Business email compromise (BEC) is a growing form of digital attack that could incentivize ransomware scammers to begin incorporating it as one of their cybercrime tactics.
The FBI’s Internet Crime Complaint Center reveals that BECs now produce more stolen money than ransomware, as originally reported in Wired.
What Is A Business Email Compromise?
Business email compromises are typically strategies by criminals looking to victimize businesses. They will target a corporate email account and attempt to impersonate a co-worker, vendor, or business partner with fake invoices or contract payments. A successful BEC will result in the victim wiring money to a criminal while under the impression they are conducting standard business.
The strategy is used to target businesses both large and small. In 2019, a BEC attack ultimately cost Toyota $37 million.
Cyber crimes of all sorts are becoming more common, and small businesses are proving to be vulnerable. There was a 152% increase in data breaches at small businesses globally during 2020 and 2021 compared to the two previous years, according to RiskRecon. While there may be a lower ceiling on potential money stolen from smaller companies, they can potentially be an easier target based on more causal email policies, experts say. Ninety-eight percent of companies in the promotional products industry meet the definition of small businesses.
How BEC Differs From Ransomware:
Rather than relying on technological sophistication, BEC criminals are using social engineering, a skill that aims to manipulate someone through false narratives to act against their self-interest.
Vice President of Information Technology at American Solutions for Business and chair of PPAI’s Technology Committee Mike Pfeiffer uses an analogy to differentiate the two types of cyber criminals. “BEC criminals are largely the con or confidence men of today whereas ransomware criminals are like the bank or train robbers of history.”
“BEC works differently [than Ransomware],” says Paul Elfstrom, PPAI’s director of information technology. “It’s designed to fool people and take advantage of normal daily routines. For example, one of your vendors sends a note to your AP department saying their bank has changed and thy provide new routing information. But maybe your vendor’s email was compromised, and this is someone impersonating them. You can see where this could pose a serious problem.”
How To Protect Yourself:
Some BEC protection might seem like common sense, but if it’s not adopted into policy or reiterated to employees at all levels, companies can find themselves vulnerable.
“Protect your email first,” Elfstrom says. “Strong passwords and two-factor authentication are a must for email accounts. Next, train your employees. They should have some level of security awareness training, especially key individuals that handle financial transactions or have the authority to make financial decisions. And don’t forget about HR. Employee information is just as important to protect.”
Furthermore, stop and take a moment to assess if an email sounds pushy or rushes you to act. Scammers know to exploit the fact that many modern business employees are balancing a lot at any given moment, so they will try to trick them into thinking a payment or task has slipped through the cracks and that they are behind on something. It is always good practice to respond to urgency in a measured way to ensure you are not making a mistake.
“Enforce the mandatory use Multi-Factor Authentication on every email account your company uses and every third-party you choose to conduct business,” Pfeiffer advises. “At American Solutions for Business, we have enforced mandatory MFA for all email accounts for years. We are aggressively working with our vendor partners and customers, strongly urging them to do the same. It is simply the cost of doing business today.”