Introduction
Running a business is like herding cats. There are so many different pieces to juggle, from chasing sales to managing employees and keeping the cash flowing. It’s easy to get tunnel vision and forget about the less glamorous stuff, like security.
But here’s the kicker: while you’re busy hustling, the bad guys are working overtime to find new ways to rip you off. Take Business Email Compromise (BEC), a scam that’s been making the rounds.
In 2024, the Federal Bureau of Investigation (FBI), the United States’ federal criminal investigative agency, revealed that businesses worldwide had lost more than $55M to BEC.
That finding makes clear that BEC has become one of the most damaging cyber threats of recent years.
In this article, we examine BEC in more detail and discuss how businesses can avoid becoming victims.
What is Business Email Compromise (BEC)?
BEC is a type of cybercrime where the scammer uses email to trick someone into sending money or disclosing sensitive company information.
The scammer poses as a trusted figure, then asks for a fake bill to be paid or for sensitive data they can use in another scam.
Unlike phishing, which often uses mass emails, BEC attacks are highly targeted and personalised, making them harder to detect.
Common tactics used in BEC attacks
BEC attackers are strategic and patient, often gathering information about their targets for weeks or months. Here are the most common tactics:
Spoofed email addresses: Attackers create email addresses that closely resemble those of trusted contacts or organisations. For example, “[email protected]” might be spoofed as “[email protected]” (using “rn” to mimic “m”).
Compromised accounts: Attackers may gain unauthorised access to legitimate email accounts and send fraudulent requests from them, which makes the messages look credible.
Urgency and authority: BEC emails often create a sense of urgency (“Transfer the funds immediately to secure the deal”) or invoke authority (“This is the CEO”) to pressure victims into acting without verifying.
Invoice fraud: Cybercriminals intercept legitimate invoices, altering bank details to redirect payments to their accounts.
Conversation hijacking: Attackers monitor email threads and insert themselves at strategic points, making their messages appear as a continuation of ongoing discussions.
How to identify BEC attempts
Detecting BEC attacks requires vigilance and attention to detail. Here’s what to watch for:
Inconsistent email addresses: Double-check sender email addresses for subtle spelling errors or domain changes.
Unusual requests: Be cautious of unexpected requests, especially those involving financial transactions, sensitive data, or password resets.
Changes in communication style: Look for unusual language, grammar mistakes, or a tone that doesn’t match the sender’s typical style.
Urgency or threats: Be skeptical of emails pressuring you to act immediately or face consequences.
Out-of-band verification: Confirm requests through a secondary communication channel, such as a phone call, especially when dealing with high-stakes transactions.
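As an added illustration of the look-alike address checks described in the tactics and identification lists above (this is example code, not part of the original article): a small Python filter that compares a sender’s domain against an allow-list of trusted domains, folding confusable character pairs such as “rn” for “m” before comparing, and also catching one- or two-character typo-squats and trusted domains buried inside a longer one. The trusted domains, the sample From: headers and the confusables table are all constructed for the example.

```python
"""Flag sender domains that imitate a trusted domain (constructed example)."""
from email.utils import parseaddr

# Character sequences that are easily mistaken for one another in common fonts.
# Both the sender domain and the trusted domain are folded with this table
# before comparison, so "exarnple" and "example" collapse to the same string.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

def canonical(domain: str) -> str:
    """Lower-case the domain and fold look-alike sequences onto their targets."""
    folded = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        folded = folded.replace(lookalike, real)
    return folded

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as a swapped letter pair."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(header_value: str, trusted_domains: set[str]) -> tuple[str, str]:
    """Return (verdict, domain) for a From: header value.

    verdict is 'trusted', 'lookalike', 'embedded' (a trusted domain hidden inside
    a longer one) or 'unknown'. 'unknown' is not proof of fraud, only of no match.
    """
    _, address = parseaddr(header_value)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain in trusted_domains:
        return "trusted", domain
    for trusted in trusted_domains:
        if canonical(domain) == canonical(trusted):
            return "lookalike", domain   # confusable substitution, e.g. rn for m
        if trusted in domain:
            return "embedded", domain    # e.g. example.com-secure.test
        if edit_distance(domain, trusted) <= 2:
            return "lookalike", domain   # one- or two-character typo-squat
    return "unknown", domain

TRUSTED = {"example.com", "acme-supplies.com"}   # constructed allow-list

if __name__ == "__main__":
    for hdr in ["CFO <cfo@example.com>", "CFO <cfo@exarnple.com>",
                "Billing <ap@acme-suppiles.com>", "IT <help@example.com-secure.test>",
                "News <news@totally-unrelated.test>"]:
        print(f"{hdr:40} -> {check_sender(hdr, TRUSTED)}")
```

Any verdict other than 'trusted' is a reason to fall back on the out-of-band verification described above rather than a verdict in itself.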
Preventing BEC attacks
Proactive measures can significantly reduce your risk of falling victim to BEC:
Enable multi-factor authentication (MFA): MFA adds an extra layer of protection, making it harder for attackers to access email accounts.
Train employees and teams: Regularly educate employees about BEC tactics and how to spot suspicious emails. Awareness is your first line of defense.
Verify requests: Always verify financial or sensitive requests through an independent channel, such as a direct phone call to the requester.
Implement email security solutions: Use advanced email filtering tools to detect and block spoofed emails and suspicious attachments.
Monitor vendor relationships: Keep a close eye on vendor communications and verify any changes in payment instructions.
What to do if you suspect or experience a BEC attack
Don’t act hastily: Pause and verify the request with the supposed sender before taking action.
Report the incident: Notify your IT team or service provider immediately to investigate the email and mitigate further risks.
Alert your bank: If funds have already been transferred, contact your bank to initiate a recovery process as quickly as possible.
BEC attacks are a growing threat, but you can protect yourself and your organisation with the right knowledge and practices.
Always remain skeptical of unsolicited or unusual email requests, especially those involving sensitive information. By remaining vigilant, fostering awareness, and implementing robust security measures, you can stay one step ahead of cybercriminals.