How businesses can guard against email scams

Companies can implement specific procedures to help mitigate the impact of some phishing and cyberattacks.


According to the FBI’s Internet Crime Report, business email compromise (BEC) is one of the most financially damaging online crimes. In 2022, there were nearly 22,000 related complaints, and businesses lost more than $2.7 billion to these scams. BEC is a scam that targets businesses rather than individuals — although there are similar types of consumer-focused scams called email account compromises.

While BEC always involves taking over or imitating a business email account, the scheme can play out in several ways. For example, the scammer might take over or imitate an email from an executive. They might then reach out to an employee on the finance team with an urgent request for a money transfer and have funds sent directly to the scammer’s account. Or the fake executive might ask an employee to buy and send them gift cards, which they can quickly cash out or resell.

In some BEC schemes, the criminals attack from a different angle. For example, rather than targeting a business directly, they could compromise a vendor’s email account and monitor the email account activity. After the vendor sends a legitimate invoice, the scammer quickly follows up as the vendor, apologizes for a mistake in the payment information and asks for the payment to be sent to a different account.

BEC is not always about the money transfers though. Some BEC attackers might be after employees’ personal information or data about the company, which they can then sell on the dark web or use as the basis for a different attack in the future.

What could happen if a business is targeted?

Unlike the scam emails that get sent to thousands of people at a time, the criminals running BEC schemes often conduct well-researched and coordinated attacks. For instance, the scammer might spend days learning about the company and monitoring its social media activity. They might even wait until the business is at a conference before springing into action, then use the trip as the basis for an urgent request. For example, they might pose as the business owner and send an email with an urgent wire transfer request, claiming that a merger or acquisition was just made and the money is needed right away. If an employee responds, the business might be out tens of thousands of dollars.

Scammers are also quick to test new methods, just as successful businesses pivot to address changing circumstances. In February 2022, the FBI warned about the rise of BEC schemes involving virtual meeting platforms during the previous three years. The scammers send a meeting request as the CEO or CFO of a company, use deepfake audio to replicate the executive’s voice, and then request a funds transfer during the meeting or in a follow-up email.

How does phishing play a role?

In most instances of BEC, as well as other cyberattacks, phishing plays a part in the fraud. However, even when phishing is not the leading cause of an attack, it’s often used by cybercriminals in preparation for the actual attack. To protect against phishing, BEC and other cyber threats, businesses should be cyber risk aware. Training employees and implementing email security protocols can help prevent these types of attacks and reduce losses.

What steps can be taken to help protect the business?

Establish an Electronic Funds Transfer (EFT) Policy

This policy requires all employees to confirm that any email requesting a transaction, such as a direct deposit or an electronic funds transfer, is legitimate. Employees can verify that these requests are authentic by calling the sender directly, whether that’s another employee, vendor or supplier. It’s also important that employees do not contact the payee using any email address or phone number included in the electronic funds transfer request. This contact information can easily be fake and part of the scam. Employees should always rely on contact information that comes from the business.

In addition, it is important to make sure employees can recognize red flags in scam emails such as look-alike or different reply-to addresses. Scammers might send an email from an address that looks very similar to the company’s email such as ceo@c0mpany.com instead of ceo@company.com, or they can make the from address look exactly like the company’s, but the reply-to address is the scammer’s email account.
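The two header red flags described above can also be checked automatically. The following is an added example, not part of the original article; it assumes the organization's real domain is company.com, and the sample messages and the character-swap table are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "company.com"  # assumption: the organization's real domain
# Digit-for-letter swaps seen in look-alike domains (constructed, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample messages.
LOOKALIKE = "From: CEO <ceo@c0mpany.com>\nSubject: Urgent wire\n\nPlease pay today."
REPLY_TO = ("From: CEO <ceo@company.com>\nReply-To: ceo@mailbox.example\n"
            "Subject: Urgent wire\n\nPlease pay today.")
CLEAN = "From: CEO <ceo@company.com>\nSubject: Agenda\n\nSee you Monday."


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if missing or malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, to catch one-character typos in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(raw_message):
    """Return the header red flags found in one raw message."""
    msg = message_from_string(raw_message)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if reply and reply != sender:
        flags.append(f"reply-to domain {reply} differs from sender domain {sender}")
    if sender != TRUSTED:
        normalized = sender.translate(SWAPS).replace("rn", "m")
        if normalized == TRUSTED or edit_distance(sender, TRUSTED) <= 1:
            flags.append(f"sender domain {sender} imitates {TRUSTED}")
    return flags


if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("reply-to", REPLY_TO), ("clean", CLEAN)]:
        print(name, red_flags(raw))
```

A check like this supplements the phone verification described above; it does not replace it, because a message sent from a genuinely compromised account raises neither flag.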

Another red flag involves short messages that create a sense of urgency and a need for secrecy. The scammers could use a false pretense to ask for a quick response to an urgent request and keep recipients from asking others for advice. For example, the threat actor might ask an employee to buy 15 gift cards today and not tell anyone because they’re going to be a surprise thank-you gift for the team tomorrow.

Businesses should also beware of unusual timing and requests for changing account information. The attack could start during off-hours or a holiday, which plays into the idea that it’s an urgent request and could keep the recipient from verifying details with others. While a change in the payment instructions, direct deposit forms or other account information could be legitimate, it is also a red flag. It’s important for employees to try to verify the request by phone using a number that’s not listed in the email.

Check the real sender domain in emails

Many BEC scams are difficult to catch because they rely on a mixture of technological know-how and social engineering (the psychological manipulation of someone). For example, an employee may receive an email that looks like it was sent from a vendor with a link to download and pay an invoice. However, this link might open a malicious webpage or harmful content. In situations like this, employees need to verify that the sender is legitimate.

To verify an email, it’s important to double-check the email address from the sender. Many scammers use names that look like they’re from someone in the company. Employees can also hover over the email address and look at the domain that the email is coming from to make sure that it’s from a trusted source. This includes hovering over any embedded links within the email to see the URL. If it does not match with what is displayed in the email or the person or company that’s sending the email, it’s likely phishing.
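The hover check on embedded links can be reproduced in code by comparing each link's real target with the text it displays and with the sender's domain. This is an added example, not part of the original article; the HTML body and the vendor.example sender domain are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_TEXT = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
# Constructed sample body of an email that claims to come from vendor.example.
BODY = ('<a href="https://vendor-billing.example.net/pay">https://vendor.example/invoice</a>'
        '<a href="https://portal.vendor.example/help">Help</a>'
        '<a href="https://files.example.org/inv.zip">Download invoice</a>')


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host(url):
    """Host name of a URL; bare 'example.com/path' text is treated as a URL too."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()


def mismatched_links(html_body, sender_domain):
    """Return links whose real target differs from the shown text or the sender."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host(href)
        shown = host(text) if URL_TEXT.match(text) else ""
        if shown and shown != target:
            findings.append((text, target, "shown URL differs from real target"))
        elif target != sender_domain and not target.endswith("." + sender_domain):
            findings.append((text, target, "target is outside the sender's domain"))
    return findings
```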

Protect email domain and authenticate emails

There are three email security protocols that can help prevent phishing attacks by providing proof that an email is legitimate. While each can provide adequate protection, it is recommended to combine all three protocols for the best results.

The Sender Policy Framework (SPF) protocol restricts who can use an organization’s email domain, while the DomainKeys Identified Mail (DKIM) protocol ensures that the content of an email has not been altered.

The third protocol is Domain-based Message Authentication, Reporting and Conformance (DMARC), which ties SPF and DKIM together. It provides instructions about what to do with an unauthenticated email (no action, quarantine or reject).
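How DMARC ties SPF and DKIM together is easiest to see by evaluating a policy record against the results a receiving mail server computes. This is an added example, not part of the original article; the two records and the domain company.com are constructed, and the organizational-domain check is a labelled simplification.

```python
# Constructed sample records for the assumed domain company.com.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@company.com"
ENFORCE = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@company.com"


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Naive organizational domain: the last two labels. Real receivers
    consult the Public Suffix List, so this is wrong for names like co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated domain) pairs from the receiver.
    Returns 'deliver' when DMARC passes, else the published policy."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return "deliver" if spf_ok or dkim_ok else tags.get("p", "none")


if __name__ == "__main__":
    # A message claiming to be from company.com whose SPF pass belongs to another domain.
    spoof = dict(from_domain="company.com", spf=("pass", "bulk.example.net"), dkim=("none", ""))
    for record in (MONITOR, ENFORCE):
        print(disposition(record, **spoof))
```

The same unauthenticated message gets "none" (no action, report only) under the monitoring record and "reject" under the enforcing one, which is why a domain that stays at p=none gains visibility but no blocking.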

Use multi-factor authentication to avoid phishing attacks

If a phishing attack succeeds in stealing user access information, multi-factor authentication can help prevent the attacker from gaining access to the computer systems. With multi-factor authentication, a login requires additional information beyond the login credentials. For example, it may require a PIN or approval from another device to authorize the login.

Create a phishing training and awareness program

Training is the best way to prevent a BEC attack and should include education on the definition of phishing attacks with examples, regular testing of employees’ knowledge, as well as resources and information on what employees should do if they think they’ve fallen for a phishing attempt. Businesses may also want to have additional training for executives and finance teams as they are often targets for BEC attacks.

There are also different training tools businesses can use. For instance, many scammers start an attack by trying to trick someone into installing malware that they can use to take over or monitor an email account. Some software vendors offer free phishing simulation tools that companies can use as a part of their ongoing training.

What to do if the company falls victim to a BEC attack?

After a BEC attack, the business should immediately contact the financial institution to see if it can reverse the transfers or payments. Companies can also work with their IT team to make sure devices and accounts are secure, which may involve changing passwords and updating security measures. Additionally, the business should report the incident to the FBI’s Internet Crime Complaint Center and include as many details as possible because the report can help the FBI track and stop these types of crimes.

From phishing attacks to ransomware, businesses of all sizes and individuals face many cyber risks. That’s why it’s important to partner with an experienced insurer that can help protect business operations. Cyber insurance should be an important part of any company’s incident response plan with a holistic approach that provides coverages encompassing data breaches, ransomware and business interruption.

Threats to cybersecurity should be taken seriously for the safety, security and stability of business operations and industry success. Companies must prepare and have tactics ready to go in case of an incident because it is likely that any business can be attacked.

Anthony Dolce is Head of Professional Liability and Cyber at The Hartford. He frequently speaks at cyber-related events around the country, authors thought leadership pieces and serves on several insurance industry groups. He holds the Certified Information Privacy Professional (CIPP/US) and the Registered Professional Liability Underwriter (RPLU) designations.
