Cyber attacks and phishing schemes like business email compromises (BECs) are becoming more common than ever. These happen when a cybercriminal attempts to impersonate an executive or someone within a company to get access to data and money. Though these may sound simple enough to avoid and recognize, business compromise attacks are increasing. Not only that, but they are becoming more sophisticated and difficult to detect with each passing year.
That is why learning how to identify a business email compromise scam – and having adequate cybersecurity protocols in place – matters so much today. To know what to watch out for, read on.
The Fundamentals of Business Compromise Attacks
What is a Phishing Email Scam/Business Email Compromise?
A business email compromise is exactly what it sounds like: the breach of a company email address through cyber attack methods like phishing scams. According to the FBI, a BEC exploits our heavy reliance on digital communications, and prime targets include coworkers and lower-level employees, executives, and any vendors you regularly interact with. Hackers may pretend to be someone else to access sensitive information, account details, and other data. In other instances, they may be seeking to get into your own personal email address.
Why are Phishing Email Scams a Risk?
In some cases, phishing email scams are very poorly done, often by individuals in faraway countries attempting to impersonate someone you regularly have contact with. At other times, they may be trying to pass themselves off as an official organization, governing body, compliance regulator, your bank or otherwise. However, business email compromises – also referred to as email account compromises (EACs) – are becoming increasingly successful as many scammers are getting smarter. They’re doing their homework, and even the fine print of a phishing email can 100-percent match the real deal. Perfect imitations are increasingly commonplace, which means that there’s an ever-higher risk of falling for them no matter how vigilant you may be.
There are three common types of email phishing scams, according to the Government of Canada. These include the age-old “freebie” or “you’re a winner” email, spear phishing scams that aren’t mass-produced, and especially those pretending to be from the government or local authorities, as fear is one of the strongest weapons in a hacker’s arsenal. Falling for any of these or the other examples mentioned can easily lead to a BEC/EAC.
How to Stop Scam Emails
Last year, Forbes reported that over 320 billion spam emails – not regular emails – are sent every single day, and that spam accounts for a whopping 94% or so of the world’s malware. Fortunately, there are several ways to put a stop to these digital pests, enabling you to better safeguard your business, clients, employees, and internal data – not to mention your funds.
What are some of these methods? For starters, don’t simply give out your email address willy-nilly. That right there is akin to opening the blinds at night, flicking on the lights, and allowing everyone to see inside. Any addresses published on the “contact us” page of your company’s website should be dedicated support or contact mailboxes rather than those of specific employees. Consider using throwaway email accounts such as these, otherwise known as “burners,” to form a line of digital defence.
In addition, dedicated spam filtering software, network monitoring and cyber security services, and training employees on red flags to look out for can save you a lot of stress in the long run. Lastly and most importantly, never open a link or respond to an email that looks suspicious. Keep an eye out for improper capitalization, low-quality writing, grammatical issues, typos, and blurry logos that appear to be pasted in. Legitimate emails from government organizations, local authorities, and corporate senders normally go through an editing pass before they are sent, so errors of this kind are a warning sign.
How to Report Scam Emails
The first step is to mark the email and report it as a phishing scam in the email client you use. In Gmail, for instance, this can be done by selecting the email and clicking the “report spam” button (at the moment, its design mimics that of a stop sign with an exclamation point in the middle). Further steps include reporting a scam or fraud to your local government (in Ontario, for instance, it can be done on this scam reporting page). Individuals in the United States should visit this official government page for a complete list of scam reporting options, as the suggested approaches will be different depending on the circumstances.
How to Determine Whether You’ve Received a Phishing Email
Did You Receive an Email Urgently Requesting Funds?
Many BEC scams tend to have common subject headings, and one of the most frequently used ones is an Urgent Request for Funds Transfer. This may appear as though an executive or someone with a senior position in your company is requesting to have an invoice processed. Or they might be ordering an employee to change the recipient’s name on a scheduled payment.
Here are some common examples of what the email subject might look like:
- Wire Transfer Request
- Payment – Important
- Bank Transfer Enquiry
- Urgent Request
- Fund Payment Reminder
What are the Sender’s Details?
Always look at the domain and details of the sender. With a quick glance, it might appear to be the same domain as your company, but it’s important to look carefully. Fraudsters often use a domain that is almost identical but has slight variations in the spelling or in the tail end of the domain address. For example, firstname.lastname@example.org. At other times, it might simply be a long string of gibberish, which is an immediate indicator of a spam account sending the email.
Sometimes the email will come from a personal address, such as a Hotmail or Gmail account, rather than a company domain, so keep an eye out for this as well.
Does the Email Have a Very Brief Message?
When it comes to phishing scams, the emails are usually very brief and right to the point. They will urge you to bypass normal procedures and perform their request right away.
Was the Email Sent from a Mobile Device?
Another common warning sign is if the email appears to have come from a mobile device. This is usually indicated at the bottom of the email. Also, if the sender says they are travelling or in transit, take it as a red flag.
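The warning signs from the last few sections (an urgent-funds subject line, a lookalike or free-webmail sender domain, a very brief message, a mobile footer, and a “travelling” excuse) can be turned into a small triage check that a mail administrator runs over incoming messages. The script below is an added example written for this article, not code from the original post or from The Smith Investigation Agency; the company domain example.com, the homoglyph table, the keyword lists, the 40-word brevity threshold and the two sample messages are constructed assumptions. It goes slightly beyond the text by scoring all of the indicators together rather than one at a time.

```python
"""Flag the BEC indicators discussed above in a raw RFC 822 message.
Added example; company domain, keyword lists and samples are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumption: the organisation's real domain
FREE_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
URGENT_SUBJECTS = ("wire transfer", "payment", "bank transfer", "urgent", "fund")
MOBILE_FOOTER = re.compile(r"sent from my (iphone|ipad|android|mobile|blackberry)", re.I)
TRAVEL_PHRASES = ("travelling", "traveling", "in transit", "on a flight", "in a meeting")
BRIEF_WORDS = 40                 # assumption: bodies shorter than this count as "very brief"

# Character swaps commonly used to spell a lookalike domain (constructed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "|": "l"}


def normalise(label: str) -> str:
    """Undo common lookalike substitutions so 'examp1e' compares equal to 'example'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_verdict(domain: str, company: str = COMPANY_DOMAIN) -> str:
    """Classify a sender domain as 'exact', 'lookalike', 'webmail' or 'other'."""
    domain = domain.lower()
    if domain == company or domain.endswith("." + company):
        return "exact"            # the real domain or one of its own subdomains
    if domain in FREE_WEBMAIL:
        return "webmail"
    d_name, _, _ = domain.rpartition(".")
    c_name, _, _ = company.rpartition(".")
    # Same name with a swapped letter, a small misspelling, or a different tail end (TLD).
    if d_name and (normalise(d_name) == normalise(c_name) or edit_distance(d_name, c_name) <= 2):
        return "lookalike"
    return "other"


def bec_indicators(raw: str) -> list:
    """Return a list of human-readable indicators found in the message (empty = none)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    verdict = domain_verdict(domain)
    if verdict != "exact":
        hits.append(f"sender domain {domain!r} is {verdict}")
    if any(k in subject.lower() for k in URGENT_SUBJECTS):
        hits.append(f"urgent-funds subject: {subject!r}")
    words = len(body.split())
    if words < BRIEF_WORDS:
        hits.append(f"very brief body ({words} words)")
    if MOBILE_FOOTER.search(body):
        hits.append("sent-from-mobile footer")
    if any(p in body.lower() for p in TRAVEL_PHRASES):
        hits.append("sender claims to be travelling or unavailable")
    return hits


# Constructed sample messages (not real correspondence).
SUSPICIOUS = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent Request - Wire Transfer

Hi, I'm travelling and can't talk. Please process the attached invoice today
and change the beneficiary details to the new account. Thanks.

Sent from my iPhone
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review notes

Hello team,

Attached are the notes from this morning's budget review. Please read through
the action items assigned to your group before Friday's meeting and add any
corrections directly in the shared document. Nothing here needs an immediate
response, and no payments or account changes are involved. If anything is
unclear, drop by my office or book a slot in my calendar and we can go through
it together.

Jane
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, bec_indicators(sample))
```

The constructed suspicious message trips all five checks (lookalike domain, urgent subject, 26-word body, mobile footer, travelling excuse), while the ordinary budget note trips none. The `normalise` step is what catches the “slight variation in spelling” case (a digit 1 for a lowercase l, or rn for m), and the name comparison after `rpartition` is what catches a changed tail end such as example.co in place of example.com. A hit is a prompt to verify out of band, not proof of fraud.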
What to Do When Faced with a Business Compromise Attack
Here are some things you should do when faced with a BEC:
- Verify any request to send money directly with the sender, in person or over the phone, using contact details you already have rather than those given in the email
- Carefully look at the email address and details of each sender
- Have your staff thoroughly trained to recognize and deal with BEC threats
If you have been the target of email scams or business compromise attacks, The Smith Investigation Agency can help ensure your business is protected from fraud. Contact us today to learn more.