The Imposter Insider: Business Email Compromise

Ever watched a sci-fi movie where aliens disguised as regular people infiltrate society to take over? Business Email Compromise - a practice cyber thieves use to hijack company email - is a little like this.

And if you're not vigilant, these scammers posing as email accounts you're familiar with can make off with the keys to your company network, sensitive data, and more.

To help you differentiate between the real and fake accounts, we examine how they work, how to sniff them out, and what you can do to mitigate the damage.

Phase One: Research 

Cybercriminals target a business with phishing emails. You have probably seen them: messages designed to alarm the recipient into clicking a link or opening an attachment with bogus claims about viruses, bank alerts, or overdue invoices.

Once an employee falls for the phishing email, the scammer either harvests the employee's login credentials or quietly installs malware on their device. Either way, the attacker ends up with access to the employee's mailbox and, from there, to the company's email system and internal data.

With that access, the scammer can log in at will and read quietly for weeks, studying payment schedules, vendor lists, invoice formats, and anything else of interest. They pay close attention to emails from the CEO about payments and to the CEO's travel schedule, which comes in handy later.

Phase Two: Grooming 

Armed with research, the scammer begins an email relationship with a targeted employee. This is typically someone with the authority to make payments, such as an Accounts Payable supervisor or someone in management.

The scammer may pretend to be an employee of a trusted vendor—and may even call the targeted person on the phone to create a more legitimate façade.

Phase Three: Transfer 

Once the scammer feels comfortable and establishes a relationship, they fake an email from the CEO or someone else high up in the company directing the target to make a wire transfer to the trusted vendor's account. 

A typical email message might be something like:

Hi Jane,

I'm on the road but need your help processing a late payment for XYZ company. We can't afford to miss it, or our delivery will be quarantined. The link enclosed can be used for the payment.

This usually happens when the CEO is out of town, which makes the request hard to verify. And the payment details or link in the message, as you might guess, route the money to an account the scammer controls, not the trusted vendor's.

What's more, if the transfer goes unnoticed, and many do at first, the scam continues and the losses add up quickly. In one of many noteworthy business email compromise cases, a Toyota subsidiary lost more than $35 million in 2019.

Unfortunately, by the time the scam is spotted, the cybercriminal—and the company's money—is usually gone for good. 

To Avoid Becoming a Victim

Fortunately, there are ways to avoid falling for a business email compromise scam. First, train your employees to verify any wire transfer request, and any change to a vendor's bank details, out of band: by phone or in person, using contact details already on file rather than anything supplied in the email itself.

This holds especially for employees who process payments or managers with the authority to do so.

If they call a number provided in the scammer's email, they may be connected to an accomplice, so the rule is to use the phone number you already have on file for the vendor or executive being impersonated.

In addition, be wary of new wire transfer instructions or routing requests that appear from out of nowhere. They may be a trick and are typically prefaced with messages from scammers, such as "Hi, I'm a new representative at XYZ bank and have taken the place of your account contact who's left the company…."

Beyond the messaging, carefully check any wire request for slight changes in the sender's email address (a swapped letter, a look-alike domain, a Reply-To that points somewhere else) and for account or routing numbers that differ from the ones you are accustomed to. A genuine vendor does occasionally change banks, so these are not proof of fraud on their own, but they are red flags that must be confirmed out of band before any money moves.
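The two checks described above, a look-alike sender address and an unexpected request for new payment instructions, are easy to automate as a first-pass screen before a human picks up the phone. The following is an added example, not code from the original article: it parses a raw email, compares the sender against a constructed allow-list of known vendor contacts (`KNOWN_VENDOR_CONTACTS` is an assumption standing in for whatever your accounts payable system keeps), flags domains that resemble a known vendor after undoing common character swaps, flags a Reply-To that differs from the From domain, and flags body text that matches change-of-bank-details phrasing. The sample messages are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of vendor contacts (assumption: AP keeps one of these).
KNOWN_VENDOR_CONTACTS = {
    "billing@acme-supplies.com",
    "ar@xyzcompany.com",
}
KNOWN_VENDOR_DOMAINS = {addr.split("@", 1)[1] for addr in KNOWN_VENDOR_CONTACTS}

# Phrases that commonly accompany a change-of-bank-details request (constructed, non-exhaustive).
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew (?:bank|wire|routing|account) (?:details|instructions|number)\b",
    r"\bupdated? (?:our|the) bank(?:ing)? (?:details|information)\b",
    r"\btaken the place of\b",
    r"\bnew representative\b",
]

# Character swaps attackers use to make a domain look right at a glance (non-exhaustive).
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain: str) -> str:
    """Undo common look-alike substitutions so 'acme-supp1ies.com' compares as 'acme-supplies.com'."""
    d = domain.lower()
    for fake, real in LOOKALIKE_SWAPS:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str, known_domains, threshold: float = 0.85):
    """Return the known domain this one most resembles, or None if it is an exact match or unrelated."""
    if domain in known_domains:
        return None
    nd = normalize_domain(domain)
    best, best_score = None, 0.0
    for known in known_domains:
        score = SequenceMatcher(None, nd, normalize_domain(known)).ratio()
        if score > best_score:
            best, best_score = known, score
    return best if best_score >= threshold else None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Collect the text/plain parts of a parsed message (single-part or multipart)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def assess_payment_request(raw_message: str) -> dict:
    """Screen one email for the BEC red flags discussed above; findings mean 'verify out of band'."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_domain = domain_of(from_addr)
    findings = []

    if from_addr not in KNOWN_VENDOR_CONTACTS:
        near = lookalike_of(from_domain, KNOWN_VENDOR_DOMAINS)
        if near:
            findings.append(f"sender domain {from_domain!r} looks like known vendor domain {near!r}")
        else:
            findings.append(f"sender {from_addr!r} is not a contact on file")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to!r} is on a different domain than From")
    text = _body_text(msg)
    for pattern in PAYMENT_CHANGE_PATTERNS:
        hit = re.search(pattern, text, re.IGNORECASE)
        if hit:
            findings.append(f"requests new payment instructions: {hit.group(0)!r}")

    return {"from": from_addr, "findings": findings, "verify_out_of_band": bool(findings)}


# Constructed sample: look-alike domain, mismatched Reply-To, new-bank-details language.
SAMPLE_LOOKALIKE = """From: Acme Billing <billing@acme-supp1ies.com>
Reply-To: accounts@mail-handler.net
To: ap@example.com
Subject: Updated bank details for invoice 4471

Hi Jane,

We have updated our bank details. Please use the new account number below for the
late payment. I'm a new representative and have taken the place of your account contact.
"""

# Constructed sample: a routine reminder from a contact already on file.
SAMPLE_LEGIT = """From: Acme Billing <billing@acme-supplies.com>
To: ap@example.com
Subject: Invoice 4471 reminder

Hi Jane,

Just a reminder that invoice 4471 is due on Friday. Same account as always. Thanks!
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_LEGIT):
        result = assess_payment_request(sample)
        print(result["from"], "->", result["findings"] or "no red flags")
```

A screen like this belongs in front of the human check, not in place of it: a clean result only means none of these particular tricks was used, and a flagged result still has to be resolved by calling the number already on file.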

Verify any suspicious request with internal partners such as the finance team, and route every payment through the normal approval workflow rather than an ad hoc email request, however urgent it sounds.

Above all, if a request doesn't feel right or your employees have any suspicions that an email may be fake, advise them to err on the side of caution and notify management.

As an added security measure, consider information security awareness training that helps your employees identify signs of phishing. A search online of the term 'phishing awareness training' or 'information security training' provides a variety of vendor options.