Security Market Trends: Business Email Compromise

Cyber hacks are nothing new, but it’s shocking how much money one cyber hack can cost a company. What else is startling is how cyber hackers are doing it. They aren’t breaking into your bank account or your company’s infrastructure and attacking with brute force. Instead, they are using what is called business email compromise (BEC). And they are convincing you to give them money, but how?

The Scam at Work

Recently, Mark, the head of a real estate company in Seattle, Washington was duped for $50,000, and all it took was a single email. It wasn’t an elaborate hack (not in the sense that you’re probably thinking). All it took was a little bit of research by a hacker and good timing.

Mark and his partner were discussing a payment. Hackers had been watching their interactions and decided this was the time to make their play. The hacker sent Mark an email on how to wire the money to the same bank as his partner, but to a different account. Since the two had previously been talking about it, Mark didn’t think twice and sent over the money.

How Much Money Is At Stake For Companies?

Although Mark’s interaction only (and we use “only” cautiously here) cost the company $50,000 dollars. This kind of email scam has accounted for company losses far more than just $50,000. According to an NPR interview, James Abbot, Supervisory Special Agent for the FBI mentioned that in 2016 business email compromise schemes cost companies upwards of 361 million dollars. In 2018, that number had jumped to $1.2 billion. And that only accounts for the money they are aware that was stolen.

Business hackers are far more keen on learning about their targets before they pounce. Once hackers break into a companies’ email system, they sit around and watch for a bit. They learn who is sending accounts receivable/payable and search for the perfect time to strike. They trick employees who handle small and large transactions to wire money to phony accounts. And oftentimes, once the money is gone, it is impossible to get back.

The FBI for instance will only go after large sums of money. Mark’s $50,000 was considered small potatoes compared to some of the BEC schemes they are attempting to track down. And oftentimes, such as in Mark’s case, people who are duped into giving away money to fake people feel too insecure or dumb to tell anyone about the hack.

How Should Your Company Protect Itself?

Instead of hackers using sophisticated tactics to get your companies’ money, they are using your employees human nature and trust and turning it against them. So how do you protect against that?

• Be suspicious - In Mark’s case, the unknown account should have been a warning flag. Also be wary of unsolicited attachments in emails, even from people you know.
• Use business credit cards when applicable - There are laws to limit your liability for fraudulent credit card charges, but you may not have the same level of protection for your debit cards. Additionally, debit cards draw money directly from bank accounts, unauthorized charges could leave you with insufficient funds to pay other bills.
• Make sure your information is being encrypted – Before you provide any personal information make sure the URL begins with "https:"(instead of "http:") and a padlock icon. If the padlock is closed, the information is encrypted.

Keep your money and your employees safe by letting them know what they can do to protect themselves and the company. And if you need a company to look after more than just your money, reach out to AvantGuard to see what third-party monitoring services can do for you.