What is Business Email Compromise, and How Can I Prevent It?
Updated: Mar 23
In this article, we will discuss the following:
What is Business Email Compromise?
What is Vendor Email Compromise?
Where to go to report email fraud
Tips on how to stay safe
How can I prevent BEC and VEC attacks?
Business email compromise (BEC) has become one of the most popular and dangerous sources of online scams. According to the FBI and the Internet Crime Complaint Center (IC3), these sophisticated email crimes increased by 65% globally from July 2019 to December 2021, exceeding an unbelievable $43 billion in attempted and actual losses. With BEC crimes being reported in all 50 states and targeting small businesses and large corporations alike, it is no longer a one-dimensional threat but a widespread form of payment fraud. The FBI further reports a staggering 847,376 complaints of internet crimes in the United States for 2021, totaling a little more than $6.9 billion. Of these complaints, 19,954 were BEC-related, for an adjusted loss of $2.4 billion.
What is Business Email Compromise?
Business Email Compromise (BEC) is an email phishing attack that targets individuals and attempts to trick them into performing a particular action or giving up sensitive information. For example, a scammer will write an email pretending to be a fellow employee or authority figure within the victim's organization and instruct them to respond with the desired information, such as passwords, two-factor authentication codes, or bank account details. These bogus requests can be hard to spot if you are not paying attention. In most cases, BEC attacks are carried out with plain-text emails that carry no malicious attachment or link, so they fly under the radar of email security measures that look for malware. In other cases, cybercriminals will send emails containing suspicious attachments or unsafe links that compromise the user's account when clicked. Cybercriminals are also getting smarter and more patient with their approach. Using a method the FBI refers to as grooming, BEC scammers will wait a few days or weeks and work their way into company calendars, transaction history, and much more to learn how and when to make their move.
What is Vendor Email Compromise?
Unlike traditional BEC attacks, where scammers impersonate individuals from inside the victim’s organization, Vendor Email Compromise (VEC) attacks see scammers impersonating outside sources, such as a trusted vendor or trade partner. VEC attacks are much more sophisticated and extremely difficult to detect.
Here is an example of some of the steps in a VEC attack:
Research - VEC attackers will conduct preliminary research on an organization to learn more about its inner workings, such as employee hierarchy, workflow patterns, trusted vendors, etc.
Access - Scammers will attempt to access the victim organization's email account using information gathered during the research phase. Usually, access is obtained using traditional BEC tactics, such as tricking an employee into giving up credentials or clicking on a malicious link or attachment in a phishing email.
Surveillance - Once access to the victim organization's email account is obtained, the scammers will monitor communications for some time to learn more about supply chain patterns, trade partners, payments, and invoices.
Attack - Using the victim organization's email account and information gathered during the surveillance phase, scammers will launch attacks targeting anyone in the supply chain, including vendors/suppliers and, in some cases, the customer base.
VEC attacks can take a few months before the scammer makes their move and are extremely difficult to detect. Moreover, since the requests come from a trusted vendor or trade partner, the fraud can go undetected for long periods.
Where to go to report email fraud?
There are a few websites that are helpful when you need to report email fraud. First, the FBI website shows a detailed breakdown of how a BEC scheme plays out and how to report it.
Visit www.fbi.gov to find it. Another good resource for reporting various scams and fraud is www.usa.gov. Lastly, the Federal Trade Commission has a user-friendly website with a step-by-step guide for reporting scams and fraud.
Internet crimes come in several shapes and sizes and are only a few clicks away from infiltrating a business's inner circle. These bad actors have become increasingly efficient since the pandemic, with many employees working remotely and businesses relying on email more than ever. However, let's not be so naive as to think remote work is to blame and dismiss BEC if your company does not have remote employees. BEC is a scam that uses email, and businesses have relied on email since its mainstream adoption in the 1980s and 1990s. Since remote work is here to stay and, for the foreseeable future, so is email communication, let's talk about best practices and how to avoid BEC.
Tips on how to stay safe
Did you click on any of the links in the previous section? Whether you did or not, this is the perfect time to discuss clicking on links from outside sources. The best practice with clickable links is simple: don't click on them, especially if you have doubts about the origin or where the link will take you. The problem is that people love clicking on links. Let's pretend you receive an email with a link you have to click on; maybe that's just your company's process, and you do it all the time. No big deal, right? Get in the habit of checking the email sender's name every time before you reply or click on anything inside the email. Checking the sender's name is a quick and effortless way to ensure you are not introducing fraud into your personal or professional environment.
For example, let's say you receive an email from someone you communicate with regularly in your company. Before you reply or click on anything, take a quick look and ensure the email address has no extra characters. If the person in your company is Janedoe@company.com, the bad actor may attempt to infiltrate your business from an address like Janedoe@companyceo.com, but all you see in your inbox is the display name Jane Doe. Always click the drop-down by the sender name and check the full email address before responding or clicking. When in doubt, throw it out, or in this case, report it to the FBI.
VEC attacks are a little trickier to detect. In VEC attacks, the scammer will have compromised a vendor's account, so the sender and domain name can be legitimate. In addition, they may have some pretty convincing documentation attached since they have monitored communications for some time. In this case, look for unusual behavior and language, like a sense of urgency to change account details and choppy grammar. For example, if a trusted vendor requests a change to bank account details for a scheduled payment but insists it happens "right away" or "immediately" and sounds frantic in their request, it may be time to pick up the phone and call them to confirm.
Below is an example of the drop-down in Gmail.
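As an added illustration (not code from the original article), here is a small Python screen for the two checks described above: a familiar display name backed by an unfamiliar address or a lookalike domain, and an urgent request to change payment details. The contact names, domains and sample messages are constructed, and the lookalike test is a simple heuristic, not a product feature.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed contact list (names and domains are hypothetical, not from the article):
# display name as it appears in the inbox -> the address you actually know for that contact.
KNOWN_CONTACTS = {
    "jane doe": "janedoe@company.com",
    "acme supply": "billing@acme-supply.example",
}
TRUSTED_DOMAINS = {addr.split("@")[1] for addr in KNOWN_CONTACTS.values()}

# Wording the article calls out in VEC payment-change requests.
URGENCY = re.compile(r"\b(right away|immediately|urgent(ly)?|asap|within the hour)\b", re.I)
PAYMENT = re.compile(r"\b(bank|wire|routing|account) (details|information|number|info)\b", re.I)
CHANGE = re.compile(r"\b(chang|updat|new)\w*\b", re.I)

def lookalike_domain(domain):
    """Return the trusted domain `domain` imitates, or None if it is trusted or unrelated.
    Heuristic: trusted name embedded (company.com -> companyceo.com) or near-identical (compay.com)."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        base = trusted.split(".")[0]
        if base in domain or SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
            return trusted
    return None

def assess(from_header, body):
    """Return a list of warnings for one message; an empty list means nothing unusual."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.partition("@")[2]
    warnings = []
    known = KNOWN_CONTACTS.get(display.strip().lower())
    if known and known != addr:  # familiar display name, unfamiliar address behind it
        warnings.append(f"display name '{display}' belongs to {known}, but this mail is from {addr}")
    imitated = lookalike_domain(domain)
    if imitated:
        warnings.append(f"sender domain {domain} looks like trusted domain {imitated}")
    if URGENCY.search(body) and PAYMENT.search(body) and CHANGE.search(body):
        warnings.append("urgent request to change payment details: confirm by phone on a known number")
    return warnings

if __name__ == "__main__":  # constructed messages
    for hdr, text in [('"Jane Doe" <Janedoe@companyceo.com>', "Send me the 2FA code right away."),
                      ('"Jane Doe" <janedoe@company.com>', "Here is the agenda for Monday.")]:
        print(hdr, "->", assess(hdr, text) or ["no warnings"])
```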
How can I prevent BEC and VEC attacks?
Double check - Always check the sender names when emailing to protect yourself and your business. It takes very little time or effort and can save you a lot of frustration and possibly your career.
Internet dive - Google is my best friend; I often Google something instead of clicking on someone else's link. Google the name of the business you are being asked to send information to, or even use social media to look up the contact. It may be a red flag if you can't find what you are looking for.
Ask for help - When you have a gut feeling or are slightly suspicious of something, don’t hesitate to ask someone to help take a look. For example, if time is of the utmost importance and someone requests funds or sensitive information minutes before a deadline, take a second to review with a colleague. You should never be ashamed of protecting yourself and your company.
Technology - Technology is also an elegant solution to email scams. You can always ask your IT department what extra protection they can implement to help you stay ahead of the curve.
A quick phone call - Dial the person or company you are communicating with to confirm the details. A brief phone conversation could save you from a scammy situation and is a great way to nurture your relationship with vendors and partners.
At Speedchain, we provide our members with an encrypted chat feature to reduce business email compromise opportunities. This way, our members can remove email from the equation and reduce the chances for fraud to exist in their process. If you do not have an IT department and have limited options or resources to provide protection, the best defense will be you. Check the sender name and domain, take a moment to review the email a second time, pick up the phone and call someone to confirm, and even use Google to do a little deep dive on something if you have to. No one is going to die if you double-check.
For more information on how Speedchain's spend management platform helps keep businesses safe from payment fraud, contact a Speedster today!