Scammers often manipulate people’s natural tendencies to achieve their goals through a technique called social engineering. In BEC, scammers research a company to familiarize themselves with the hierarchy, terminology, and schedules of its employees. The scammers can then hack or spoof the email account of a CEO or other executive and request a wire transfer payment from a lower-level employee. Lower-level employees tend to obey these emails without thinking, out of respect for authority or instinctive trust. In contrast to the mass email attacks of phishing, this targeting of specific individuals or small groups of people is called spear phishing.
Variations on this same formula exist, but they all fall under the broad category of business email compromise. BEC targets can be small businesses, county governments, or large tech companies like Facebook and Google, which lost over $100 million to BEC in 2017. Scammers may attack high-level executives, members of the finance department, or members of the HR department in a company. They may be looking for large wire transfers, bank account information, employee tax documents, or other confidential information. Malware may also be used to gain access to employees’ accounts. Ultimately, the end result is the same: a catastrophic loss to the company.
Unfortunately, the consequences of business email compromise crimes stretch beyond a massive loss of money. If the perpetrator isn’t caught, the CEO and other employees may be fired, and the company may go bankrupt. It’s in everyone’s best interest to work as hard as they can to prevent BEC from occurring at all.
There are two ways we can approach BEC prevention: the technology side and the human side. From the technology side, companies can improve the security of their email gateways, whether through email filters or multi-factor authentication. From the human side, companies can train employees, especially those in finance and HR, to be aware of BEC and to recognize suspicious emails. These emails tend to have a tone of urgency, and the names and domain extensions in the email addresses may be slightly misspelled. Employees can learn to pay attention to these details and quickly spot fraudulent attempts. Companies can also introduce a policy stating that wire transfers may only occur with both email and phone call confirmations to ensure the validity of the request.
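The two warning signs named above, a sender domain that is almost but not quite the real one and a body full of pressure to pay right now, are exactly what a simple gateway filter can score. The following is an added example, not code from the original article or from any vendor's product: a small Python triage routine that compares the sender's domain against a list of trusted domains (the list and the sample messages are constructed for this illustration), catches look-alike spellings such as `rn` for `m` or `0` for `o` plus small edit distances, flags a Reply-To header that points somewhere other than the From domain, and counts urgency and payment phrases. The phrase list and the distance threshold of 2 are tuning choices for the example, not established values.

```python
import re
from email.utils import parseaddr

# Constructed list of the company's own domain and a trusted partner (not real data).
TRUSTED_DOMAINS = {"examplecorp.com", "acme-partners.com"}

# Phrases that carry the "act now, tell no one" pressure typical of BEC requests.
URGENCY_PHRASES = (
    "urgent", "immediately", "right away", "today", "wire transfer",
    "confidential", "do not call", "before end of day", "gift card",
)

# Digit look-alikes attackers substitute so a domain reads like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Lower-case, map digit look-alikes, and collapse 'rn' -> 'm', 'vv' -> 'w'."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 or 2 from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Domain of the actual address, ignoring the display name in front of it."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' (close to a trusted domain) or 'external'."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    nd = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if nd == normalize_domain(trusted) or levenshtein(nd, trusted) <= 2:
            return "lookalike"
    return "external"


def urgency_score(text: str) -> int:
    """Number of distinct pressure/payment phrases present in the text."""
    lowered = text.lower()
    return sum(1 for phrase in URGENCY_PHRASES if phrase in lowered)


def triage(from_header: str, reply_to: str, subject: str, body: str) -> dict:
    """Score one message and explain why it was (or was not) flagged."""
    domain = sender_domain(from_header)
    verdict = classify_domain(domain)
    reply_domain = sender_domain(reply_to) if reply_to else domain
    score = urgency_score(subject + " " + body)
    reasons = []
    if verdict == "lookalike":
        reasons.append(f"sender domain {domain} resembles a trusted domain")
    if reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    if score >= 2:
        reasons.append(f"{score} urgency/payment phrases in subject and body")
    # Flag look-alikes, redirected replies, and pushy mail from outsiders;
    # routine internal mail with no pressure language passes.
    flag = verdict == "lookalike" or reply_domain != domain or (verdict == "external" and score >= 2)
    return {"domain": domain, "verdict": verdict, "urgency": score, "reasons": reasons, "flag": flag}


# Constructed sample messages (not real mail) covering the cases discussed above.
SAMPLE_MESSAGES = [
    ("CEO <ceo@examplecorp.com>", "", "Q3 board deck", "Attached is the deck for Thursday."),
    ("CEO <ceo@exarnplecorp.com>", "", "Urgent wire transfer",
     "I need this done immediately and keep it confidential. Do not call me, I am in a meeting."),
    ("Jane <jane@examplecorp.com>", "jane.ceo@freemail-example.net", "Quick favour",
     "Can you buy gift cards today?"),
]


def run_samples() -> list:
    return [triage(*msg) for msg in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for result in run_samples():
        print(result["flag"], result["domain"], result["verdict"], result["reasons"])
```

The second sample is the classic executive impersonation (`exarnplecorp` normalizes to the real domain), and the third shows why the Reply-To header matters: the From address is genuine, but answers would go to an outside mailbox. A filter like this is a first pass only; it supports the phone-call confirmation policy described above rather than replacing it.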
Email is an invaluable tool in the modern-day, fast-paced workplace. But all technology comes with its risks, and frauds like BEC are among them. With the right security and training measures in place, companies can avoid losing serious amounts of money and resources to global scammers.