How To Avoid Business Email Compromise Fraud

How Does Email Compromise Work? 

A typical Business Email Compromise attack will target one or more employees. Essentially it’s a type of targeted phishing scam with the bad guys pretending to be high-level managers, legal representatives, CEOs, or other C-Suite execs — often someone an employee feels they shouldn’t challenge. 

The most straightforward type of attack is to create an email address that’s similar to the target company’s domain name, or simply hack into the real one. The email then tricks an employee into handing over sensitive data or carrying out a financial transaction — often stating the action is “urgent” and can’t wait. They’re designed to add pressure and exploit our emotions, like fear and trust. 

These scams can be very damaging to both large and small businesses alike. Small to mid-size companies increasingly rey on remote team members and contractors, plus regular but small-time suppliers. Not only is email the main form of communication, but the trust that’s implicit within smaller teams and business networks can often mean people act without question.

A Closer Look at Business Email Compromise Attacks

Just like cybercrime in general, these types of attack are ever-evolving, but the most common forms you might come across are the following:

• Business Executive Scam: as outlined above, scammers pretend to be high-level execs or legal representatives who need a time-sensitive transfer. 

• Supplier Swindle: fake invoices are received via email from what looks like trusted or regular suppliers — except the money will go to the fraudsters account. 

• Account Compromise: a bit like the “Supplier Swindle” in reverse, with an employee’s email being compromised and used to ask for payment from others. 

• Data Theft: often targeting HR teams, this approach is designed to get sensitive data such as employee tax or salary details — used for larger future attacks. 

Now It’s Getting Personal

The above examples may be the most common Business Email Compromise cases, but attacks are increasingly incorporating more sophisticated techniques. Criminals are now doing more extensive research on individuals to create clearer profiles, helping them discover the best way to target people through email.

A typical Business Email Compromise example might now involve the criminals looking at your social media output. Perhaps they spot that you often attend professional networking events, or that you will be attending one soon. That “I’m looking forward to…” post on LinkedIn seemed so harmless, right? 

As soon as they know what you like or where you’re going to be, they can email you a fake invite or updated itinerary loaded with links that could compromise your computer — and your company network. Once they’ve broken into your system, just think of the damage they could do with all those email addresses, financial records, and customer details.   

How to Spot and Stop Attacks

The main thing is to stay alert to the threats that can come via your email, and to train your employees to do the same. Prevention is way better than cure. So it’s essential to be wary of any “urgent” payment transfers, or anyone asking for sensitive data — no matter who they might be. 

If you think you’ve received a fraudulent email but aren’t 100% sure, here’s a quick checklist to help you make the right decisions:

1. Check sender: hover over the sender’s name and check if it’s their legit email address — just because you recognize the name doesn’t mean it’s really them. 

2. Check recipients: take a look at the number of people the email is addressed to — lots of random recipients could mean a phisher trying their luck.

3. Check spelling: scan for obvious typos and errors that wouldn’t normally occur, which can often be a giveaway — especially in official-looking emails.

4. Check links: hover over any hyperlinks to check exactly where they lead before actually clicking them — does the destination look right?

5. Check attachments: don’t simply open, look for suspicious file names or types —  EXE files are common for attacks, as is using ZIP files or RAR archives to hide them.

It’s also very common for these fraudulent emails to come through at the end of the working week. That’s when brains are tired and time is even more sensitive. But a quick DM or phone call to the requester (just to double-check it’s really them) all it takes to verify a request is genuine. 

Remember that you may not be the only one targeted, so always report suspicious activity to the appropriate team member or file a complaint with the IC3. Even if you didn’t fall for the scam, someone else might. So don’t simply send scam emails straight to the Trash folder. 

The Importance of Two-Factor Authentication

One key way of helping to stop the business email scammers in their tracks is through two-factor authentication (2FA). Why is 2FA so important for business email? In a nutshell, because it requires a separate one-time code that confirms your identity while logging in. Often sent via SMS/text, it offers an extra layer of security on top of your username and password. It means your account is far less likely to be hacked and/or then used to scam others. 

Make sure you have 2FA set up for your business. Most good email providers should offer this as standard these days. Namecheap, for example, adds 2FA for free with all Private Email packages. But be sure to check it’s available with your current email provider. 

In the End, It Still Comes Down to People

People should be every company’s greatest asset. Where business email security is concerned, they can also be the weakest link. That’s why it’s important to not only keep email security tip-top, but to stay vigilant to the increasing amount of threats that can easily hit your inbox and compromise your business. 

The post How To Avoid Business Email Compromise Fraud appeared first on Namecheap Blog.