This article was written for our sponsor, Technology Associates.

According to the Federal Bureau of Investigation, business email compromises, or BECs, have cost companies more than $26 billion from 2016 through 2019 alone. Additionally, over the past few years, the number of reported business email attacks has skyrocketed, totaling more than 160,000 — excluding many attacks that still go unreported.

While anyone can be a target of a BEC attack, some industries are more vulnerable than others.

“Any business that’s moving funds around, regularly transferring money or conducting financial transactions online, those are the biggest targets,” said Eric Hobbs, CEO of Technology Associates, a full-service technology consulting firm based in Cary. “You’ll also see broader-based firms experience something like a CEO impersonation, where they email the office administration asking for something like gift cards to be sent to a certain address.”

While many businesses are getting smarter about business email compromises, the scam continues to grow. From 2018 through 2019, the FBI found there was a 100 percent increase in identified global exposed losses. Part of that increase stems from greater awareness around the issue, which tends to cause more reporting, but that number still doesn’t represent the full scope of BECs.

For those on the lookout for potential attacks, there are five types of email compromise attempts to be aware of:

  • False invoices, which request that funds be wired to incorrect accounts
  • CEO fraud, which happens when credentials are stolen and then used to request money or items
  • Account compromise, which is similar to CEO fraud but on an employee level
  • Attorney impersonation, in which hackers pretend to represent legal counsel and request wire transfers
  • Data theft, when fraudulent emails request sensitive documents like W-2s or personally identifiable information

Hackers use a variety of techniques to target victims, whether it be spoofing by using an email address that looks legitimate or similar to the victim’s, secretly installing malware, or using psychological manipulation to convince victims to share sensitive information. Additionally, if individuals use the same password for multiple platforms, it opens up the possibility for multiple breaches.

“Say I register my LinkedIn account using my work email and password. LinkedIn gets hacked, and now the hackers have my login information,” Hobbs said. “Now, it’s easy for them to backtrack and see what email system I’m using to log into my email and formulate an attack plan.”

“I had an acquaintance of mine in real estate who was a victim of such an attack. Within a two-week period of time, they had two customers tricked into diverting funds for a real estate transaction into a hacker’s bank account,” Hobbs continued. “The hackers were sitting there watching, waiting for an email requesting the transfer, then right at the last minute, they’d send an email back to the purchaser and say, ‘Oh by the way, we’ve got new bank account routing information. Here it is.’”

Hobbs’s example is par for the course when it comes to business email compromises. Once a hacker has access to an individual’s log-in information, they’ll wait and watch, and, if your dealings could benefit them in any way, they’ll put a special rule in place to divert traffic from your email to their own, continuing to respond as if they were you.

“These hackers are basically tricking people to reroute money, then that money is gone forever, and there’s very little chances of getting it back. That is a disaster,” said Melanie Halloran, director of operations at Technology Associates. “We’ve also had people tricked into buying a bunch of gift cards. It’s very scary to think about.”

With both finances and reputation at stake, it’s vital for every employee to practice the full extent of cautionary measures to avoid a business email compromise. First and foremost: good password hygiene. That means not only using complex passwords, but also using a different password for each system or platform.

Multi-factor authentication can be an additional lock in the log-in process, preventing outside parties from breaching accounts. In Hobbs’s opinion, the chance that users who implement both of these security strategies will be compromised is “pretty close to nil.”

In addition to good password hygiene and two-factor authentication, individuals are also advised to double-check email addresses and URLs for misspellings, refrain from sharing any login credentials or personal information through email, and regularly monitor bank and credit card accounts.

If a company still practices poor security culture, like not instituting password requirements, not forcing users to change passwords after a certain period of time and not promoting awareness of common scams, then business email compromises are all the more likely.

In the instance an email within your company is attacked, you should proceed quickly and carefully — especially in regard to a password change.

“The best thing to do if you’re compromised is have somebody take a look forensically at what’s going on,” Hobbs explained. “Say a hacker has cracked your email address, and they put in a rule that forwards all of your incoming mail to a different mail account that they own without you knowing. When you reset your email password and get an email confirmation that the password changed — and possibly what the password is — now that information is getting shuffled off to a hacker, too.”

For this reason, before resetting your password, it’s crucial to make sure there are no rules set up that might allow a hacker to access the new password, then communicate with your provider to ensure that all access is shut off.
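The check described above, auditing a mailbox for rules that would leak mail to an outsider before the password is reset, can be scripted against an export of the mailbox's rules. The following is an added illustration written for this article, not code from Technology Associates or from any mail provider: the rule fields (`forward_to`, `redirect_to`, `delete_message`, `subject_contains`) are assumed names for what an administrator's export would contain, and the four sample rules are constructed for the example. It flags any enabled rule that forwards or redirects mail outside the organization's domain, that forwards and then deletes the message (hiding it from the owner), or that singles out subjects such as wire, bank or password notices.

```python
"""Audit exported mailbox inbox rules for attacker-style forwarding.

Constructed example: the rule records below mimic what a mail
administrator might export. Field names are assumptions, not a
particular vendor's schema.
"""
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


@dataclass
class InboxRule:
    name: str
    enabled: bool
    forward_to: List[str] = field(default_factory=list)    # copies mail onward
    redirect_to: List[str] = field(default_factory=list)   # moves mail onward
    delete_message: bool = False                           # deletes after acting
    subject_contains: List[str] = field(default_factory=list)


@dataclass
class Finding:
    rule: str
    reasons: List[str]


# Subject keywords that a BEC actor would want to see before the owner does.
DEFAULT_KEYWORDS: Tuple[str, ...] = ("invoice", "wire", "payment", "bank", "password")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules: Sequence[InboxRule], org_domain: str,
                keywords: Sequence[str] = DEFAULT_KEYWORDS) -> List[Finding]:
    """Return a Finding for every enabled rule that looks like mail diversion."""
    org_domain = org_domain.lower()
    findings: List[Finding] = []
    for rule in rules:
        if not rule.enabled:
            continue  # disabled rules cannot leak anything right now
        targets = rule.forward_to + rule.redirect_to
        reasons: List[str] = []

        external = [a for a in targets if _domain(a) != org_domain]
        if external:
            reasons.append(f"sends mail outside {org_domain}: {', '.join(external)}")

        if rule.delete_message and targets:
            reasons.append("forwards and then deletes, hiding the message from the owner")

        hits = [s for s in rule.subject_contains
                if any(k in s.lower() for k in keywords)]
        if hits and (targets or rule.delete_message):
            reasons.append(f"acts on financial or credential subjects: {hits}")

        if reasons:
            findings.append(Finding(rule.name, reasons))
    return findings


# Constructed sample export for an organization using example.com.
SAMPLE_RULES: List[InboxRule] = [
    InboxRule("Team updates", True, forward_to=["ops@example.com"]),
    InboxRule(".", True, forward_to=["mail.copy@attacker-mail.invalid"],
              delete_message=True),
    InboxRule("Wire", True, delete_message=True,
              subject_contains=["wire transfer", "routing information"]),
    InboxRule("Old forward", False, forward_to=["me@outside.invalid"]),
]


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, "example.com"):
        print(f"Suspicious rule {f.rule!r}:")
        for r in f.reasons:
            print(f"  - {r}")
```

Rules named with a single punctuation character (like the "." above) are worth a closer look on their own, since they are easy to overlook in a rule list. Any rule the audit flags should be removed, and the provider asked to revoke existing sessions, before the new password is set, so that the reset confirmation is not forwarded along with everything else.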

While there’s no way to wholly guarantee your company will be safe from business email compromises, developing strong security measures and a culture of awareness can significantly decrease the odds.
