Business email compromise: How to protect yourself
by Jazmine West
With great risk comes great reward, and online the reverse is just as true: with great reward comes great risk.
As businesses continue, and even hurry, to move their operations online, the exchange of goods, services, and capital will only become easier. Is that a good thing? Yes… and no.
Unfortunately, email spam and scams will keep evolving along with the Internet. We’ve all heard about the age-old Nigerian Prince Scam that we warn our sweet grandmothers about, but what about stealthier and far more financially damaging scams?
As the FBI describes it, business email compromise (BEC) is a scam in which a criminal, posing as a person or company the recipient knows or expects to hear from, tricks the recipient into sending money or sensitive (typically financial) data. Because the request is fraudulent, whatever the victim sends goes to the criminal rather than to the person they believe they are dealing with.
For example, a criminal may spoof a client’s email address, or send from a lookalike domain, claim that an invoice payment did not go through, and ask the recipient to resubmit it to “updated” bank details. The recipient sees the client’s name in the From line, does not look past the display name to the actual sending address, and submits the payment, which lands in the scammer’s account.
This may sound easy to spot, but professional criminals are good at what they do and use a range of tactics to reach their goal. It is worth knowing the ways they can trick you into handing over money or sensitive information about yourself or your company.
Types of BEC attacks
- Bogus Invoice Scheme: A criminal, posing as an established vendor or client, sends the victim a fake invoice, or a notice that the vendor’s bank details have changed, so that payment is directed into an account the criminal controls.
- Attorney Impersonation: The criminal poses as a lawyer or law-firm representative and leans on the status of the profession and the expectation of client confidentiality to request sensitive information or a transfer from lower-level employees, who may not feel able to question or challenge the request. Status and a short deadline are the levers used to pressure the victim into complying.
- CEO Fraud: Similar to the previous tactic, a scammer impersonates the CEO or another executive to get an employee to transfer funds, buy gift cards, or make some other purchase on the executive’s behalf.
- Account Compromise: Rather than spoofing, the criminal breaks into an employee’s or executive’s real mailbox (often by phishing the user’s password) and uses it to request invoice payments from the company’s customers or vendors, with the payments directed to the criminal’s account. Because the mail genuinely comes from the account, sender checks pass and only the content gives it away.
- Data Theft: Perhaps the most insidious of the schemes, a criminal gains control of an HR employee’s or executive’s account and uses it to request personal information (such as payroll or tax records) about other employees, clients, or, in health care, patients.
Data theft is perhaps the most dangerous attack for health care organizations, because protected health information (PHI) can be exposed.
These attacks most commonly happen over email, but they can also happen over the phone, and a phone call or text message is often used alongside the email to add pressure or to “confirm” the request.
How prevalent are BEC scams?
BEC scams are among the most widespread and effective email scams today. Unlike phishing that relies on malware or a credential-harvesting link, a BEC message often contains nothing but text, so its success depends on the victim not recognizing the tactics being used.
The FBI issued a warning earlier this year that users of cloud-based email services such as Microsoft 365 and Google Workspace are being targeted by business email compromise scams. Many of these customers are businesses that handle large payments, which multiplies the impact of the threat.
The FBI states: “Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and [Google Workspace].”
The FBI’s 2019 Internet Crime Report likewise attributes over $1.7 billion in losses in 2019 to BEC scams.
Below are some practical ways to reduce your chances of falling for one.
How to avoid BEC attacks
The FBI and other sources offer a few general recommendations to reduce the likelihood of a successful scam:
- Use two-factor authentication on email and other accounts that contain sensitive information, so a stolen password alone does not hand an attacker the mailbox
- Configure your mail system to reject or flag mail from lookalike domains, to enforce SPF, DKIM and DMARC so that mail forged under your own domain is rejected, and to mark messages that originate outside the organization
- Always verify unusual requests, especially changes to bank details or urgent transfers, in person or by phone, using a number you already have on file rather than one supplied in the email
- Never click links in, or open attachments from, unsolicited messages
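To make the mail-system and verification recommendations above concrete, here is an added example (not part of the original article) of a triage script that could run at a mail gateway or over an accounts-payable inbox. It reads one raw message and checks whether the From display name belongs to a trusted vendor sending from that vendor’s known domain, flags lookalike or embedded domains, a Reply-To that points elsewhere, any SPF/DKIM/DMARC result other than pass, and payment wording combined with urgency. The vendor allow-list, the domains and both sample messages are constructed for the demo.

```python
"""BEC triage for one inbound message: display name vs. sending domain, lookalike
domains, Reply-To redirection, SPF/DKIM/DMARC results, payment-plus-urgency wording.
Added example; the vendor list, domains and sample messages are constructed."""
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed allow-list: display names accounts-payable expects and the one domain
# each may send from (in practice, this comes from the vendor master file).
TRUSTED_VENDORS = {"acme billing": "acme-supplies.example",
                   "dana reyes": "acme-supplies.example"}
TRUSTED_DOMAINS = set(TRUSTED_VENDORS.values())
PAYMENT_WORDS = re.compile(r"\b(invoice|wire|transfer|bank|account|payment|remit)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|asap|before (?:noon|eod))\b", re.I)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def lookalike(domain, trusted_domains, threshold=0.85):
    """Return the trusted domain that `domain` imitates, or None. Catches embedded
    names (acme-supplies.example.evil.test) and near-miss spellings
    (acme-supp1ies.example) by edit similarity; an exact trusted domain is not flagged."""
    if domain in trusted_domains:
        return None
    for trusted in trusted_domains:
        if trusted in domain or SequenceMatcher(None, domain, trusted).ratio() >= threshold:
            return trusted
    return None


def auth_findings(msg):
    """Every SPF/DKIM/DMARC result in Authentication-Results that is not 'pass'."""
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return [("auth", "no Authentication-Results header; sender not verified")]
    return [("auth", f"{mech.lower()}={result.lower()}") for header in headers
            for mech, result in AUTH_RESULT.findall(str(header)) if result.lower() != "pass"]


def triage(raw):
    """Return the sender address, a list of (code, detail) findings and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # The display name is all most readers see; the address behind it is what matters.
    expected = TRUSTED_VENDORS.get(name.strip().lower())
    if expected and domain != expected:
        findings.append(("display-name-mismatch", f"'{name}' expected from {expected}, not {domain}"))
    # A registered lookalike domain passes SPF/DKIM, so the spelling must be checked too.
    imitated = lookalike(domain, TRUSTED_DOMAINS)
    if imitated:
        findings.append(("lookalike-domain", f"{domain} resembles {imitated}"))
    # A Reply-To on another domain routes the victim's answer to the attacker.
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}"))
    findings += auth_findings(msg)
    # Payment topic plus pressure to act now is the BEC signature in the text itself.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    if PAYMENT_WORDS.search(text):
        findings.append(("payment-language", "concerns a payment or bank details"))
    if URGENCY_WORDS.search(text):
        findings.append(("urgency-language", "pressures for immediate action"))
    codes = {code for code, _ in findings}
    hold = (codes & {"display-name-mismatch", "lookalike-domain", "reply-to-mismatch"}
            or {"auth", "payment-language"} <= codes)
    return {"sender": addr, "findings": findings,
            "verdict": "hold-for-verification" if hold else "ok"}


# Constructed sample: lookalike domain, webmail Reply-To, urgent payment request.
# SPF passes because the attacker controls the lookalike domain's DNS.
SUSPICIOUS = """From: Acme Billing <accounts@acme-supp1ies.example>
Reply-To: acme.billing.dept@webmail.example
Subject: Re: Invoice 4471 - payment did not go through
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=acme-supp1ies.example;
 dkim=none; dmarc=none

Our bank rejected the wire for invoice 4471. Please resubmit the payment today to
the updated account details below. This is urgent, it must clear before EOD.
"""

# Constructed sample: the real vendor, fully authenticated, no pressure.
BENIGN = """From: Dana Reyes <dana@acme-supplies.example>
Subject: Invoice 4402 for March
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=acme-supplies.example;
 dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example

Please find attached the invoice for March. Let me know if anything is unclear.
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        result = triage(sample)
        print(result["sender"], "->", result["verdict"], result["findings"])
```

Note that SPF passes on the suspicious sample: the attacker registered the lookalike domain and published its own records, so authentication results only confirm that the mail came from whoever controls that domain, not that the domain is your vendor. That is why the display-name and lookalike checks matter, and why a hold-for-verification verdict should trigger a phone call to a number already on file rather than a reply to the message.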
The danger with email
Email remains a risky but necessary way of doing business, and with more businesses coming online, it is here to stay.
In health care, the stakes go beyond financial loss: exposed PHI can mean hefty HIPAA penalties and, for knowing violations, criminal charges.
Email is the most common entry point for cyberattacks. Encrypting your email is a necessary first step, since it protects message contents in transit and at rest, but it does not by itself stop BEC: the fraudulent message arrives as ordinary mail and carries no malware. Sender authentication, out-of-band verification of payment requests, and controls on what sensitive data can leave the organization are what address the scam directly.
The best way to secure your email
At the Premium level, our data loss prevention (DLP) feature blocks sensitive information and PHI from being sent to unauthorized recipients, whether the sender is acting maliciously or has fallen for a BEC scam.