What You Need to Know About Business Email Compromise


The internet has enabled a variety of businesses to open and expand in ways that many previously thought were impossible. But nothing is without risks; the internet is constantly evolving, bringing with it new security challenges.

One of the most common threats to businesses of all sizes is business email compromise. Often referred to as BEC, these attacks are designed to steal money or data from a business by tricking the unsuspecting recipient into transferring money or opening a malicious file. And these scams are frequently successful; in fact, BEC attacks increased by 81% last year.

Despite the seemingly high success rate, there are ways to protect yourself and your business from falling victim to a BEC attack. It requires education and continuous training for every employee within your business. And the good news is that education and training are working!


What Does Business Email Compromise Look Like?

It helps to know what to look for when it comes to an email scam. There are three telltale signs of a BEC attack:

    1. The sender’s email is slightly off. The tone from the sender may be different or uncharacteristic, or there may be spelling or grammatical errors, such as a letter or two missing. Sometimes, the domain name is altered.
    2. The email uses urgent language in the subject line, the body, or both. TIP: If you’re feeling rushed and asked to act rapidly, it’s probably a scam.
    3. The email asks for a money transfer or asks you to share login information or some other sensitive business credential.
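The three signs above can be turned into a simple triage check a mail administrator could run over inbound messages before they reach a recipient. The following is an added example, not code from the original article or from any vendor it mentions: it compares the sender's domain against a constructed allow-list of vendor domains on file (flagging near misses such as a single missing or swapped letter), and looks for urgency language and for requests involving payments or credentials. The domain list, keyword lists, and sample messages are all assumptions constructed for the example.

```python
"""Heuristic BEC triage for inbound mail (added example, not the article's code).

Flags the three indicators the article lists: a sender domain that is a near
miss of a trusted vendor domain, urgency language, and a request for a money
transfer or credentials. Trusted domains and keyword lists are constructed
for this example and would be replaced by a business's own records.
"""
from email.utils import parseaddr

# Constructed allow-list of vendor domains a business has on file (assumption).
TRUSTED_DOMAINS = {"acme-supplies.com", "northwind.com", "example-bank.com"}

# Constructed keyword lists; real deployments tune these to their own mail.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today",
                 "before close of business")
PAYMENT_TERMS = ("wire", "transfer", "payment", "bank account", "routing",
                 "invoice", "password", "login", "credentials")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings; 1 or 2 means a near-miss domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header such as 'Pat <pat@x.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain this sender domain imitates, or None.

    An exact match is trusted; a domain within max_dist edits of a trusted
    one (a letter missing, swapped, or added) is reported as a lookalike.
    """
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_dist:
            return t
    return None


def triage(msg: dict) -> list:
    """Return the list of BEC indicators found in a message.

    msg is a dict with 'from', 'subject' and 'body' keys (constructed format).
    """
    flags = []
    dom = sender_domain(msg.get("from", ""))
    target = lookalike_of(dom)
    if target:
        flags.append(f"sender domain {dom!r} resembles trusted {target!r}")
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(t in text for t in URGENCY_TERMS):
        flags.append("urgent language")
    if any(t in text for t in PAYMENT_TERMS):
        flags.append("asks for payment or credentials")
    return flags


if __name__ == "__main__":
    # Constructed sample: one lookalike vendor message and one ordinary one.
    suspicious = {
        "from": "Accounts Payable <ap@acme-supplies.co>",
        "subject": "URGENT: updated wire instructions",
        "body": "Please send today's payment to our new account.",
    }
    routine = {
        "from": "Pat <pat@northwind.com>",
        "subject": "Q3 catalog",
        "body": "Attached is our fall catalog.",
    }
    for m in (suspicious, routine):
        print(m["subject"], "->", triage(m) or ["no indicators"])
```

A message that trips all three checks is a strong candidate for the out-of-band verification the article recommends; a clean result is not proof that a message is safe, since a compromised but genuine vendor mailbox passes the domain check entirely, which is why the verification step still applies to any unusual request.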

“It’s our natural tendency as humans to trust,” said Michael Lawlor, President, Netwide Technical Solutions based in Pembroke, MA. “But trust your instincts – if it doesn’t seem right and something is off about a particular email, you’re probably right to be suspicious.”


Verify, Verify, Verify

With seemingly obvious signs of a malicious email, how do so many businesses find themselves falling for it?

“We hear a variety of reasons from ‘I was distracted’ to ‘I was rushing’,” said Kristen Shaughnessy, VP, Treasury Management Officer at Rockland Trust. “The fraudsters know what they’re doing; they know when to send these emails to catch you off guard. This is why it’s so important to stay vigilant and always remember to verify.”

One common BEC scheme is an email posing as one from a trusted vendor. Verifying any vendor transaction requests directly is a great way to avoid falling for a BEC scam. Create a list of confirmed contacts at each of your vendors to ensure you can speak with someone you know and trust to verify what you received is a valid transaction.

But beware of a second trap: Many email scams will include a fake phone number in the email for you to call to verify. Never call the number provided in an email you believe to be a scam; use the existing phone numbers you have on file and speak with your verified contact.

“If you get a valid email with a non-valid request, you need to verify somewhere outside the email,” said Shaughnessy.


What to do if You Fall for a BEC Scam

In the security world, it’s not a question of if, but when.

“A lot of companies think they’re too small to be a target, but your money is just as green as theirs,” said Lawlor. “It doesn’t matter if you’re a multimillion-dollar company or not, $20,000 is $20,000.”

Though you can take every step to protect yourself and your business from falling victim to a BEC attack, there is always the possibility that it can still happen — and you need to be prepared for that.

“These scams are real and they happen all the time. We’ve worked with a number of companies that have been tricked into falling for one of these scams,” said Shaughnessy. “When that happens, it’s important to acknowledge you made a mistake. In fact, making it known that something happened is really important to try to stop the risk from spreading.”

If you suspect your information may be compromised as a result of a BEC scam, there are three things you should do immediately.

    1. Call your bank. Alert your banker to what happened and freeze your accounts. This will give you time to look into everything without risking additional financial impact.
    2. Call your IT contact. Whether they are in-house or an outside partner like Netwide Technical Solutions, it’s critical to loop them into the situation. Having an expert cyber-security resource will ensure that you can identify what was compromised as well as get a clear picture on damage and recovery.
    3. File a report. Even if no money is lost, reporting the event to police is important because it could be tied to other incidents. It’s ultimately about helping others and trying to catch and stop the scam before it can impact someone else. In addition to filing a report with your local police department, consider reporting the event to the Federal Bureau of Investigation through their Internet Crime Complaint Center.


If you fall for a BEC scam, remember that you’re not alone. Take these steps to mitigate the impact on your business and learn from the event. Recognize what happened and put processes into place to try to prevent it from happening again in the future.


Creating a Culture of Continuous Education

The Nigerian Prince email scams don’t have the same impact today because of education — people shared their experiences so others could learn from them. This culture of knowledge sharing is one every company should adopt and implement.

“If you don’t create a culture that encourages employees to share when they make a mistake, you can lose valuable time to stop a scammer from making off with your hard-earned money,” said Lawlor. “And this culture should be rooted in continuous education. Roughly 95% of all compromises are because of human error, so consistently providing reminders and training to employees on email scams can help reduce the risk of falling victim to one in the first place.”

How often should you be training your employees on email security? A good rule of thumb is that every new employee should receive email security training when they start, and all existing employees should complete email security training a minimum of once per year (ideally every quarter).


Be Smarter Than the Scammers

There is no season for scammers, and scams are getting more creative. Don’t let curiosity hurt the business. Protect yourself and your business from falling victim to BEC scams by educating both yourself and your team on what to look for. Slow down and verify that any email or request received is legitimate. A timely phone call to your existing contact can prevent a costly mistake in dollars and reputation.

When in doubt, call your banker before you transfer any money. They can help you verify and determine if the email request you received is valid.
