Beware of business email compromise

Here’s what you need to know to avoid falling prey to a phishing attack that’s rising in popularity.

February 17, 2021

Running a business amid a global pandemic is no small feat, and we applaud all of you who are finding ways to keep humming along despite the many obstacles (and rewards!) of managing a remote workforce. Unfortunately, one of those obstacles is the increase in scammers who are taking advantage of displaced workforces. One key example: There’s been a marked increase in business email compromise scams over the past year. With that in mind, we decided now was the perfect time to share more about this threat to your company, accounts, and data. Let’s dive in.

What is BEC?

Business email compromise, or BEC, is a type of phishing attack in which an attacker hacks into a corporate email account. By posing as the owner, an executive staff member, or familiar vendor, the hacker sends emails in an attempt to convince the email recipient(s) to pay invoices, transfer funds, purchase goods, or provide confidential information. By spoofing a trusted entity, the attackers can capture the funds or data requested as it’s offered up willingly by the unknowing victim.

This type of attack is also known as CEO fraud, because the scammer may pose as the company’s CEO, or email account compromise (EAC), as the requests come via email. Regardless of what you call it, the process is pretty much the same.

Cybercriminals like to abuse an email feature called “auto-forwarding rules,” which lets the owner of a mailbox set up rules that forward (or redirect) incoming mail to another address when certain criteria are met. Once such a rule is planted in a compromised account, the attacker can read incoming mail without logging into the account each day and possibly triggering a login security warning. It also lets them divert, or “fork,” conversations from the compromised account to an impersonated one.
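A defender's counterpart to the forwarding-rule trick above is a periodic audit of every mailbox's rules. The following script is an added example, not code from the original article: it assumes a rule export in the simple shape shown (mailbox, rule name, forwarding targets, subject conditions, whether the original is deleted), with constructed sample data, and flags rules that forward outside the organisation, target finance-related mail, or hide the forwarded message from the mailbox owner.

```python
"""Audit mailbox auto-forwarding rules for signs of business email compromise.

Added example: the ForwardingRule records below are constructed for illustration.
They mimic the fields most mail platforms expose in a rule export but are not tied
to any specific product's API.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example-bank.com"}                 # assumption: the organisation's own domains
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "ach", "remit"}


@dataclass
class ForwardingRule:
    mailbox: str                      # owner of the mailbox the rule lives in
    name: str
    forward_to: list[str]             # addresses the rule forwards or redirects to
    subject_contains: list[str] = field(default_factory=list)
    delete_original: bool = False     # rule also removes the message from the inbox
    enabled: bool = True


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: ForwardingRule) -> list[str]:
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        findings.append(f"forwards to external address(es): {', '.join(external)}")
    # Whole-word match so that e.g. "teach" does not trip the "ach" keyword.
    words = set(re.findall(r"[a-z]+", " ".join(rule.subject_contains).lower()))
    if words & FINANCE_KEYWORDS:
        findings.append(f"matches finance-related subjects: {', '.join(sorted(words & FINANCE_KEYWORDS))}")
    if rule.delete_original and rule.forward_to:
        findings.append("deletes the original after forwarding (hides the conversation from the owner)")
    return findings


def audit_mailboxes(rules: list[ForwardingRule]) -> dict:
    """Return {mailbox: {rule name: findings}} for every rule with at least one finding."""
    report: dict = {}
    for r in rules:
        f = audit_rule(r)
        if f:
            report.setdefault(r.mailbox, {})[r.name] = f
    return report


# Constructed sample export: one benign rule and two that look like BEC tradecraft.
SAMPLE_RULES = [
    ForwardingRule("cfo@example-bank.com", "Team updates",
                   forward_to=["assistant@example-bank.com"], subject_contains=["weekly report"]),
    ForwardingRule("cfo@example-bank.com", ".",
                   forward_to=["cfo.backup@mail-example.net"],
                   subject_contains=["invoice", "payment"], delete_original=True),
    ForwardingRule("ap@example-bank.com", "Archive",
                   forward_to=["archive@webmail-example.org"]),
]

if __name__ == "__main__":
    for mailbox, rules in audit_mailboxes(SAMPLE_RULES).items():
        print(mailbox)
        for name, findings in rules.items():
            print(f"  rule {name!r}:")
            for finding in findings:
                print(f"    - {finding}")
```

Rules named with a single punctuation character, like the "." in the sample, are worth a second look on their own: they are easy to overlook in a long rule list, which is exactly why an intruder would choose such a name.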

In CEO fraud, the criminals might send a few conversational emails back and forth to build trust but will inevitably make a frantic request to come to their aid — e.g., asking the target to make a payment to a different bank account or to purchase gift cards and send them the card details. It’s always urgent, and the request is usually accompanied by a plausible reason for skipping protocol. They might be “in a meeting” and can’t be disturbed — a deterrent to confirming the request — or ask for secrecy because the purchase is a gift. The employee is unlikely to question the request because they believe they are communicating with a company executive.

Invoice and payment fraud is popular with scammers because they have the opportunity to score big — often with minimal effort — resulting in significant loss to your business of money, goods, or services. This kind of email spoofs vendors, including well-known ones, to catch the attention of the recipient. And because businesses often contend with a plethora of vendors and invoices, the chances of a phony invoice getting paid are pretty good, especially with employees working remotely with less direct team communication. It’s easy to assume that the vendor on the other end of the email thread is who they say they are: a person or company you've known and communicated with for some time. An invoice comes through from a vendor you think you know or from a recognizable name (like Zoom, PayPal, Amazon, etc.) and chances are, it’s going to move on through the accounts payable process.

How can you protect yourself?

When it comes to preventing attacks from hackers, spoofers, scammers, or others whose intent is much more serious than their names would lead us to believe, the first strategy is a good offense — starting with awareness and education, followed by communication and a built-in system of checks and balances.

It’s also important to be extra mindful of the email headers and where the request is actually coming from. And especially for accounts payable departments or anyone dealing with invoices, it’s wise to scrutinize any change to financial processes and to follow up on every suspicious email with a verification phone call.
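To make “be mindful of the email headers” concrete, here is an added example (not part of the original article) that parses a constructed message with Python's standard `email` library and reports the header mismatches that typically accompany BEC: a familiar display name on an unfamiliar address, a Reply-To or Return-Path domain that differs from the From domain, and a From domain that is a near miss of a trusted one. The contact directory and trusted-domain list are assumptions standing in for your own.

```python
"""Flag common BEC warning signs in the headers of an incoming message.

Added example: the messages, contact directory and trusted domains below are
constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

KNOWN_CONTACTS = {"jane.doe@example-bank.com": "Jane Doe"}      # assumption: internal directory
TRUSTED_DOMAINS = {"example-bank.com", "vendor-example.com"}     # assumption: your own and vendors' domains


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. 'rn' standing in for 'm')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_headers(raw_message: str) -> list[str]:
    """Return a list of findings; an empty list means the headers look consistent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = domain_of(from_addr)

    # 1. Display name belongs to a known contact, but the address does not.
    for addr, known_name in KNOWN_CONTACTS.items():
        if name.strip().lower() == known_name.lower() and from_addr != addr:
            findings.append(f"display name '{name}' belongs to {addr}, not {from_addr}")

    # 2. Replies would go to a different domain than the one the mail claims to be from.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")

    # 3. The envelope sender (Return-Path) does not match the From domain.
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {from_dom}")

    # 4. The From domain is a near miss of a domain you trust.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and edit_distance(from_dom, trusted) <= 2:
            findings.append(f"From domain {from_dom} looks like {trusted}")
    return findings


# Constructed sample: the "executive in a meeting" pattern, sent from a look-alike domain.
SUSPICIOUS = """\
Return-Path: <bounce@mail-example.net>
From: Jane Doe <jane.doe@exarnple-bank.com>
Reply-To: <jane.doe.ceo@mail-example.net>
To: ap@example-bank.com
Subject: Urgent wire today
Date: Wed, 17 Feb 2021 09:12:00 -0600
Message-ID: <constructed-0001@mail-example.net>

Please handle this before noon, I am in a meeting and cannot take calls.
"""

# Constructed sample: the same sender, with consistent headers.
CLEAN = """\
Return-Path: <jane.doe@example-bank.com>
From: Jane Doe <jane.doe@example-bank.com>
To: ap@example-bank.com
Subject: Q1 vendor review
Date: Wed, 17 Feb 2021 10:00:00 -0600
Message-ID: <constructed-0002@example-bank.com>

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(f"{label}: {inspect_headers(raw) or ['no findings']}")
```

Header checks like these are a screen, not a verdict: a legitimate vendor may well send from a bulk-mail provider with a different Return-Path. A finding should route the message to the verification phone call the article recommends rather than decide the matter on its own.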

Multifactor authentication (MFA) is another key security feature for improving your business’s email security. We recommend you also check with your vendors and other trusted third parties you work with to ensure their business email systems include MFA. By being aware of trending scams and promoting safe practices within your business, you and your employees can protect your assets from business email compromise as well as other types of cybercrime.

Have questions? We’re here to help! Contact Treasury Management at 402.323.1557 or visit our Treasury Management page.


Learning Center articles, guides, blogs, podcasts, and videos are for informational purposes only and are not an advertisement for a product or service. The accuracy and completeness is not guaranteed and does not constitute legal or tax advice. Please consult with your own tax, legal, and financial advisors.