How Businesses Can Defend Against Business Email Compromise Scams

What are business email compromise scams?

Business email compromise scams are a specific type of crime that relies on social engineering – tricking a target into believing and acting a certain way. In BEC scams, a fraudster attempts to defraud a business by posing as someone a target trusts, such as a company executive. 

The FBI has historically identified five main types of BEC scams, but all the types typically rely on a fraudster gaining access to legitimate business email accounts. These scams also sometimes use email addresses that are made to look like legitimate accounts in a process called “spoofing.” But no matter how a fraudster carries out these attacks, the scams almost always rely on a sense of urgency and appeals to authority. 

For example, a cyberattacker involved in a BEC scam may compromise a company official’s email account and then send an urgent email to the accounting department late on a Friday afternoon. The email may insist that the business’s accountant immediately wire funds to a third-party business partner to complete an ongoing project on time. Of course, the supplied account is actually controlled by the fraudsters, but the unsuspecting employee may believe this is a legitimate request and transfer the money. 

In a new twist, the IC3 said it has observed fraudsters taking advantage of potentially lax remote cybersecurity arrangements to also carry out BEC scams via online meeting platforms. In this variation of the attack, a fraudster would compromise a business leader’s online meeting credentials before inviting a targeted employee to a video meeting. In the meeting, the fraudster would claim to be having audio and visual connection issues before issuing wire-transfer instructions. Indeed, BEC scams were part of a rise in business scams during the COVID-19 pandemic, when more people started working from home. [Related article: Cybersecurity Tips for Working From Home]

How can I prevent business email compromise scams?

Business email compromise scams can be difficult to defend against, as they largely rely on exploiting human psychology rather than technical vulnerabilities. This means that many technological methods of securing computers and other devices or systems from hackers don’t work against BEC scams. [Related article: Is Your Antivirus Software Really Protecting Your Business?]

Even so, being targeted by BEC scams is not inevitable. Some best practices to improve cybersecurity in general can also prevent BEC scams. Even some quick cybersecurity tips that take less than an hour to implement can make a difference.

For BEC scams in particular, these defensive actions can better protect your business:

1. Understand the threat. The first component of a strong defense is simply awareness. Learn how to identify common BEC scenarios and tactics, such as emails with a tone of extreme urgency and impersonations of a trusted vendor or executive. Always check an email sender’s domain name, and never click a link unless you’re sure you are being directed to a secure, authentic website.
2. Educate your employees. It’s not enough for senior executives or IT personnel to understand BEC scams. Train all employees on how to recognize BEC attacks and what they should do if they believe they are being targeted. You could even test their recognition by sending periodic phishing tests. [Related article: How to Protect Your Remote Workers From Cyberattacks]
3. Strengthen your IT department. Consider employing a dedicated cybersecurity professional or offering to fund cybersecurity training for interested IT employees. Many of the best information security certifications include education on BEC scams and how to secure businesses against them.
4. Secure your mailboxes. While BEC scams rely on social engineering, the attacks may start with a fraudster gaining control of a target’s email account. Require your employees to create unique, strong passwords for each account. You could also quash BEC scams by securing your company email accounts and devices with controls like two-factor authentication and virtual private networks (VPNs). The FBI also recommends enabling alerts for foreign logins. 
5. Overhaul your payment processes. BEC scams hinge on manipulating a single authorized employee into sending a wire transfer. You can lessen this risk by building redundancies into the payment transfer process. For instance, develop a protocol for payment approvals, requiring a second employee or executive to validate and approve all money transfers. You should also require employees to confirm money transfers through a second communication medium, such as talking in person or over the phone. 
6. Create a contingency plan. Even with all the proper measures, a company could still fall victim to a BEC scam, so you need a plan for that scenario. This plan should lay out concrete steps, listing who is responsible for immediately contacting the FBI and your business’s financial institution.

What should I do if I’ve been targeted by a business email compromise scam?

If you believe you’ve been the victim of a BEC scam, especially if a money transfer was initiated, it’s important to act immediately. The FBI recommends contacting your business’s financial institution so it can tell the receiving bank to freeze the funds. You should also ask your financial institution to attempt to recall the money.  

The FBI also suggests immediately contacting your local FBI field office to file a complaint with the IC3. The IC3 Recovery Asset Team (RAT) specializes in freezing victim funds that were transferred under fraudulent pretenses. To date, the RAT has a success rate of 74%.

Within your company, you’ll want to assess how many email accounts the attacker targeted and see if they managed to compromise any other systems. You should alert employees to the breach – not to create panic but to reinforce your business’s cybersecurity protocols.  

What is the future of business email scams?

The data from the FBI report makes it clear: Business email scams are increasing. Of course, that doesn’t mean your company is guaranteed to be attacked. But as technology evolves, it’s possible that such internet crimes will become more sophisticated and convincing, making it easier for businesses to fall prey. Still, with the proper procedures in place, businesses can at least get a head start on any attacker trying to defraud them.

In the event of a successful attack on your business, you can mitigate the consequences if you already have a response plan. Read our complete small business guide to cybersecurity for more guidance on preventing and responding to cyberattacks.