You or your company could be one of the 22,000 victims of a business email compromise scam and never even know it.
That’s because it’s no longer that Nigerian prince asking you to wire him money so he can save his people – hopefully you, like most people, know emails like that are BS.
Now the scam is less obvious: it’s your CxO emailing you, asking you to pay for the latest business expense.
Except, it’s not actually your CxO emailing you, there is no business expense, and now your company’s money is in the hands of a cyber criminal halfway across the world.
This is the new kind of email fraud and it’s making 21st-century con artists filthy rich.
In 2016, the FBI issued a public service announcement reporting roughly $3.1 billion in exposed losses (money actually stolen plus attempted transfers) from more than 22,000 victims in 79 countries.
Since January 2015, identified exposed losses from this scam have grown by 1,300%.
Today’s cyber criminals are smart, meticulous, and dangerous.
In order to protect yourself and your company from business email compromise, we’re going to share with you the 5 most common types of fraudulent emails used in this form of scam and the 10 best ways you can guard against them.
5 Types of Business Email Compromise
Business email compromise is a sophisticated, targeted cybercrime that is difficult to detect because it relies on deceiving people rather than on malware or technical exploits, so conventional filters frequently let these messages through.
To pull one off, cyber criminals first research your company to learn its purchasing habits and which employees handle financial transactions, then either spoof or break into a trusted person's email account in order to deceive another employee with a convincing message.
To help you detect these emails, here are the 5 main types you might receive in your inbox:
1. High-Level Executive Fraud
Often referred to as “CEO fraud” or “business executive fraud,” the cyber criminal will pretend to be a high-level executive (CEO, COO, CFO, etc.) and will send an email requesting an immediate and urgent wire transfer to an account that the criminal controls.
2. Vendor Invoice Fraud
The cyber criminal will pose as one of your vendors and send a phony email invoice. Once you pay, those funds are deposited into the criminal’s account.
This is known as “the bogus invoice scheme.”
3. Attorney Fraud
Exactly as the name suggests, the cyber criminal impersonates a lawyer or legal firm you work with and usually contacts the CEO or some other employee or executive who can handle payments.
Often, they’ll claim they’re handling time-sensitive and confidential matters that immediately require funds to complete.
4. Employee Account Fraud
The cyber criminal breaks into an employee's email account, harvests their contacts, then sends invoices to one or more of your customers or clients. If a customer pays into the criminal's account, you will likely never know it happened unless that customer follows up on the invoice payment.
5. Information Request Fraud
In this case, instead of attempting to defraud you of funds directly, the cyber criminal breaks into an employee's email account – most likely in HR or finance – to harvest personal and financial details about executives and other staff.
That information is then used to set up follow-on scams: the schemes described above, or identity and tax fraud against the individuals whose data was taken.
10 Ways to Guard Against Business Email Compromise
First of all, you need to understand that a company of any size is at risk of being targeted and attacked this way.
Secondly, defending against business email compromise requires every employee at every level to know exactly what the risks are, what to watch out for, and what to do to minimize the chance of falling victim to this type of fraud.
Here’s our list of 10 ways to protect yourself and your company; put them into practice ASAP to increase security and safety.
- Train employees regularly on cyber security best practices, current company policies, and the specific warning signs of a fraudulent payment request.
- Require multi-factor authentication on email and other sensitive accounts. A stolen or guessed password alone is then not enough for a criminal to take over the mailbox these scams depend on.
- Confirm every request for money, and every change to payment instructions, by phone or in person using a number you already have on file, not one supplied in the email. Never act on a payment request until it has been verified outside of email.
- Don't run company business through free webmail accounts. Use a company-owned domain, whether self-hosted or a subscription service, so that your mail can be authenticated and messages forging your domain can be identified.
- Run regular "spoof tests" to confirm that your mail system rejects or quarantines messages that forge your own domain or an executive's address. Publishing and enforcing SPF, DKIM and DMARC records for your domain is what makes such rejection possible.
- Scrutinize emails that appear to come from executives, especially those requesting secrecy and an immediate transfer of funds. Check the actual sender address and any Reply-To address, not just the display name.
- Verify changes in vendor bank account or payment details by having known vendor personnel confirm the change over a previously established channel.
- Pay attention to your customers' habits and preferred payment methods. If they always correspond through their business email but suddenly send emails from a personal account, contact them directly to confirm they sent those emails.
- Delete spam and never click links or open attachments from email addresses you don't recognize. These often carry malware that gives a cyber criminal access to your machine and information.
- Work with a managed IT security company that knows how to lock down your systems, implement proper security policies, and educate everyone in your organization on how to identify business email compromise.
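Several of the items above (the spoof test, checking executive emails, watching for customers who switch addresses) describe checks that can be scripted and run over incoming mail. The following is an added example and not part of the original article: it parses raw message headers and flags the warning signs those items describe, namely an executive's display name paired with an external sender address, a sender domain that is a near-miss of the corporate domain, a Reply-To that quietly redirects replies elsewhere, and urgency or secrecy language. The corporate domain example.com, the executive names, and the three sample messages are constructed for illustration; a real deployment would load the names from a directory and feed it messages from the mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only: replace with your real domain and directory.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}  # lower-cased display names of executives
PRESSURE = re.compile(
    r"\b(urgent|immediately|asap|wire|confidential|secret|discreet)\b", re.I
)


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Domain part of an email address, lower-cased; empty string if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return a list of human-readable BEC warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Executive's name is shown, but the message did not come from the corporate domain.
    if name.strip().lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        findings.append(f"executive display name on external address {addr}")

    # 2. Sender domain is a near-miss of the corporate domain (typosquat / homoglyph).
    if from_dom and from_dom != CORP_DOMAIN and edit_distance(from_dom, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Reply-To silently redirects the conversation to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from sender domain")

    # 4. Pressure language typical of CEO and attorney fraud (two or more distinct terms).
    text = msg.get("Subject", "") + " " + msg.get_payload()
    hits = sorted({h.lower() for h in PRESSURE.findall(text)})
    if len(hits) >= 2:
        findings.append("urgency/secrecy language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payables@example.com
Subject: Q3 figures

Attached are the numbers we discussed this morning.
"""

CEO_FRAUD = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <janedoe.office@outlook.com>
To: payables@example.com
Subject: Urgent wire transfer needed

I need this handled immediately and kept confidential until I am back.
"""

LOOKALIKE = """\
From: Accounts Payable <ap@examp1e.com>
To: payables@example.com
Subject: Invoice 4471

Please note our updated bank details for this and future payments.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("ceo fraud", CEO_FRAUD), ("lookalike", LOOKALIKE)):
        print(label, "->", bec_indicators(raw) or "no indicators")
```

None of these checks proves fraud on its own; the point is to route messages with one or more findings to a human for the out-of-band phone verification the list above calls for. The lookalike check relies on a Levenshtein threshold of two edits, which will miss more creative impersonation domains, so treat it as a complement to DMARC enforcement rather than a replacement.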
Implement these measures while staying aware of the 5 main business email compromise scams and you will greatly reduce the chance of falling prey to cyber criminals.
While we outlined quite a few things you can do on your own to protect yourself and your organization from business email compromise, hiring a professional IT security company will help you quickly establish security systems and protocols to guard against cyber criminals.
An IT security company can help you generate risk reports and identify vulnerabilities within your current system, and then implement the proper strategies to correct any of your security flaws. They are a critical part of a high-functioning IT security plan.
Want to Prevent Business Email Compromise and Other IT Scams?
Through our managed IT security services, we can deploy multi-layered email protection against malware, social engineering, and phishing while using state-of-the-art antivirus and spam filtering.
We’ll create tailored IT solutions at scale for your business, regardless of its size or scope.