The Hidden Dangers of Business EmailCompromise
Business email compromises (BEC) are one of the most common ways cybercriminals go about turning your money into their money. Indeed, this nasty piece of cyber crime caused about $2.77 billion in losses in 2024 (according to the FBI's Internet Crime Complaint Center). BEC works by crooks impersonating atrusted person and tricking people into giving up information and/or access. We're going to look at two examples of business email compromise to show how they can cost your business big-time.
The Lurker
This usually starts when a cybercrook gets access to a key employee's email account. Someone responsible for accounting, for example. With this basic access, the hacker just hangs out. . .reviewing emails to learn about your company's key players, your customers, and your vendors. They're looking for who has access to what. And they're keeping an eye on things like conversational tone; how each person phrases things.
Armed with this info, they'll create email rules to move matching legit AP invoice requests to an out-of-the-way folder (so you won't notice their arrival). With the trap set, they only have to wait for legit payment requests to arrive.
Using the legit requests as templates, they'll quickly send fake invoices matching the hidden ones - only changing the account & routing numbers - and allowing those to deliver to the main inbox. So when your customer pays what they think is your invoice, they're actually sending the funds to the bad guys instead of to you.
The Sneaky Sneaker
A while back, the office administrator at one of our clients received an email that appeared to be from one of his employees. It requested the form to change the direct deposit information for the employee’s paycheck. Fortunately, he contacted the employee directly who didn’t know anything about it, stopping the ruse then and there. Had the bad guys been successful and been able to divert the employee’s paycheck, surely the employee would be aware of the problem on payday and reached out to her employer. So the bad guys would have only gotten away with a relatively small sum. But this is the economics of most cybercrime against small businesses. Bad guys aren’t looking for a big score. They’re playing a volume game and targeting thousands of small businesses. They only need a fraction of those to be successful to add up to big money.
Small Businesses Are Prime Targets!
Attackers love small businesses because they usually lack dedicated IT or security teams. They rely on email for almost all vendor and customer communications, and they seldom have processes and controls for approving payments or verifying identity. And most small business staff simply aren't educated on the latest techniques bad guys use. But prevention is possible - and affordable. You don't need a huge budget to make your company an unattractive target. Steps like:
Enabling multi-factor authentication (MFA) on all email accounts.
Ongoing security awareness training to help staff spot phishing and spoofing attempts.
Requiring verification for payment changes (call or text confirmation)
Monitoring your Microsoft or Google environment for suspicious logins or other abnormal activity.
Business email compromise isn't a big company/small company problem. And it doesn't care if you use Macs or PCs. BEC is a people problem. If you're concerned about your risks and need help developing processes to keep your company safe from cyber criminals, call us at 614-218-8798. We'll be glad to help