Cybercriminals Are Invading Corporate Inboxes: What Small Businesses Can Do


Behind every business is a group of individual employees. And, in most cases — and for most firms — those individuals use their work, or even personal, email accounts to conduct business.

That one fact alone makes them a prime target for bad actors and scammers.

While digital fraud becomes increasingly sophisticated due to the democratized use of artificial intelligence (AI) and the rising industrialization of the fraud space by organized crime groups, or “scam factories,” traditional social engineering methods including business email compromise (BEC) attacks and malware injections remain a critical risk to protect against in today’s landscape.

Per the most recent FBI Internet Crime Complaint Center (IC3) report, BEC attacks in the U.S. last year resulted in $2.9 billion in adjusted losses, with the FBI receiving over 21,000 complaints, while malware attacks during the same period represented adjusted losses of more than $59.6 million.

And per the report, many malware and BEC incidents tend to go unreported.

Particularly for small and medium-sized businesses (SMBs) that may have modest or no cybersecurity plans in place, BEC attacks and malware scams can represent some of the most financially damaging online crimes.

After all, the prevalence of corporate devices and accounts makes them an attractive target for bad actors deploying a “spray and pray” approach to compromising organizational defenses. By infecting a single device, cybercriminals can frequently gain access to all accounts and wreak havoc from inside a firm’s own walls.


Cybercriminals Are Flocking to Corporate Inboxes

Fortunately, the situation isn’t hopeless. SMBs can take steps to protect themselves from malware and BEC scams by embracing tactics that include implementing robust cybersecurity software, securing networks and devices, educating employees, implementing multi-factor authentication, and establishing clear communication protocols for verifying sensitive transactions.

“We’ve always had social engineering attacks, but with the advent of AI, it’s much easier to create a bot that will have a credible conversation with a victim and convince many victims at the same time to share their credentials, transfer money, and do other things that they wouldn’t normally do,” Maciej Pitucha, VP of product and data at Mangopay, told PYMNTS.

“Data is usually the answer … Building a successful fraud prevention solution requires lots of data, lots of expertise,” Pitucha added.

Earlier this year (Feb. 26), the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework (CSF) 2.0: Small Business Quick-Start Guide, which detailed five key pillars for businesses to adhere to when managing cybersecurity risk.

They are Identify, Protect, Detect, Respond and Recover, and supporting the five pillars is a central core of effective cyber governance.

Per the NIST framework, SMBs need to ask themselves three key questions in order to construct a cyber governance program. The first is how often, as the business grows, leadership reviews the existing cybersecurity strategy. Second, NIST recommends performing a self-assessment to identify whether the firm needs to upskill existing staff, hire talent, or engage an external partner. Third, the agency stresses the importance of employee education around both internal policies and the threat landscape more broadly.


Combining Employee Education With Robust Defenses

As emphasized by many of the risk management leaders PYMNTS has spoken to, the first line of defense for today’s businesses is their own employees, making individual education around next-generation attack tactics, and the best-practice methods to combat them, more important than ever.

“After-action reports will help you understand what your business continuity plan was and where it failed … If you haven’t stayed up on your hygiene, that will come out in the report. That’s why running red team exercises or simulated events is so important,” Matanda Doss, executive director and lead information security manager for commercial banking at JPMorgan, told PYMNTS in December.

Establishing employee training programs around phishing awareness, password security and social engineering is crucial, as is an ongoing emphasis on handling sensitive data responsibly.

“The No. 1 thing that I would start with is good cyber hygiene,” Rosa Ramos-Kwok, managing director and business information security officer for commercial banking at J.P. Morgan, separately told PYMNTS in another December conversation.

PYMNTS Intelligence found that 82% of eCommerce merchants endured cyber or data breaches in the last year. Forty-seven percent say the breaches resulted in both lost revenue and lost customers.