Business email compromises have risen by 100% – here’s how to protect your business

According to the Federal Bureau of Investigation, business email compromises, or BECs, have cost companies more than $26 billion from 2016 through 2019 alone. Additionally, over the past few years, the number of reported business email attacks has skyrocketed, totaling more than 160,000 — excluding many attacks that still go unreported.

While anyone can be a target of a BEC attack, some industries are more vulnerable than others.

“Any business that’s moving funds around, regularly transferring money or conducting financial transactions online, those are the biggest targets,” said Eric Hobbs, CEO of Technology Associates, a full-service technology consulting firm based in Cary. “You’ll also see broader-based firms experience something like a CEO impersonation, where they email the office administration asking for something like gift cards to be sent to a certain address.”

While many businesses are getting smarter about business email compromises, the scam continues to grow. From 2018 through 2019, the FBI found there was a 100 percent increase in identified global exposed losses. Part of that increase stems from greater awareness around the issue, which tends to cause more reporting, but that number still doesn’t represent the full scope of BECs.

For those on the lookout for potential attacks, there are five types of email compromise attempts to be aware of:

  • False invoices, which request wire transfers to incorrect accounts
  • CEO fraud, which happens when credentials are stolen and then used to request money or items
  • Account compromise, which is similar to CEO fraud but on an employee level
  • Attorney impersonation, in which hackers pretend to represent legal counsel and request wire transfers
  • Data theft, when fraudulent emails request sensitive documents like W-2s or personally identifiable information

Hackers use a variety of techniques to target victims, whether it be spoofing by using an email address that looks legitimate or similar to the victim’s, secretly installing malware, or using psychological manipulation to convince victims to share sensitive information. Additionally, if individuals use the same password for multiple platforms, it opens up the possibility for multiple breaches.

“Say I register my LinkedIn account using my work email and password. LinkedIn gets hacked, and now the hackers have my login information,” Hobbs said. “Now, it’s easy for them to backtrack and see what email system I’m using to log into my email and formulate an attack plan.”

“I had an acquaintance of mine in real estate who was a victim of such an attack. Within a two-week period of time, they had two customers tricked into diverting funds for a real estate transaction into a hacker’s bank account,” Hobbs continued. “The hackers were sitting there watching, waiting for an email requesting the transfer, then right at the last minute, they’d send an email back to the purchaser and say, ‘Oh by the way, we’ve got new bank account routing information. Here it is.’”
