Everything You Need to Know About Business Email Compromise

April 19th, 2021
In the world of online business, it’s safe to say that hackers never take the day off. These virtual con artists go out of their way to constantly evolve and adapt as they adjust and tweak their tactics to infiltrate even the most secure of businesses.

While a great deal of information regarding cybersecurity highlights concerns about ransomware, Business Email Compromise (BEC) has often flown quietly under the radar, despite causing significant financial losses.

What is Business Email Compromise?

BEC is the term for a scam in which criminals send an email that appears to come from a known, trusted source and makes what seems to be a genuine request.

For example, a financial director could receive an email from the CEO at their firm requesting that the finance department transfer a sum of money over to a vendor for computer equipment. As everything seems to align with the business strategy, the transaction is completed, and the scam is only noticed after it’s too late.

How does the scammer gain access to the information needed? Well, the process may look a bit like this:

  1. The scammer may start by using malicious software, or malware, to infiltrate the company network and gain access to confidential email threads.
  2. The scammer then sends spear-phishing emails that look like they come from a trusted source, such as a vendor or board member, to trick recipients into revealing confidential information, like bank account details or calendars.
  3. The scammer might also register a website or email address that looks legitimate by slightly varying a real one. For example, john.smith@yourcompany.com may become john.smth@yourcompany.com (simply removing one letter).
  4. The BEC criminal then uses the information gained to craft an email that sounds like it comes from management, with sufficient detail to trick the unwitting victim.

As you can see, every business needs to be at the top of its game to ensure it doesn’t fall victim to a scam like this one.

Is Your Business Vulnerable?

The FBI’s Internet Crime Complaint Center recently reported a surge in internet crime complaints, with losses exceeding $4,000,000,000! Senior Director of Threat Research at Agari, Crane Hassold, expressed his disbelief, saying, “BEC comprised 37% of all losses last year. That’s an outrageous figure.”

That is how prolific this scam is on a global scale, and it isn’t just international companies falling victim to it. The South African Banking Risk Information Centre (SABRIC) put out an alert in 2019 warning local companies to keep their eyes open. In that report, they confirmed that they had witnessed a 67% increase in impersonation attacks, and a large percentage of the victims were employees who had the authorisation to make payments or transfer funds.

How to Protect Your Business

The internet is a wonderful invention, but it can be a dangerous one too. Even with only basic skills, personal details are available at the drop of a hat, and it hasn’t taken hackers long to piece the puzzle together.

Here are our top five tips on how to protect your business:

  1. Play your cards close to your chest and be conscious of how openly you share personal details, such as schools you’ve attended, pet names, links to family members and your birthday. This information could arm a scammer with all the data needed to guess your passwords or the answers to your security questions.
  2. Take care when clicking on links within emails, no matter how legitimate they seem. If a company or financial institution asks you to verify your details, look up the company’s phone number yourself and call to check that the request is genuine. Delete these emails without replying or engaging with the scammer in any way.
  3. Make a habit of scrutinising sender information, and get to know the email addresses of the people with whom you frequently communicate.
  4. Never open email attachments from unknown senders or within forwarded emails. It’s just not worth the risk.
  5. Use two-factor or multi-factor authentication whenever possible on sites that require logins and passwords, and ensure it is never disabled.
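Tip 3 above and the one-letter-off address trick described earlier (john.smith becoming john.smth) can be turned into a simple automated check. The following Python is an added example, not code from the original post or from Numata: it parses an incoming From: header and compares it against a contact directory, flagging addresses within a couple of edits of a known contact, lookalike domains, and messages whose display name belongs to a known contact but whose address does not. The contact list, the two-edit threshold and the function names are assumptions constructed for this example.

```python
from email.utils import parseaddr

# Constructed contact directory for this example (not real addresses); an
# organisation would load this from its address book or mail logs.
KNOWN_CONTACTS = {
    "John Smith": "john.smith@yourcompany.com",
    "Jane Doe": "jane.doe@yourcompany.com",
    "Acme Billing": "invoices@acme-supplies.example",
}

# Assumed threshold: addresses or domains within this many single-character
# edits of a known one are treated as lookalikes.
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character insertions, deletions
    or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_sender(from_header: str, known=KNOWN_CONTACTS) -> dict:
    """Classify a From: header as 'known', 'suspicious' or 'unknown' and list
    the reasons, using nothing but the contact directory."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    known_by_addr = {a.lower(): n for n, a in known.items()}
    known_by_name = {n.lower(): a.lower() for n, a in known.items()}
    known_domains = {a.split("@", 1)[1] for a in known_by_addr}
    findings = []

    # Exact match against the directory: nothing to flag.
    if addr in known_by_addr:
        return {"verdict": "known", "contact": known_by_addr[addr], "findings": findings}

    # 1. Display name belongs to a known contact, but the address does not.
    if name.lower() in known_by_name:
        findings.append(f"display name '{name}' belongs to {known_by_name[name.lower()]}")

    # 2. Whole address is within a few edits of a known one (e.g. one letter dropped).
    for k in known_by_addr:
        if edit_distance(addr, k) <= MAX_DISTANCE:
            findings.append(f"address is a lookalike of {k}")

    # 3. Domain is a near-miss of a known domain (a registered lookalike domain).
    domain = addr.split("@", 1)[1] if "@" in addr else ""
    for d in known_domains:
        if domain != d and edit_distance(domain, d) <= MAX_DISTANCE:
            findings.append(f"domain '{domain}' is a lookalike of {d}")

    verdict = "suspicious" if findings else "unknown"
    return {"verdict": verdict, "contact": None, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers illustrating each outcome.
    for header in (
        "John Smith <john.smith@yourcompany.com>",
        "John Smith <john.smth@yourcompany.com>",
        "Acme Billing <invoices@acme-suplies.example>",
        "Random Person <someone@elsewhere.example>",
    ):
        print(header, "->", check_sender(header))
```

The check is deliberately conservative: an "unknown" verdict only means the sender is not in the directory, while "suspicious" means the address was engineered to resemble one that is. In practice this sits alongside SPF/DKIM/DMARC results and out-of-band verification of any payment request, as tip 2 describes, rather than replacing them.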

Numata offers a range of month-to-month, pay-per-user cybersecurity services that assist with your business's every need. Get in touch to find out more.