Business email compromise has become an increasingly significant issue for companies in recent years, costing businesses an estimated $43 billion. But what is BEC, and how can you keep your company from these malicious cyberattacks? The concierge cybersecurity experts at BlackCloak have the answers.

What is Business Email Compromise (BEC)?

Business e-mail compromise, or BEC, is a phishing scam that tends to target high level executives, finance personnel and wealthy individuals who are responsible for initiating wire transfers. BEC scams were previously referred to as man-in-the-email scams, but essentially they are any malicious actor’s attempts to compromise a target’s email account. Obtaining access to an account can be achieved through email spoofing, use of keyloggers or successfully phishing individuals and collecting their user credentials

Once an email account has been compromised, the attacker will intercept emails and initiate fund transfer requests to other employees, business partners, your family office or vendors. These requests will include payment instructions that redirects the money to a criminal account. You may never even see these emails as attackers can adjust the email routing rules and keep them hidden from your purview. You may only become aware of the situation once the money as gone out the door..

In 2018, the amount of money lost by companies to this scam doubled, but the criminals will target anyone who has a lot of money. They tend to mark their requests for funding urgent or link them to dire consequences, as cybercriminals want you to be in an emotional state so you are not thinking straight.

How can you protect yourself and your business against BEC?

Business email compromise protection looks similar to many forms of business identity theft protection, with robust digital protections and valuable cybersecurity training. Follow these steps to improve your BEC protection:

  1. Use anti-virus software on your systems and keep them up-to-date.
  2. Protect your e-mail account. Use a strong password and at least two-factor authentication on all of your e-mail accounts. If your email account has security questions attached to it, change them to something more obscure. For accounts which insist on using your mother’s maiden name or other easy-to-obtain information, it is often a good idea to lie. Just make sure that you keep track of the false answers.
  3. Using a password manager can help you use stronger passwords without needing to remember them all and you can store the responses to security questions here as well and keep them protected.
  4. Have a policy of verifying all fund transfers by phone or in person. Contact individuals based on the phone number you have on file and not what is listed in the email.
  5. Carefully review fund transfer email requests. Pay attention to the email address and timing of the request (is it out of the ordinary to be receiving such a request?). Thieves may create a free email account that uses your contact’s name, or which is one character away. For example, the real address might be doe@… and the thieves might make jonidoe@… Perhaps you sent the payment last month and you are not scheduled to send another payment until 2 months from now.
  6. Keep yourself educated on new techniques and scams. Education is your strongest weapon against BEC and other techniques that target the human factor.

The key to avoiding falling victim to a BEC scam is to educate yourself, pay attention, and always verify the sender before transferring money. Make sure that everyone you deal with also stays up-to-date on these types of scams and follows proper procedures when transferring money, especially to overseas accounts. Retrieving money sent to a scammers’ account can be almost impossible, so it is very important to avoid this kind of scam. 

If you do fall victim to a BEC scam, you should contact your bank immediately regarding the incident, update your computer systems and software and scan your systems for malware. If malware is present on your systems you will want to remove it before you update account passwords, etc.

For more cybersecurity tips, review BlackCloak’s executive cybersecurity blog.

If you’re interested in our concierge cybersecurity services for executives and high-net-worth individuals, contact our experts today.