April 3, 2023 | Article | 7 min Business insights
Business email compromise scams—also known as BEC scams—can do untold damage to your company and reputation. Recognizing compromised emails is the difference between safe guarding your business or becoming a victim. Learn more about BEC scams and how you can protect your business and your bottom line.
Business email compromise scams—also known as BEC scams—can do untold damage to your company and reputation. According to the FBI, victims of BEC scams lost $2.4 billion in 2021, exceeding losses from ransomware attacks nearly fifty-fold!
BEC scams account for a third of cybercrime losses, and they only get more prevalent each year. Advancements in computer technology can do wonders for your business—but they open several back doors for scammers and hackers.
Vigilance and training are the only ways to combat business email compromise scams. If you or your employees aren’t trained to recognize suspicious emails, scammers can quickly make off with thousands—if not millions—of dollars before anyone ever notices. Let’s unpack everything you need to know about BEC scams, their harmful impacts, and how to recognize them before it’s too late.
What Is a BEC Scam?
A business email compromise scam is a type of social engineering phishing scam where an attacker impersonates a high-level executive, business partner, team member, or trusted vendor over email. As John Fick, SVP Director of Fraud Prevention at HTLF, puts it, “Most of the losses that HTLF is dealing with is either with checks or business email compromise, which is, for a lack of better word, hacking into somebody's email, pretending to be the "CEO", and sending emails.”
The attacker’s goal is to manipulate a target into handing over personal or protected company information, allowing them to steal identities and siphon funds without anyone noticing.
A BEC scammer might send you an email from an address you think you recognize. However, there’ll be something different about it. You'll notice it upon scrutiny, like an underscore instead of a dash or an extra letter that blends with the rest. But in the fast-paced business world, you or your team members might not notice the difference until it’s too late.
While many BEC scams target the entire organization, some scammers narrow their victims down to the Accounts Payable department. These criminals attempt to maliciously install malware to steal funds from your accounts and rely on human emotion and error to send them money directly.
“Business email compromise is a huge deal that can be particularly devastating to a small business,” says Tracy Swaim, VP Fraud Risk Manager at HTLF. “Business owners may think they’re paying a vendor or changing an employee’s account number for their payroll deposit, but it may be someone with malicious intent.”
According to Verizon’s 2021 Data Breach Investigation Report, most BEC scams are financially motivated. But money isn’t the only thing scammers might be after. Some might come for account credentials, sending you a fraudulent link to a fake login page.
This login page will look almost identical to what you’re used to, as scammers are masters of disguises. But by filling out the forms, you’ll pass all your account credentials on to a sophisticated ring of cyber criminals poised to do untold damage to you and your company.
Other BEC scammers will ask you to send gift certificates, which are harder to track and its nearly impossible to recover the funds. According to the FTC, anybody asking you to send the serial number on the back of a gift card is trying to scam you.
BEC scams are social engineering scams, meaning they rely on human interaction rather than hacking, malware, and ransomware. You can think of social engineering scammers as silver-tongued con artists trying to talk you into something that doesn't seem right.
How Does a BEC Scam Work?
With many competing definitions, let’s narrow BEC scams down to their simplest form. Business email compromise scams are phishing attacks in which the victim believes they’ve received an email from a trusted source, genuine business, or regular vendor.
BEC scams don’t necessarily have to “compromise” someone else’s email. Most look like someone else's email at a glance, is known as spoofing.
Next, the scammer will urgently ask you for money: They may ask you to divert payment to a new account, change banking details for future payments, or make a wire transfer ASAP.
Because BEC scams—like other social engineering attacks—don’t rely on malware, your cybersecurity systems won’t detect them. They just look like another email, making them dangerous for untrained employees.
Scammers use three tactics to “compromise” someone’s email: email impersonation, email spoofing, or email account takeover. But how can you recognize all three?
- Email impersonation is when the scammer uses an email account similar to the one you see daily. Let’s say you get regular emails from VendorOne@work.domain.com. A scammer might send you an email from VendorOne@work_domain.com. The difference between a period and an underscore could mean millions of dollars lost to a BEC scam. Now, imagine it’s 11:00 AM on a busy Monday morning. Would you pick up on the difference?
- Email spoofing is when the scammer modifies an email’s envelope and header. These modifications trick your server into believing the message came from a corporate domain. It may look like the email is coming from a real address, but it’s not them on the other side.
- Account takeover is when the scammer can log into the corporate email account through hacks or stolen credentials. Now, you’ll receive an email from VendorOne@work.domain.com, it'll have all the proper back-end credentials, and it’ll even sound like them.
Account takeover scams are the hardest to detect, meaning you must pay extra attention to content. If something sounds off, it probably is. A phone call to a trusted and verified phone number can confirm a genuine request or reveal a scammer.
Types of BEC Scams
Now that we know what business email compromise scams are and how they work, let’s unpack the most common playbooks scammers use to steal money or information. If you miss a spoofed or impersonated email, or if the scammer gains access to a corporate email address, the body of their message will likely unveil their true intentions.
Among the most common BEC scams, account compromise is when a cybercriminal gains access to an employee’s contact list. From there, they’ll mine it for company vendors, suppliers, and partners. Then, while impersonating the employee (perhaps from the accounts receivable department), they request payments to a new account controlled by the scammers.
This playbook involves scammers impersonating or taking over the CEO’s—or another C-Suite executive’s—email account. They’ll ask a lower-level employee to make a wire transfer, purchase gift cards, or reveal sensitive company information/credentials. The employee, thinking they’re in contact with the boss, might oblige without hesitation, fearing they could lose their job if they don’t obey.
Scammers can also use CEO fraud to take advantage of B2B relations. The CEO at company A might get a fraudulent email from the CFO at company B. They’re used to doing business together, so the CEO doesn’t think twice.
Fake Invoice Scams
In these schemes, the scammer will gain access to or impersonate an employee email account responsible for payment processing. They’ll use it to contact other team members, asking them to pay a missing invoice urgently. The scammer might say, "There was a mistake, and we need you to pay this ASAP. The company will reimburse you.”
Payroll Diversion Scam
Payroll diversion scams involve impersonating an employee and attempting to redirect legitimate payroll payments from their intended accounts to ones under the attacker's control. They differ from other BEC scams, as the attacker doesn’t pretend to be a VIP. Instead, they pose as a regular employee trying to change their direct deposit information with HR.
This play involves compromising a member of HR and sending emails to gather confidential information about employees, investors, and business partners. Typically, data theft lays the groundwork for a more coordinated attack on the company.
Some brazen scammers will impersonate the company attorney and request funds from employees or the CEO. Scammers will usually wait until Friday afternoon or right before a holiday break to send these emails, as their targets are likely in a rush to wrap things up before the weekend.
How Much Damage Can a BEC Scam Do?
Business email compromise scams can affect companies large and small. Nobody is safe from scammers, exemplifying the need for preparedness and rigorous training. Don’t believe us? Let’s dive into real-world examples of people and companies that thought they were safe from BEC scams.
Scammers Hit an Entire Town
In July 2021, Peterborough, New Hampshire, lost $2.3 million to BEC scammers using spoofed email accounts. The scammers used forged invoices to con town employees into sending taxpayer money to the wrong accounts. When they recognized the scam, the money was converted to cryptocurrency and never recovered.
The Toyota Swindle
The Toyota Boshoku Corporation, a primary European supplier of Toyota auto parts, lost ¥4 billion (or about $37 million) to a BEC scam. According to Forbes, cybercriminals convinced someone with financial authority to alter account information, thus sending money to accounts controlled by scammers.
The Tech Giants
Even the most powerful companies aren't impervious to BEC scams. Between 2013 and 2015, Evaldas Rimasauskas stole over $120 million from Facebook and Google by posing as a fake supplier and sending forged invoices.
The One Treasure Island Scam
One Treasure Island is a San Francisco non-profit aimed at helping low-income and homeless people. In late December 2020, scammers stole $650,000 intended for affordable housing by impersonating the hired contractor. The extent of the scam came to light when the real contractor never got the money.
The Entire Puerto Rican Government
After a 6.4 magnitude earthquake rocked the island in early 2020, a finance director accidentally transferred $2.6 million to a fraudulent bank account. He received a compromised email from Puerto Rico Employment Retirement System asking him to remit payment to a new account. Thankfully, the FBI was able to freeze the funds before the scammers got away with it.
How Can You Avoid Falling Victim to a BEC Scam?
Because business email compromise scams rely on social engineering, your cybersecurity measures won’t do much to stop them. You and your team members must recognize a BEC scam when you see one and report it to the FBI’s Internet Crime Complaint Center.
Begin by practicing safe online routines and leveraging robust spam filters and secure email gateways. In doing so, you can easily weed out BEC scams altogether. If you’re looking to fortify your defenses further, consider some best practices for detecting and avoiding BEC scams.
Host Corporate Email Accounts
Web-based emails like Yahoo and Gmail are free and, therefore, appealing. However, they’re also significantly easier to spoof and impersonate than corporate accounts hosted on your company’s domain. Corporate accounts help build your brand reputation, as they’re more professional and trustworthy than web-based email.
Scrutinize Suspicious Emails
Whenever money or sensitive information is involved, take another look at the sender's address. Is it one you recognize, or is it different? Does the request circumvent established company protocol? If so, it’s likely a scam. Contact the sender (or whom you believe the sender to be) through their direct line (not what is listed in the email) to confirm the request. If they’ve been hacked, they’ll appreciate you letting them know.
Leverage Two-Factor Authentication (2FA)
2FA requires you to approve sign-ins to your corporate email account. For example, you might get an SMS message alerting you of a login attempt. If it’s you, then you’ll approve the login. If it’s not, you’ll know it’s time to change your password or alert the cybersecurity team.
Consider Dual Control Banking
Dual control banking requires two people to authorize and complete transitions and payments, including wire and ACH transfers. The first person (the initiator) creates the payment request. Then the second person (the approver) checks and approves the request. Think of it like a checks and balances system for wire and ACH transfers. BEC scammers might get past the initiator—but the approver can catch the scam before any money goes through.
Limit Social Media Use
Most people are too open with what they post on Facebook, Instagram, Twitter, and TikTok. Scammers can easily learn your date of birth, hometown, favorite foods, drinks, relatives, and vacation destinations by scrolling through your social media pages.
Think about the answers to your security questions: first pet, first car, mother’s maiden name, high school, favorite city, and so on. Could someone easily learn those answers (well enough to guess within a few attempts) simply by scrolling through your Facebook page?
Securing Your Business Starts Today
Now is the time to implement strategies to better protect your company’s finances and reputation. These strategies go beyond firewalls and malware detection to include rigorous training to detect BEC and other social engineering scams. Recognizing compromised emails is the difference between catching criminals or becoming their victim.
With a team of fraud experts, Citywide Banks, a division of HTLF Bank works diligently to provide education on the latest fraud trends and ways to better protect your business. Fraud mitigation tools such as check and ACH positive pay can help safeguard the funds flowing in and out of your business. Get in touch with Citywide Banks, a division of HTLF Bank today to speak with a commercial banker about best practices to reduce vulnerabilities and fight fraud.