How to Avoid Business Email Compromise Attacks

For as long as businesses have used email in their financial processes, criminals have tried to exploit it. Email scams are nothing new, but the threats they pose to companies are constantly growing and evolving as attackers’ methods grow more and more sophisticated.

Business email compromise (BEC), for example, poses huge threats to companies large and small. Also known as “man-in-the-middle” attacks, these schemes involve using hacked or spoofed email accounts as part of their financial social engineering efforts: Criminals use compromised addresses, phished credentials, or look-alike accounts to trick business stakeholders into completing fraudulent transactions—often by communicating in a way that makes such transactions seem both urgent and important.

BEC may sound like a low-tech kind of cybercrime, but that’s partly why it’s so hard to fight (and so common across industries). It’s also growing more sophisticated as criminals look to hide their efforts from their victims by taking advantage of email system features such as auto-forwarding functions, establishing rules to send emails related to the scam to hidden folders, or creating fake email chains using subject lines with “Re:” or “Fwd:.”

Companies can be slow to realize they’ve been defrauded through BEC, and often reticent to report it once they do. But in recent years, more and more companies are realizing (and admitting) they’ve been impacted.

According to FBI data, there was a 100% increase in identified global exposed losses due to BEC and other email account compromise (EAC) scams between May 2018 and July 2019, with BEC incidents reported in all 50 states and in 177 countries. Over the last several year period leading up to July 2019, companies lost at least $26 billion to such attacks. And in 2019 alone, BEC attacks led to nearly $1.8 billion in losses—totaling more than half of all losses due to cybercrime ($3.5 billion).

Facing a Cross-Industry Problem

No two BEC scams are exactly alike, and both small businesses and big companies can be targets. Manufacturing and construction firms are most commonly affected, in terms of industry, but organizations across all sectors are regularly impacted by BEC. No one is immune.

In recent years, for example:

• Two of Puerto Rico’s government-owned corporations sent over $4.1 million combined to the fraudulent accounts of BEC scammers in December 2019 and January 2020. The criminals had infiltrated the email system of the island’s Employee Retirement System (ERS) and sent messages to the agencies claiming that ERS’ bank account information had changed.
• A Chinese venture capital firm lost $1M in 2019—intended for an Israeli startup it was investing in—to scammers who used lookalike emails to communicate with parties on both sides of the transaction.
• After their CFO plugged his Microsoft credentials into a phishing URL, Unatrac Holding Limited (UK-based export sales office for the construction equipment company Caterpillar) fell prey to a fake-invoicing scheme—issuing 15 fund transfers totaling nearly $11M in losses.
• Scott County Schools in Kentucky lost $3.7M in 2019 in a vendor-payment scheme that included forged documents attached to emails. Criminals stole $1.75M from St. Ambrose Catholic Parish in Ohio using similar tactics just weeks later (tricking Church leaders into thinking that the construction firm it was working with had changed its bank account).

The threats of BEC attacks also extend further than just the financial losses.

BEC scams succeed because they target specific individuals in the business, and use what they get from those targets to extract more—more sensitive information (or more emails about it), more system or account credentials, and so on. The communications may lead to a single transaction, or drag out the conversations to manipulate people into offering up more compromising information.

C-level executives are hardly the only ones targeted, either. In fact, research showed that BEC attacks on C-Suite executives decreased by 37% in the first quarter of 2020 compared to the final quarter of 2019. BEC criminals are more interested in the finance employees who handle day-to-day transactions. (Attacks on finance employees shot up by more than 87% in Q4 2020.)

Other common targets include HR professionals, IT staff, payroll teams, and anyone else who may have information or access to documents that BEC scammers want to obtain.

Depending on what that information is, BEC attacks can lead to further data breaches and/or the exposure of customers’ personal or financial details. This can be especially damaging for companies in regulated markets like finance and healthcare, as they are subject to steep fines (and the potential for major reputational damage) in the event of such security incidents.

Best Practices to Avoid Business Email Compromise Attacks

Since BEC scams are getting more sophisticated all the time, staying ahead of email-security incidents starts with training, and continues with technology.

For starters, following know-your-customer rules and applying dual approval procedures to most transactions can lower the risk of BEC incidents succeeding.

Companies should have strong policies and procedures in place around how to handle high-risk transactions. Invoices, high-dollar ACH payments, and wire transfer requests are especially worthy of scrutiny, by two or more individuals, for their legitimacy. (In Q3 2020, attacks that employed invoice or payment fraud jumped by 155% over Q2.) Any updates to payment or contact info, or changes in account numbers, should also be reviewed by two or more individuals.

Companies must also ensure that all employees who access sensitive data or authorize transactions are trained on basic email-security best practices, such as not clicking unknown links, and that they understand what a BEC attack looks and feels like. Close-reading the ‘from’ and ‘reply-to’ addresses on any emails related to things like payment requests or log-in information, and avoiding clicking any documents from unknown senders, are especially important.

Employees close to the business’ finances should be also advised to limit the amount of information they share on social media about their roles in the company, since criminals scour social media for BEC targets.

Requiring multi-factor authentication for logging into email and other web-based systems can limit the potential for account takeovers, as well, but it isn’t a foolproof hedge against credential theft (which is rising, according to Verizon). Experts advise IT leaders to monitor accounts and test internal teams with simulated phishing and other malicious email scams regularly to learn which staff members are most prone to falling for a scam (and thus most in need of extra training).

IT systems that monitor for common BEC keywords (like “important” and “urgent”) can also help by firewalling problematic emails or flagging certain ones for multi-party review.

Staying Prepared for the Future

Email scams are, unfortunately, here to stay. In fact, BEC efforts will likely become vehicles for even more complex attacks in the years to come—as emerging trends like deepfake audio and others combine to create new threats.

As those threats emerge, innovators will create tech-driven countermeasures to combat them. Already, companies offer artificial intelligence (AI) and machine learning tools aimed at the BEC problem; startups are also exploring how new approaches to data science can assist with prevention and detection.

However even as the technology advances, there’s no substitute for sound education and awareness programs, well-defined policies and procedures, and establishing a strong culture of mindful scrutiny around high risk activities like payments. A strong culture of diligence in these areas is a company’s best protection against CEO fraud and the impact it can have on your company’s success. Contact your Treasury Management Officer, Relationship Manager or Find a Banker, to learn more.