How To Prevent Business Email Compromise and 10 Real-World Examples

Business email compromise (BEC) is a sophisticated cybercrime where attackers infiltrate or mimic legitimate business email accounts to deceive companies into transferring money or divulging sensitive information. And this type of cyber attack is on the rise, threatening every industry, no matter the size of the business.

Email security isn’t just an IT concern; it’s a critical step for doing business in the digital world. A single successful BEC attack can result in substantial financial losses, reputational damage, and operational disruption. Here, we’re breaking down common signs of BEC, real-world examples of BEC scams that cost companies millions, and how to prevent business email compromise.

Common Signs of a BEC Scam Email

Some email scams are easy to spot from a mile away. The sender's address is misspelled, or the domain is different. Or the email contains a generic greeting like "Dear Customer." The email is full of grammar and spelling mistakes. Then there's the links. Hovering over a link can reveal the full URL that doesn't match the supposed company. However, business email compromise scams are designed to trick employees, so, as the FBI states, the red flags are a little different.

In a BEC scenario, cybercriminals often compromise an official email account through spear-phishing, malware, or credential harvesting. Then, they use that account to conduct unauthorized transfers of funds or data, so the employee thinks they are responding to a trusted person or even manager in the company or a legitimate vendor or business partner. These can include:

• Requests for Confidential Information: If an email surprisingly asks for sensitive information, credentials, or any other confidential data, it could be a BEC attempt. Fraudsters often pose as trusted figures to solicit this information.
• Unexpected Payment Requests: Be cautious of emails that request unexpected payments, especially if they ask for wire transfers or changes in payment details. Scammers frequently impersonate executives or vendors in these schemes.
• Urgent or Unusual Requests: Emails that convey a sense of urgency or pressure you to take immediate action, particularly those from high-ranking officials within the company, could be a sign of BEC. This tactic can manipulate the recipient into acting without proper verification.

Learn more about the threat of Business Email Compromise and how it impacts email security in our blog—What Is Business Email Compromise?

How To Prevent Business Email Compromise

Email remains a critical communication tool in business operations. Email security is vital because it protects sensitive information, maintains integrity of business communication channels, upholds customer trust and confidence in your business operations, and prevents costly disruptions by email scams and data breaches.

Besides partnering with a Managed Cybersecurity Services company like Arnet Technologies, the best four ways to prevent a business email compromise include:

1. Employee Training: Regular training programs to educate employees on identifying suspicious emails and understanding the tactics used in BEC attacks.
2. Email Authentication Protocols: Implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance) to help prevent domain spoofing and ensure email authenticity.
3. Multi-Factor Authentication (MFA): Adding an extra layer of security for email accounts by requiring multiple forms of verification to access them.
4. Incident Response Plan: Developing a robust incident response plan that includes procedures for reporting and responding to suspected BEC attempts promptly.

Arnet Technologies provides comprehensive Business Email Compromise services for SMBs throughout Ohio.

10 Real-World Examples of Business Email Compromise Scams

Some of the biggest companies in the world are not immune to business email compromise, even with critical safeguards in place. Here are ten real-world examples of business email compromise scams.

1. Facebook & Google Scam: A Lithuanian hacker tricked employees into wiring money to his own bank accounts held abroad, ultimately costing them $100 million.
2. Scoular Co.: A Nebraska-based company lost $17.2 million when attackers impersonated the CEO and requested a wire transfer.
3. Toyota Boshoku Corporation: This subsidiary of Toyota lost $37 million through a BEC scam targeting their finance department.
4. FACC: Not once, but twice, this Austrian aerospace parts maker fell victim to a BEC scam. In one instance, they lost $61 million after cybercriminals impersonated the CEO and requested a transfer to a fraudulent account. Another attack resulted in a $12 million loss when attackers impersonated the CFO. Ultimately, FACC sued the former CEO and CFOs over the cyber fraud.
5. Mattel: Nearly lost $3 million when attackers impersonated a newly appointed executive and requested a wire transfer.
6. Seagate Technology: Fell victim to a BEC attack where employee W-2 forms were compromised, affecting 10,000 employees.
7. Snapchat: In February 2016, the social media firm Snapchat suffered a BEC attack that breached payroll information, compromising the sensitive data of current and former employees. Snapchat provided free credit monitoring and up to $1 million in reimbursement.
8. Treasure Island: This San Francisco-based homeless charity suffered a $650,000 loss in June 2021 after hackers infiltrated their bookkeeper’s email system and redirected funds intended for a partner organization.
9. Children’s Healthcare of Atlanta: Healthcare is routinely targeted by scammers, especially BEC scams. Pediatric care provider, Children’s Healthcare of Atlanta, was defrauded $3.6 million in a BEC scam where an attacker impersonated the CFO of their construction contractor, J.E. Dunn, redirecting payments to a fraudulent account.
10. Virginia Commonwealth University (VCU): VCU was defrauded close to $470,000 in 2018 when a scammer posing as an employee of construction firm Kjellstrom + Lee provided fake banking details, diverting funds to a fraudulent account.

Why Business Email Compromise Attacks are Hard to Detect

BEC attacks are notoriously difficult to detect for several reasons:

• Low Volume: Unlike other cyberattacks that generate high email traffic, BEC attacks often involve just one or two emails, avoiding detection by email security filters.
• Legitimate Sources: Attackers often use IP addresses with good reputations or spoof legitimate email domains, making it hard for security systems to flag these emails.
• Compromised Accounts: Sometimes, BEC emails originate from legitimate but previously compromised accounts, making the malicious emails appear genuine.
• DMARC Compliance: Attackers can exploit misconfigured DMARC settings or use legitimate sources to bypass authentication checks.

Have you considered Managed IT Services from Arnet Technologies? In addition to 24/7 monitoring and security, our team can help improve efficiency, productivity, and profitability.

Prevent Costly Cyber Threats With IT Managed Services from Arnet Technologies

Business Email Compromise is a significant threat that requires vigilance and robust security measures to prevent. Implementing employee training, email authentication protocols, multi-factor authentication, and a strong incident response plan are crucial steps in defending against BEC.

To protect your Ohio business from potentially devastating financial and reputational harm, consider partnering with the Managed Cybersecurity experts at Arnet Technologies. With a track record of serving diverse industries, from architecture to healthcare and even wealth management, we've provided Ohio businesses the tools and expertise to combat BEC scams for over a decade. Contact our team today to secure your business's operations.