Scam Central: Keeping Cyberattackers Out of Your Inbox
This informative article – courtesy of Anthony Dolce, The Hartford’s Head of Professional Liability and Cyber – contains great tips and tools for protecting your business against email scams. Take a look, and if you have any questions, don’t hesitate to reach out!
According to the FBI’s Internet Crime Report, business email compromise (BEC) is one of the most financially damaging online crimes. In 2022, there were nearly 22,000 related complaints, and businesses lost more than $2.7 billion to these scams. BEC is a scam that targets businesses rather than individuals — although there are similar types of consumer-focused scams called email account compromises.
While BEC always involves taking over or imitating a business email account, the scheme can play out in several ways. For example, the scammer might take over or imitate an email from an executive. They might then reach out to an employee on the finance team with an urgent request for a money transfer and have funds sent directly to the scammer’s account. Or the fake executive might ask an employee to buy and send them gift cards, which they can quickly cash out or resell.
In some BEC schemes, the criminals attack from a different angle. For example, rather than targeting a business directly, they could compromise a vendor’s email account and monitor the email account activity. After the vendor sends a legitimate invoice, the scammer quickly follows up as the vendor, apologizes for a mistake in the payment information and asks for the payment to be sent to a different account.
BEC is not always about the money transfers though. Some BEC attackers might be after employees’ personal information or data about the company, which they can then sell on the dark web or use as the basis for a different attack in the future.
What could happen if a business is targeted?
Unlike the scam emails that get sent to thousands of people at a time, the criminals running BEC schemes often conduct well-researched and coordinated attacks. For instance, the scammer might spend days learning about the company and monitoring its social media activity. They might even wait until the business is away at a conference before springing into action, using the trip as the basis for an urgent request: posing as the business owner, for example, they send an email demanding an immediate wire transfer because a merger or acquisition was just completed and the money is needed right away. If an employee responds, the business might be out tens of thousands of dollars.
Scammers are also quick to test new methods, just as successful businesses pivot to address changing circumstances. In February 2022, the FBI warned about the rise of BEC schemes involving virtual meeting platforms during the previous three years. The scammers send a meeting request as the CEO or CFO of a company, use deepfake audio to replicate the executive’s voice, and then request a funds transfer during the meeting or in a follow-up email.
How does phishing play a role?
In most instances of BEC, as well as other cyberattacks, phishing plays a part in the fraud. Even when phishing is not the leading cause of an attack, cybercriminals often use it to prepare for the actual attack. To protect against phishing, BEC and other cyber threats, businesses should be aware of their cyber risk. Training employees to recognize the warning signs described above and implementing email security controls that flag suspicious messages can help prevent these types of attacks and reduce losses.
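The following is an added example, not code from the article or from The Hartford. It shows what a simple defender-side screen for the BEC patterns described above might look like: a rule-based scorer that flags an executive's display name arriving from an unexpected address, a Reply-To pointing elsewhere, a look-alike of the company's or a vendor's domain, and message content asking for urgent transfers, gift cards or changed bank details. The company domain, executive list, vendor domains, score weights and all sample messages are constructed assumptions for illustration.

```python
"""
Added example (not part of the article): a rule-based screen for the business
email compromise (BEC) patterns the article describes, intended to run on the
defender's side (mail gateway hook or triage script).  The organisation data
and every sample message below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Hypothetical organisation data: own domain, known executives, approved vendors.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan": "pat.morgan@example.com"}   # display name -> real address
VENDOR_DOMAINS = {"acme-supplies.example"}

# Content patterns for the schemes the article describes (assumed wording).
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|asap|today)\b", re.I)
TRANSFER = re.compile(r"\b(wire|transfer|funds|payment)\b", re.I)
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(new|updated|changed|different|correct(ed)?)\b.{0,40}\b(account|bank|routing|iban)\b",
    re.I | re.S)

HOLD_THRESHOLD = 5   # at or above this score, hold the message for out-of-band verification


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points, why):
        self.score += points
        self.reasons.append(why)

    @property
    def hold(self):
        return self.score >= HOLD_THRESHOLD


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (e.g. one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header):
    """Return (display name, address, domain), all lower-cased."""
    name, addr = parseaddr(header)
    return name.strip().lower(), addr.lower(), addr.rpartition("@")[2].lower()


def screen(msg):
    """msg: dict with 'from', optional 'reply_to', 'subject', 'body'. Returns a Finding."""
    f = Finding()
    name, addr, from_domain = split_address(msg["from"])
    text = msg.get("subject", "") + "\n" + msg.get("body", "")

    # 1. Executive impersonation: a known executive's display name on another address.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        f.hit(4, f"display name '{name}' but sender is {addr}")

    # 2. Reply-To pointing somewhere other than the sender's domain.
    if msg.get("reply_to"):
        _, _, reply_domain = split_address(msg["reply_to"])
        if reply_domain != from_domain:
            f.hit(2, f"reply-to domain {reply_domain} differs from {from_domain}")

    # 3. Look-alike of the company's or an approved vendor's domain.
    for trusted in {COMPANY_DOMAIN, *VENDOR_DOMAINS}:
        if from_domain != trusted and edit_distance(from_domain, trusted) <= 2:
            f.hit(3, f"sender domain {from_domain} resembles {trusted}")

    # 4. Content: urgent money movement, gift cards, changed payment details.
    if URGENCY.search(text) and TRANSFER.search(text):
        f.hit(2, "urgent funds transfer request")
    if GIFT_CARD.search(text):
        f.hit(2, "gift card purchase request")
    if BANK_CHANGE.search(text):
        f.hit(3, "request to change payment account details")
    return f


# Constructed sample messages (not real correspondence).
SAMPLES = {
    "exec_impersonation": {
        "from": "Pat Morgan <pat.morgan@webmail.example>",
        "subject": "Urgent - confidential",
        "body": "I'm at the conference and can't talk. We just closed an acquisition; "
                "please wire $48,000 today to the account I'll send next.",
    },
    "vendor_invoice_redirect": {
        "from": "ACME Billing <billing@acme-supp1ies.example>",
        "subject": "Re: Invoice 1187",
        "body": "Apologies, the bank details on our last invoice were wrong. "
                "Please use the new account number below for payment.",
    },
    "legitimate": {
        "from": "Pat Morgan <pat.morgan@example.com>",
        "subject": "Q3 report",
        "body": "Could you send me the Q3 figures when you get a chance?",
    },
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        r = screen(m)
        print(f"{label}: score={r.score} hold={r.hold} reasons={r.reasons}")
```

A screen like this is a triage aid, not a verdict: the point of the hold is to force the step the article's advice comes down to, confirming any money movement or bank-detail change through a known phone number or channel rather than by replying to the email.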