Cybercrime continues to grow in scope and cost, according to a new report from the Federal Bureau of Investigation. In March 2022, the FBI’s Internet Crime Complaint Center (also known as IC3) released its 2021 Internet Crime Report, which revealed a 7% increase in internet crime from 2020. During the same time frame, the FBI found that potential losses increased 64% to a total of $6.9 billion.
While some types of internet crime have fallen in recent years, business email compromise (BEC) scams increased in both the number of victims impacted and the total victim loss. In fact, BEC scams caused $2.4 billion in potential losses in 2021 alone.
Fortunately, businesses can take measures to prevent BEC scams. To help you avoid falling victim to them, we’ve put together this primer on BEC attacks, how you can prevent them, and what to do if your company has been successfully targeted.
Business email compromise scams are a specific type of crime that relies on social engineering – tricking a target into believing and acting a certain way. In BEC scams, a fraudster attempts to defraud a business by posing as someone a target trusts, such as a company executive.
The FBI has historically identified five main types of BEC scams, but all the types typically rely on a fraudster gaining access to legitimate business email accounts. These scams also sometimes use email addresses that are made to look like legitimate accounts in a process called “spoofing.” But no matter how a fraudster carries out these attacks, the scams almost always rely on a sense of urgency and appeals to authority.
For example, a cyberattacker involved in a BEC scam may compromise a company official’s email account and then send an urgent email to the accounting department late on a Friday afternoon. The email may insist that the business’s accountant immediately wire funds to a third-party business partner to complete an ongoing project on time. Of course, the supplied account is actually controlled by the fraudsters, but the unsuspecting employee may believe this is a legitimate request and transfer the money.
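The red flags in that scenario (an executive's name on a lookalike address, a diverted Reply-To, urgent wording, wire instructions) can be surfaced automatically before a message reaches the accountant. The following triage script is an added example, not from the article or the FBI report; the executive directory, legitimate domains and sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed (assumed) directory: known executives and the company's real domains.
EXECUTIVES = {"dana.ortiz@example-corp.com": "Dana Ortiz"}
LEGIT_DOMAINS = {"example-corp.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|before (close|cob))\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|new (bank )?account|routing)\b", re.I)

def levenshtein(a, b):
    """Edit distance, used to spot domains one or two characters off a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_red_flags(raw_message):
    """Return the list of BEC red flags found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.lower().rsplit("@", 1)[-1]
    flags = []
    # Display name of a real executive, but the address is not that executive's.
    if any(name.lower() == n.lower() and addr.lower() != a for a, n in EXECUTIVES.items()):
        flags.append("display-name impersonation")
    # Domain a character or two away from a legitimate one (e.g. the letter l swapped for 1).
    if domain not in LEGIT_DOMAINS and any(levenshtein(domain, d) <= 2 for d in LEGIT_DOMAINS):
        flags.append("lookalike domain")
    # A Reply-To that differs from From silently redirects the conversation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to mismatch")
    body = msg.get_payload()
    for label, pattern in (("urgency", URGENCY), ("payment instructions", PAYMENT)):
        if pattern.search(body):
            flags.append(label)
    return flags

# Constructed sample message modelled on the Friday-afternoon scenario above.
SAMPLE = """From: Dana Ortiz <dana.ortiz@examp1e-corp.com>
Reply-To: dana.ortiz@mail-examp1e.net

Please wire the final payment to our partner's new account today so the
project stays on schedule. I'm in meetings, so reply by email only.
"""
```

Running `bec_red_flags(SAMPLE)` returns all five flags; a message from the real executive address with no payment language returns an empty list, so the output can feed a mail-gateway banner or a ticket for the finance team rather than an automatic block.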
In a new twist, the IC3 said it has observed fraudsters taking advantage of potentially lax remote cybersecurity arrangements to also carry out BEC scams via online meeting platforms. In this variation of the attack, a fraudster would compromise a business leader’s online meeting credentials before inviting a targeted employee to a video meeting. In the meeting, the fraudster would claim to be having audio and visual connection issues before issuing wire-transfer instructions. Indeed, BEC scams were part of a rise in business scams during the COVID-19 pandemic, when more people started working from home.
Business email compromise scams can be difficult to defend against, as they largely rely on exploiting human psychology rather than technical vulnerabilities. This means that many technological methods of securing computers and other devices or systems from hackers don’t work against BEC scams.
Even so, being targeted by BEC scams is not inevitable. Some best practices to improve cybersecurity in general can also prevent BEC scams. Even some quick cybersecurity tips that take less than an hour to implement can make a difference.
For BEC scams in particular, these defensive actions can better protect your business:
Technological controls like firewalls and antivirus software cannot defend against BEC scams. However, you can limit the potential damage of these attacks by training employees on the red flags and fostering a culture of open communication with management.
If you believe you’ve been the victim of a BEC scam, especially if a money transfer was initiated, it’s important to act immediately. The FBI recommends contacting your business’s financial institution so it can tell the receiving bank to freeze the funds. You should also ask your financial institution to attempt to recall the money.
The FBI also suggests immediately contacting your local FBI field office to file a complaint with the IC3. The IC3 Recovery Asset Team (RAT) specializes in freezing victim funds that were transferred under fraudulent pretenses. To date, the RAT has a success rate of 74%.
Within your company, you’ll want to assess how many email accounts the attacker targeted and see if they managed to compromise any other systems. You should alert employees to the breach – not to create panic but to reinforce your business’s cybersecurity protocols.
Develop a concrete protocol for how you’ll mitigate the damage of a data breach in your company, and include your strategy for when an employee falls prey to a financial scam. This could even be part of a comprehensive disaster preparedness plan for your business, addressing everything from data loss to hurricanes.
The data from the FBI report makes it clear: Business email scams are increasing. Of course, that doesn’t mean your company is guaranteed to be attacked. But as technology evolves, it’s possible that such internet crimes will become more sophisticated and convincing, making it easier for businesses to fall prey. Still, with the proper procedures in place, businesses can at least get a head start on any attacker trying to defraud them.
In the event of a successful attack on your business, you can mitigate the consequences if you already have a response plan. Read our complete small business guide to cybersecurity for more guidance on preventing and responding to cyberattacks.