How to Prevent Business Email Compromise
Cybercriminals are on the hunt for a large payout, and email is big game; focusing on how to prevent business email compromise should be a priority for every organization.
Why is email such a big target? We tend to forget how much sensitive information we share in our email communications during the course of our busy workdays. To the hacker, that information represents opportunity.
Millions of email accounts are hacked every year. The BIG payoffs, though, come when criminals use their unauthorized access to monitor emails – sometimes lurking in accounts for months – searching for ways to redirect money into bank accounts that they control.
According to a recent FBI report, these Business Email Compromise (BEC) schemes led to $1.8 billion in losses in 2020.
Good news – one person can stem the tide of these costly financially motivated scams. We’ll show you how to prevent business email compromise so you can help protect your organization from criminals. Read on to see how common email scams work – and simple steps you can take to help save your organization from a devastating financial loss.
Four Ways Criminals Get BIG $$ From Your Email
How exactly do hackers convert emails into cold hard cash? Following are examples of the four main types of fund (or wire) transfer scams that are the result of a hacker breaking into an email account:
- Upcoming Transaction: A couple purchased a new home and received an email from the mortgage company confirming the account number for their upcoming deposit. The couple sent the money, but the mortgage company never received it. It turned out that the email and the account number were fraudulent – sent by a hacker who had been monitoring the ongoing email conversations between the couple and their realtor, lawyer, and mortgage company. Unfortunately, this example is not unusual – the FBI reports that real estate email scams totaled more than $210 million in losses last year.
- Payroll Redirects: Criminals redirect an employee’s paycheck so it’s deposited into their own accounts. In one case, a hacker sent a request from an employee’s email account to the HR department requesting to change the employee’s payroll direct deposit to a different (fraudulent) account. The HR department did not have a process in place to verify the change, updated the account information, and sent the funds to the fraudster, not the employee. As you can see, it is crucial that everyone in an organization – not just IT – needs to learn how to prevent business email compromise.
- Fraudulent Vendor Invoices: In these classic scams, the criminal monitors the email communications, finds a real invoice, deletes it, and sends an email that looks like it is from the trusted source but instead has fraudulent wire instructions. In one case, a finance clerk received an invoice in an email that appeared to be from a known vendor. The invoice was fake and so were the wire instructions. The clerk transferred money to the hacker’s account – not the vendor’s.
- Fake Executive Emails: Hackers know that a directive from a high-ranking executive within an organization is frequently followed without too many questions. Commonly, hackers send emails that appear to come from an executive, directing finance clerks to transfer money. All too often, employees fall for the trick and send money to the wrong place. Some scams can be more sophisticated: in one case, a hacker “spoofed” (pretended to be) an executive and emailed a finance employee requesting the customer accounts receivable report, along with customer contact information. The hacker then used that information to email the customers directly about the amounts that they owed – and attached instructions for sending payments to the hacker’s own account.
Programmed to Deceive
Wondering how someone could be tricked so easily into transferring funds? Hackers often gain extensive knowledge from lurking in emails, which they use to craft sophisticated scams that appear legitimate. Some criminals may duplicate company logos and closely copy the formats of invoices or documents in order to make their fake (phishing) emails look real and trick the recipient. This is another reason everyone in your organization needs to learn how to prevent business email compromise – just one person’s mistake can open an organization to ransomware, financial fraud, data theft and much more.
Plus, the recipient expects to hear from someone in the conversation, such as the mortgage company, so foul play usually isn’t suspected until it’s too late.
Red Flags that Indicate Something’s Phishy
Anytime money is involved, keep an eye out for red flags in emails that indicate something isn’t “quite right.” Red flags can include:
- An incorrect sender address
- A reply-to address that’s different from the sender’s
- A sense of urgency
- A last-minute or unexpected change – especially when it involves an account number or bank
How to Prevent Business Email Compromise
If you detect or suspect any strange issues with financial transfers, before you send any money or information:
- Check the email carefully for signs of fraud: Use the red flags (above) to determine if your email or another person’s account could have been hacked and used to glean relevant information.
- Use out-of-band verification: Check to see if a request is legitimate by using a method other than replying to the email to contact the sender. Instead, use telephone, text, or in-person. Don’t use any numbers or links that are provided in the sender’s emails – these may lead directly back to the hacker.
- Watch for signs that your email is hacked: Signs include emails from your account that you didn’t send, messages marked as “read” which you didn’t read, or mail that’s being moved into folders unexpectedly. Remember that it might not be your email that was hacked; it could have been someone else’s in the conversation.
- Use multi-factor authentication (MFA): MFA is an added layer of protection to verify it’s really you who is accessing your account and not a hacker. Most MFA programs ask for two out of three of the following factors:
-
- Something you know – such as a username or password
- Something you have – a physical token or authenticator app for example
- Something you are – such as a fingerprint or retinal scan
An attacker likely will have only one of these factors, such as a password. The extra MFA factor is a simple way to keep hackers out of your account. If MFA is an available setting for your email account, use it!
- Practice good password hygiene: See our password cheat sheet for easy tips on login security. Create unique passwords for different accounts (in other words, don’t re-use passwords) and use a password manager to store your passwords securely in an encrypted vault. Make sure to use MFA and a strong master password to protect your vault.
- Take advantage of available security features: Financial institutions frequently offer MFA to protect online accounts and may also have extra processes that you can take advantage of to minimize fraud. Contact your financial partners to find out how they protect your transactions.
Organizational Strategies to Prevent Business Email Compromise
- Implement MFA for your organization’s accounts to actively thwart email hackers.
- Train your team to identify on how to prevent business email compromise. Check out our free tips sheets on how to stop phishing attacks and how to prevent business email compromise. Feel free to send these tips sheets to your entire team as a first step in free training!
- Establish clear policies regarding fund transfers, payroll changes, etc., for instance:
- Implement out-of-band verification for all fund or account change requests
- Require 2 or more approvals on any financial transfers or account modifications
- Call for professional help if you suspect your organization’s email has been hacked.
Don’t let your email be the victim of a cybercriminal in the hunt for a big payoff. Be proactive – learn how to prevent business email compromise and stay alert for signs of fraud. If you need help creating policies to prevent business email compromise or incident response services if your organization has been attacked, contact us. Our expert team is ready to help.