Business Email Compromise: A Big Problem

Your Business is Worth Protecting from Email Compromise

The FBI calls it the $55 billion scam.

Business email compromise (BEC) is rampant and getting worse, with new AI tools making phony emails harder than ever to detect. You and your company must take email compromise seriously and take concrete steps to protect against it. 

How Email Compromise Works

  1. Thieves hack a key email account, one from either your company or your supplier.
  2. They monitor it for days or even weeks to learn and copy your business processes and forms.
  3. They put together a convincing email and invoice and send it from the compromised account or one that looks a lot like it.
    • AI tools make it easier than ever to craft a convincing email and can even clone someone's voice.
  4. They send it to exactly the right person at your company – remember, they’ve been monitoring your processes and know how invoices flow in and out.
  5. That person sends it to the finance team, which pays the fake invoice and sends money (and valuable account information) to the scammer.

All organizations are vulnerable and may not have sufficient protections in place. Small businesses are particularly at risk as they cannot absorb cash losses.

How to Prevent Email Compromise

The easiest steps to protect against email compromise are things you can build into your daily routine.

  • Always verify through other channels that you are communicating with your legitimate business partner. That means using a phone number you know – not one given in the email – and not replying to the suspicious message.
  • When the bank calls to confirm a wire request, carefully consider it and double or triple check the request internally before approving. 
  • Always double check the domain name on any email address that asks for a wire transfer or other payment.
    • For example, email addresses from a supplier called Medco LLC should end in “medcollc.com.” A scammer could easily create an address that ends in “medco11c.com.” You might not see it at first glance, but look a little closer and it’s clearly false.
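As an added example (not part of this article), here is a small Python check a finance or IT team could run over the sender address of any payment-request email: it compares the sender's domain against an allowlist of approved supplier domains and flags near-misses such as the medco11c.com case above. The allowlist, the homoglyph map and the sample addresses are constructed assumptions for illustration.

```python
"""Lookalike-domain check for payment-request emails (added example)."""
import re

# Constructed map of digits/symbols scammers swap for similar-looking letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "8": "b", "|": "l"})

# Hypothetical allowlist of supplier domains approved to send invoices.
APPROVED_DOMAINS = {"medcollc.com"}


def normalize(domain: str) -> str:
    """Lowercase, drop a trailing dot, and fold look-alike characters into letters."""
    return domain.lower().rstrip(".").translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, approved=APPROVED_DOMAINS) -> str:
    """Return 'approved', 'lookalike' or 'unknown' for a From: address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "unknown"
    domain = m.group(1).lower().rstrip(".")
    if domain in approved:
        return "approved"
    folded = normalize(domain)
    for good in approved:
        # Homoglyph match (medco11c.com) or a near typo (medcolc.com) is a lookalike.
        if folded == normalize(good) or levenshtein(domain, good) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample sender addresses.
    for addr in ["ap@medcollc.com", "ap@medco11c.com", "billing@medcolc.com", "x@gmail.com"]:
        print(f"{addr:24} -> {classify_sender(addr)}")
```

A "lookalike" result should block the payment until the supplier is confirmed by phone on a number you already have on file.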

Here are additional steps you can take to protect your company from BEC:

  • Require your employees to complete annual training on business email compromise, the potential for damage and ways to protect the company.
  • Avoid free, web-based email. Instead, create a company website domain and use it to establish company email accounts.
  • Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchical information and out-of-office details. Don’t make it easy for scammers to learn your processes.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures and two-step verification processes.
    • Ask your IT team about separating your computer devices from Internet of Things (IoT) devices like a connected doorbell or appliance. 
    • Disable the Universal Plug and Play protocol (UPnP) on your router.
  • Beware of sudden changes in business practices.
    • Example: a current business contact suddenly asks to be contacted via a personal email address when all previous official correspondence has gone through their company email.

If you have questions about how business email compromise happens or how you can prevent it, Pinnacle’s information security, treasury management and small business support teams can help.
