.

For extra help, small businesses can look to hire a managed service provider (MSP) to protect them from future attacks. An MSP monitors client endpoints, networks, and servers, and can set up firewalls and mail filtering so malicious emails are detected and routed to the spam folder. Enabling 2FA is another great way to protect your data with an extra layer of security, and your MSP can help guide you through that process.

When working with an MSP you can save money with predictable monthly costs instead of a large expense out of nowhere when something breaks or when your systems become compromised.

An MSP like Machado Consulting can help train employees to be safe, filter email inboxes, and strengthen the overall security of your business.
