A Small Business Owner’s Guide to Business Email Compromise

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received nearly 20,000 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints. Victims reported losses of nearly $2.4 billion, a 26-percent increase over similar losses reported in 2020. In fact, over the last 6 years, the combined domestic and international dollar loss from these crimes has exceeded $43 billion, with the average cost per attack totaling $120,000.

Keep reading to learn all about BEC/EAC attacks, how they work, how they put your business at risk, how you can prevent them, and what to do if your business email has been compromised.

What is Business Email Compromise (BEC)?

Owners and employees alike have come to rely on email to conduct business, and electronic funds transfers (EFTs) have become commonplace. Cybercriminals have developed several tactics to exploit this dependency.

BEC scammers attempt to infiltrate businesses by gaining access to company email accounts or creating fake ones. While some BEC attacks use brute force hacking methods, most employee social engineering tactics. These tactics allow cybercriminals to bypass an organization's fraud detection systems. Generally, employees want to be helpful and, if convinced a request is coming from a co-worker or supervisor, will cooperate.

“Cyber criminals know the tactics that work best on good people who are busy and just trying to carry on with day-to-day business,” explains Zach Milstead, Chief Information Security Officer (CISO) at Guaranty Bank & Trust. “They also know that these tactics are often more effective that trying to force their way into targeted systems.”

Because they don’t involve a direct breach of a company’s servers, some cyber liability insurance policies that cover losses from malware may not cover BEC losses.

What is the main goal of Business Email Compromise (BEC)?

Once they have successfully deceived an employee, BEC scammers will attempt to manipulate them into transfer ring funds to a fraudulent account. They may also try to procure sensitive data that they can use to commit identity theft or sell to another bad actor.

What are the primary methods scammers use to carry out Business Email Compromise (BEC) attacks?

Spoofing and phishing are the primary methods criminals use to breach the security of email and financial accounts.

In spoofing, a cybercriminal impersonates a person or business the recipient trusts by sending an email whose return address is similar to a known contact. The spoofer tricks the target into performing some action that will benefit the spoofer, such as sharing confidential information or transferring money.

For example, an email that looks like it has been sent from the recipient’s credit card company may contain a link to a fraudulent website. When a victim follows the link, they are brought to a website that uses headers and logos that “spoof” the legitimate site. Victims are prompted to enter their login credentials or account number, thus allowing the spoofer to capture that information. As Zach notes: “People are often lulled into a false sense of security by what ‘appears’ familiar. We drop our guard when we think we know what to expect. That’s why spoofing techniques are so effective.”

Phishing is less targeted than spoofing. It casts a wide in hopes of snaring victims. Cybercriminals who phish send out bulk emails containing messages designed to alarm recipients into action. Commonly, phishing messages will include language such as “your account will be [or has been] suspended.” The message will then direct users follow a link to a malicious website where they are asked to supply their login information.

In some phishing attempts, criminals send emails with subject headings such as “Your invoice is attached.” Unsuspecting recipients may be tempted to open an attachment posing as that invoice, which then installs malicious software on their device or network.

Spearphishing is a more targeted type of phishing. Criminals will focus on a particular group or organization rather than sending out bulk emails.

For example, website owners may be the target of a spearphishing campaign that emails fraudulent notices. The sender claims to be working on behalf of a web hosting company. The email will indicate that the target’s website has reached its storage limit and will direct them to a webpage where they may purchase more storage space to prevent their website from being taken down.

“Cyber criminals know people are put on guard when something unexpected shows up,” adds Zach. “That’s why they disguise spearphishing messages with content specifically focused on what their target should be expecting.”

As these examples demonstrate, BEC tactics can range from the simple to the sophisticated. As awareness about these scams has grown, cybercriminals have begun investing more time and resources into researching a company — and its executives — so they can be as convincing as possible in their deceptions.

What are the most common types of Business Email Compromise (BEC) scams?

The five most common types of BEC scams are:

1. CEO/Executive Spoof.
2. Compromised Employee Email.
3. Vendor Infiltration.
4. False Invoice Scheme.
5. Attorney Impersonation.

1) CEO/Executive Spoof

Scammers will impersonate an upper-level company executive by spoofing an email address and/or company domain. The fake email will direct an employee to wire funds to a fraudulent account. Often, the request is “confidential and urgent.” Scammers will research a company to determine who in the organization is empowered to complete this type of request. These attacks are often launched when the spoofed executive is traveling or otherwise out of the office.

Unfortunately, the pandemic presented scammers with new opportunities to deploy this tactic. By compromising an employer or financial officer’s email, criminals were able to initiate virtual meetings and then instruct employees to transfer funds. They could pull this off by posting a still photo of the officer and either muting audio and claiming audio problems on their end or by creating audio using deepfake technology to mimic the officer’s voice.

2) Compromised Employee Email

Either by breaking a weak password or executing a successful spearfishing attack, a scammer can steal the password to an employee's work email account. Once in control of the account, the scammer will pose as the employee and email another employee asking for help with a transfer of funds.

A variation of this tactic sees scammers taking control of email accounts tied to a business’s Human Resources Department and using this access to request Social Security numbers and other private information from employees. Cybercriminals have also used compromised email accounts to target HR Departments and steal employee pay.

In 2019, the FBI reported an increase in the number of complaints concerning payroll diversion schemes. Criminals will use phishing emails to steal employee login credentials. With this information, they can send HR a request to change direct deposit information and route an employee’s pay into a fraudulent account or prepaid card. The scam includes changing system settings so that the employee is not notified of the changes made to their account.

Further, the IRS warns employers that W-2 information is highly valued by cybercriminals. HR personnel should be very cautious with this information as it is often the target of phishing campaigns.

3) Vendor Infiltration

If your business regularly communicates with suppliers via email and pays invoices using EFTs, scammers may attempt to gain access to your vendor’s email account.. If they do, they can secretly monitor your communications to determine the optimal time to make their move. They will then pose as your vendor and try to funnel payments to go a fraudulent account. Often, vendors will not realize their email has been compromised until after funds have been diverted to fraudulent accounts.

4) False Invoice Scheme

A scammer will gain access to your company’s email accounts to learn how it processes its invoices. The scammer will then impersonate a supplier and issue a fake invoice that directs payments to the scammer's account. Suppliers are often unaware that someone is spoofing their invoices, and the fraud may not be discovered until an audit reveals a discrepancy between purchase orders and invoices.

5) Attorney Impersonation

Cybercriminals my also pose as a company’s attorney and request payments or confidential information. The victims of these attacks are generally employees who are not personally familiar with a company's legal team but have responsibilities and privileges that allow them to meet the criminal's requests.

How you can recognize suspect emails

BEC attacks depend on successfully deceiving email recipients. Web domains are inexpensive and, without much difficulty, scammers can spoof a company’s website using a nearly identical domain name or replicating an email address using Gmail or another legitimate email service.

But, as Zach observes, “good cybersecurity awareness isn’t a matter of becoming an expert in technology,” says Zach. “It’s about developing a healthy level of skepticism and a habit of watching for specific little things that are just a little out of the ordinary.”

Consequently, taking a “no trust” approach to communications that ask for sensitive information or a transfer of funds is the first step to blocking an attack and data theft.

With that in mind, Zach advises that businesses and their employees look out for these red flags:

• Slightly “off” URLs or email addresses. For example, smithj@business.com vs. smithj@businesses.com.
• Requests from business associates that come from private email accounts.
• Subject lines that claim urgency.
• Requests for fund transfers into an unfamiliar or non-standard account.
• Unusual requests such as the CEO asking for employee Social Security numbers.
• Misspellings or awkward grammar.
• Unusual forms of address. For example, the person you know as Jim signs his email as James.

What NOT to do when you receive a suspect email

• Do not open any attachments.
• Do not use the reply function to respond to a suspect email. Instead, forward the email with your questions to the purported sender using the email address you have for that person. Depending on your email client, replying to a spoofed address may automatically add it to your contact list. This becomes a problem if you send subsequent emails using the autofill function. When sending an email, always verify you are sending it to the correct address and delete incorrect addresses from your contact list.

What to do when you receive a suspect email

• Alert your company’s IT security department about the email and explain your concerns.
• Verify with the sender using an alternate communication method. If the email is from a compromised account, you will need to phone, text, or chat with the sender to confirm that the email is legitimate.

What to do if your business email has been compromised

Rule #1: be prepared. “It’s important to have a plan and procedures in place ahead of time for when, not if, you have a cybersecurity incident,” Zach explains.

As long as you follow rule #1, you should find it easier to follow rule #2 — act quickly. Money transferred into a criminal's account is often converted into cryptocurrency, making it much harder to trace.

If a BEC scammer has gained access to your business’s funds or sensitive data, follow these steps:

• Contact your bank and ask them to contact the financial institution where your funds were sent.
• Contact any vendors whose accounts may be involved in the scam.
• Inform your local FBI office of the attack.
• File a report with the FBI’s Internet Crime Complaint Center.
• Contact your insurance agent.

Proactive measures you can take to reduce your risk of Business Email Compromise (BEC)

• Require that employees attend BEC awareness training.
• Develop policies for handling email so that employees will recognize and know how to handle suspect emails.
• Create procedures for reporting suspicious emails.
• Require strong email passwords and regular password changes.
• Establish policies that require approval from multiple people when handling sensitive information or large financial transactions. Require confirmation using non-email systems for these transactions.
• Require multi-factor authentication for any account changes;
• Implement an email domain and sender authentication system to protect your company’s domain from spoofing.
• Check with your insurance provider to determine if your policy covers losses from BEC attacks.

At Guaranty Bank & Trust, security and privacy protection are top priorities. Please visit our security center to learn more about how you can protect your business from BEC and other cyberattacks.

Back to Security Center