Risk Management · December 13, 2023

How to Prevent Business Email Compromise

Bad actors are using increasingly sophisticated tactics to deceive employees into diverting money or exposing sensitive information—with thousands of organizations falling victim to these email scams every year. Here are steps you may take to help protect your organization.

Selecting a link or replying to the wrong email may be an expensive mistake, and plenty of commercial businesses are vulnerable. In fact, the FBI's Internet Crime Complaint Center received more than 21,000 complaints of business email compromise, or BEC, in 2022 alone.


How is my commercial business affected by scams?

For industrial companies, an email compromise could affect everything regarding operations through the supply chain.

To stem this tidal wave of BEC attacks and safeguard their assets, companies should redouble their business email compromise prevention efforts. This may include educating employees about the numerous types of email scams, enhancing cybersecurity protections and implementing protocols that reduce opportunities for a scammer to fool someone.

As with any type of fraud, understanding the scam is the first step toward successfully preventing it.

What is business email compromise?

Business email compromise is an email-based scam where cybercriminals use several possible methods—including impersonation, account takeover and social engineering—to steal money or extract sensitive information from organizations.

The FBI considers BEC attacks to be one of the most financially damaging online crimes, referring to it as the $50 billion scam because roughly this amount was reported stolen from businesses worldwide between 2013 and 2022. And as technology continues to evolve, new and more sophisticated schemes continue to proliferate, making it increasingly difficult—but far from impossible—to head them off.

Examples of business email compromise

The essential premise of a BEC scheme is impersonation—the sender uses technology to impersonate a known contact to gain the recipient's trust. Some scammers do research to be more convincing. Invariably, this sender has a request that involves money or sensitive information, making business email compromise one of the more common avenues for ACH fraud.

Business email compromise scams are constantly evolving. According to the FBI, some of the more common examples include the following.

  • Vendor impersonation: Someone impersonates a trusted vendor and sends an invoice, replacing the vendor's remittance information with theirs in order to intercept payment.
  • Gift card schemes: An employee of your organization receives an urgent message from someone posing as the CEO, asking them to purchase gift cards and send the card numbers via email.
  • Wire fraud: Someone in the process of buying a home receives an email that appears to come from their lender, with new instructions on how and where to wire the down payment.

How BEC attacks work

While the tactics vary from scheme to scheme, all business email compromise scams have the same basic goal—to convince the recipient to divert money or sensitive information toward the scammer.

Look-alike email addresses

One common approach is to create a look-alike email address that is remarkably similar to an email address the recipient would typically trust. For example, if your CEO's email address is MsCeo@companynameinc.com, the would-be scammer might send an email from MsCeo@companynaneinc.com. During a busy workday, the subtle difference between the two email addresses may be easy to miss.

Email account takeover

In other instances, a criminal might gain access to an employee's login credentials and use their account for fraudulent purposes. For example, they might take over the email of an accounts receivable manager and use it to send out fake invoices to vendors, asking for payments to be sent to a bank account controlled by the scammer.

Often, criminals obtain these email usernames and passwords using common phishing tactics, such as enticing a recipient to click on a link to enter credentials. Scammers may also purchase login information on the dark web or use an algorithm to guess thousands of passwords until it lands on the correct one—underscoring the importance of adhering to best practices for password management.

Infographic with tips on protecting your accounts with stronger passwords
  • An eight-character password consisting of only upper and lowercase letters can be cracked in just 2 seconds.1
  • Dictionary words, number sequences and personal information may make passwords easier to crack.
  • More than 50% of people reuse passwords,2 and weak, reused, or stolen passwords are the cause of 81% of confirmed breaches.3
  • The longer and more complicated your passwords are, the stronger they'll be.

Here's an example:

  • Weak: RockyCat
  • Better: R0ckyCaT2
  • Best: b3stC@tR0C|<Y!

Tips:

  • Make your password easy for you to remember but hard for anyone else to guess.
  • Avoid using actual words or popular phrases.
  • Create a unique password for every account.
  • Enable multifactor authentication.
  • Change your password every 3 months.

Source:

1 Hive Systems 2023 password table
2 Google/Harris Poll Online Security Survey
3 LastPass The Password Exposé

Business email compromise prevention

While these deceptive strategies are becoming increasingly complex, BEC attacks may be thwarted through a commitment to staying abreast of the latest scams and an investment in ongoing fraud and cybersecurity awareness training.

Business email compromise training

When it comes to preventing business email compromise, your employees are typically your first line of defense. Take the time to educate your employees on the threat of BEC, teaching them about the characteristics that often give away an email's bad intent. The following checklist may help employees identify suspicious emails.

  • Are there misspelled words or poor grammar?
  • Does the greeting sound unusual for the sender?
  • Are there any irregularities in the email address?
  • Does the email create a sense of urgency?
  • Is there a request to send money or purchase gift cards?
  • Are you being asked to share financial facts, login details or other sensitive information?
  • Does the email request a change in normal procedure, such as payment to a new account or address?

A major component of business email compromise training involves coaching employees on how to double-check financial requests—for example, ensuring that invoice addresses are correct, amounts are cross-referenced and the recipient is who they claim to be.

When an email involves a financial transaction or request to share sensitive information, it's essential that it be verified. Encourage employees to confirm the legitimacy of the request by contacting the sender using previously known contact information. It's also wise to institute a policy that puts two pairs of eyes on every financial transaction to verify details.

Implement strong cybersecurity practices

To help prevent BEC attacks, every person on staff must make it their business to keep the company safe. This includes using passwords that are strong and unique, setting up multifactor authentication, or MFA, and not using personal email accounts, which may make it all too easy for a fraudster to spoof an email address.

As part of your company's risk management efforts, you may also consider evaluating the benefits of cybersecurity insurance. Given how widespread cyberattacks have become, cybersecurity insurance may be a sound investment for many organizations—particularly those that store customer data, intellectual property or sensitive information.

A well-built cybersecurity program isn't something that begins and ends in the IT department. Instead, strong cybersecurity requires a set of protocols that permeate the entire organization.

In the years to come, business email compromise will almost certainly continue to be a threat to companies around the globe. But with the right training and internal procedures, organizations may greatly reduce the likelihood of BEC attacks—while also protecting themselves from other cybersecurity events, including costly data breaches.

No matter how complex these schemes become, the best means of beating them remains the same—encouraging your staff to stay vigilant.

Key takeaways

  • The essential premise of business email compromise, or BEC, is impersonation, with the sender hoping to deceive the recipient into diverting money or sensitive information.
  • When it comes to prevention, your employees are typically your first line of defense. Train them to recognize common signs of scam emails.
  • Encourage employees to verify all requests for money or sensitive information via previously known contact information—consider requiring two pairs of eyes to confirm the details of every financial transaction.

Links to third-party websites may have a privacy policy different from First Citizens Bank and may provide less security than this website. First Citizens Bank and its affiliates are not responsible for the products, services and content on any third-party website.

This material is for informational purposes only and is not intended to be an offer, specific investment strategy, recommendation or solicitation to purchase or sell any security or insurance product, and should not be construed as legal, tax or accounting advice. Please consult with your legal or tax advisor regarding the particular facts and circumstances of your situation prior to making any financial decision. While we believe that the information presented is from reliable sources, we do not represent, warrant or guarantee that it is accurate or complete.

Third parties mentioned are not affiliated with First-Citizens Bank & Trust Company.

First Citizens Bank is a Member FDIC and an Equal Housing Lender icon: sys-ehl.

NMLSR ID 503941