Anatomy of a Business Email Compromise

Dr. Ronald Menold, Director of Cybersecurity Services at COSECURE, shares insight into the business email compromise, a sophisticated way for cyber criminals to divert funds from legitimate business-to-business transfers.

March 02, 2023 — by Dr. Ronald Menold, Director of Cybersecurity Services, COSECURE Cybersecurity

Cybercriminals steal billions of dollars from small businesses every year, and one of their favorite methods is the business email compromise (BEC), a sophisticated way to divert funds from legitimate business-to-business transfers.

A Common Example of How BEC Works

A prevalent form of BEC starts with an employee’s email account being hacked. Once inside that email account, the cybercriminal has access to your business’s correspondence with your vendors and can identify vendors that invoice you regularly for significant sums of money.

Next, the cybercriminal creates a rule in the hacked email account that diverts emails from one of these vendors into a hidden folder so that they no longer appear in the hacked recipient’s inbox. At the same time, the criminal impersonates the vendor by using an email address that’s very similar to the real vendor’s address, often with a slight misspelling of the vendor’s domain name. From this lookalike address, the cybercriminal sends an email with new banking information or other payment instructions, asking your business to update its records.

Because the cybercriminal created a rule that hides emails from the real vendor, going forward, you will only see correspondence from the cybercriminal. On the other hand, the cybercriminal has access to the original vendor’s correspondence and sees the invoices that are being sent to you. This information allows the cybercriminal to create fake invoices that look just like the invoices you’d expect and have no reason to suspect.
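A defender-side check for the two tells described above (a mailbox rule that moves a known vendor's messages into a rarely viewed folder, and a sender domain that is a near-misspelling of the real vendor's domain). This is an added example, not code from the article or from COSECURE; the vendor domains, folder names and rule objects are constructed for illustration, and a real deployment would feed it the rules exported from the mail platform.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist of real vendor domains the business pays regularly.
KNOWN_VENDORS = {"acme-supplies.com", "northwind-parts.com"}

# Folders that a diversion rule typically dumps mail into (constructed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (iterative dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_vendor(sender: str, vendors=KNOWN_VENDORS, max_dist: int = 2) -> Optional[str]:
    """Return the real vendor domain that the sender's domain imitates, or None.
    An exact match is the genuine vendor; a domain within max_dist edits is a lookalike."""
    domain = sender.rpartition("@")[2].lower()
    if domain in vendors:
        return None
    for v in sorted(vendors):
        if edit_distance(domain, v) <= max_dist:
            return v
    return None

@dataclass
class InboxRule:
    name: str
    from_contains: str             # sender pattern the rule matches on
    move_to_folder: Optional[str]  # destination folder, if the rule moves mail
    delete: bool = False           # True if the rule deletes the message outright

def suspicious_rules(rules: List[InboxRule], vendors=KNOWN_VENDORS) -> List[str]:
    """Names of rules that hide (move away or delete) mail from a known vendor."""
    flagged = []
    for r in rules:
        hides = r.delete or (r.move_to_folder or "").lower() in HIDING_FOLDERS
        targets_vendor = any(v in r.from_contains.lower() for v in vendors)
        if hides and targets_vendor:
            flagged.append(r.name)
    return flagged

# Constructed sample: one rule diverting the real vendor's mail, one benign rule.
SAMPLE_RULES = [
    InboxRule("Invoices", "billing@acme-supplies.com", "RSS Feeds"),
    InboxRule("Newsletters", "news@example.com", "Archive"),
]
```

Running `suspicious_rules(SAMPLE_RULES)` flags only the "Invoices" rule, and `lookalike_vendor` on a sender such as `ap@acme-suppiles.com` points back to the genuine vendor domain being imitated.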

Once the scheme is in place, it can take months to realize that you’ve been paying fake invoices and sending money to scammers and not to your real vendor. In fact, your first inkling that something is wrong may be the suspension of the vendor’s services or shipment of goods, an irate phone call from the vendor to demand payment on overdue invoices, or worse—receiving a registered letter that threatens legal action for unpaid bills.

A single successful BEC can result in very significant losses. Because cybercriminals tend to target substantial and recurring vendor relationships, it is not uncommon for hundreds of thousands or even millions of dollars to be diverted in such a scam before it is discovered.

Critically, even though the hacked business has been paying on what it believed were real vendor invoices, it is still liable to the original vendor for the same payment. Being a victim of BEC is not a defense against the vendor’s contractual right to be paid for the supply of its goods or services.

How to reduce the chances of a successful BEC

BEC is most often perpetrated on cloud-based email systems, which more and more businesses are adopting because of the convenience they offer in allowing us to log in from anywhere in the world. This is an attractive feature, especially now that so many of us are working remotely. But the fact that cloud-based email can be accessed from anywhere also makes it more vulnerable to hackers, who need only the login credentials to access your systems without being anywhere near your office.

Hackers often gain login credentials through phishing. Phishing commonly involves impersonating a business the victim knows, trusts, and uses, such as a bank, utility company, email provider, or streaming service. Typically, an email or a text is sent to victims asking them to input their login information, and when they do—the hacker sees it and gains access to the account.

While it can be hard to stop individuals from falling for phishing scams, there are two ways to reduce the risk that a successful phishing attack will lead to a successful BEC:

  1. Two-Factor Authentication (2FA). Require anyone who logs into your business email and other online systems to use extra security credentials beyond the login information.

     The most common type of 2FA is a one-time verification code the user gets by text, email, or authenticator app. Even though employees may feel that it’s annoying to take this extra step every time they log into their work system, it is one of the best options for not only stopping BECs but also making people aware if their accounts are ever hacked.

  2. Voice Verification. Make it a policy for employees to confirm any new payment instructions from a vendor with a phone call to the vendor at a previously known telephone number—not a number included in the email giving you the new instructions.

     While this step creates an additional task for your employees, it can protect your business from massive losses due to fraudulent diversion of funds. And, if the phone call shows that the vendor never sent any new instructions, you’ll know that your business’s email may have been hacked.

If you would like to find the least intrusive but most effective ways for protecting your business and your employees against BEC, we can help. Contact Dr. Ronald Menold, COSECURE Director of Cybersecurity Services, to discuss the best options for BEC-proofing your business.


Dr. Ronald Menold, Director of Cybersecurity Services at COSECURE Cybersecurity, brings deep knowledge gathered over his 24-year career as a Supervisory Special Agent with the FBI. Ronald holds a Certified Information Systems Security Professional (CISSP) certification from (ISC)2, a Certified Ethical Hacker (CEH) certification from EC-Council, and multiple SANS/GIAC certifications. Ronald holds a Bachelor's in Computer Engineering and a Doctorate in Computer and Information Security.


COSECURE Cybersecurity, an ancillary business unit of Cozen O'Connor, assesses client technology systems for cyber risks, teaches employees how to protect themselves and their companies from hackers, and helps clients respond to cyber security threats, data breaches, and financial fraud.


COSECURE, an ancillary business of Cozen O'Connor, has been on the leading edge of security and risk management for over 20 years and is actively protecting global Fortune 100 companies, law and technology firms, and high net worth individuals.
