When Email Becomes SMBs’ Biggest Security Threat

The business email compromise (BEC) scam is a cybersecurity threat to businesses of all sizes, and the financial and security implications of a successful attack aren’t isolated to its target.

The BEC scam can manifest in many forms. For instance, fraudsters can infiltrate the email systems of a firm’s legitimate suppliers to send emails from those vendor domains with a request for payment. In another scenario, fraudsters can infiltrate a company’s email system to track everything from the email addresses of company partners to the tone and style of voice an executive uses when speaking with suppliers.

It’s all in the name of siphoning company cash from accounts payable operations, and experts say the threat will continue to increase.

“The effects of this crime are far-reaching, and the dollar amounts involved are staggering,” said FBI Director Christopher Wray in a statement last September about the BEC scam.

According to the FBI, more than $26 billion in losses linked to BEC were reported between July 2016 and September 2019. Meanwhile, the Better Business Bureau said 80 percent of businesses received at least one kind of BEC scam email in 2018.

In a recent interview with PYMNTS, Tim Sadler, co-founder and CEO of cybersecurity firm Tessian, said the BEC scam is one of the most significant risks facing businesses today — and one of the easiest for fraudsters to achieve.

“It is so easy for attackers to pull off these kinds of scams,” he said. “It’s as simple as an attacker going onto LinkedIn, looking at who works in the finance department of an organization and impersonating the email address of a trusted third party, colleague or supplier — and all you have to do is send a fake invoice.”

A Sophisticated Attack

While the strategy might be simple, fraudsters are increasingly using more sophisticated strategies to find success. Human psychology is a key component of this tactic: Sadler pointed to one example of a fraudster impersonating a CEO and requesting immediate payment into a seemingly legitimate account. In this scenario, the attacker wields both the vulnerability of a subordinate and the emotional demand for immediate action to trick an employee.

As the threat grows more sophisticated, so do cybersecurity initiatives. As Sadler explained, cyberattackers will often use the BEC tactic rather than attempt to steal a company’s bank credential information, due to banks’ elevated security measures.

“Banking portals usually use some kind of two-factor authentication, which makes it a lot harder to harvest all of the information required to gain full access,” he explained.

Electronic payment technologies, too, are increasingly focused on security and fraud mitigation efforts. Unfortunately, Sadler noted, it often doesn’t matter whether a fraudster is requesting a wire transfer or wire card payment.

“It really comes down to where you’re directing that payment,” he said. “A payment method is only as secure as where you’re sending the money. If you’re sending it to the wrong bank account, then that money is gone, and it can be very difficult — and sometimes impossible — to recover it.”

Beyond The BEC

Sadler noted that while the BEC might be among the most common and well-known strategies that cyberattackers use to exploit insecure B2B transactions, it’s not the only security risk related to businesses’ reliance on email. Attackers also turn to developing fraudulent portals to compromise professionals’ email credentials, for example. Once access to an email account is gained, a trove of sensitive data can be discovered.

“You have to assume that people in organizations will send sensitive data across email,” said Sadler. “Given the volume of emails businesses send and receive every day, the propensity for error is really high. If you make an error one in 1,000 [times], that can still result in a very bad outcome for the company.”

Indeed, one misstep can lead to a company sending a significantly large sum of money to a fraudster, a transaction that could mean the difference between survival and bankruptcy. This is particularly true for smaller companies, which Sadler said are less aware of cybersecurity risks like the business email compromise, and have fewer resources to promote education across their companies.

Just as fraudsters take advantage of human vulnerabilities within an organization through methods like social engineering, Sadler noted that humans are a critical component of safeguarding companies. Education is imperative, and professionals must understand what action to take when an email is suspicious, or when a request for payment is received via email.

However, technology plays a significant role in safeguarding firms, too, he said. When it only takes one security failure for a company to risk its entire existence, a multi-pronged approach is key.

“The BEC can happen to anyone — to any company using email,” explained Sadler. “This really is one of the most common and damaging cybersecurity risks for a company. The only way that they can deal with it in a fail-safe manner is to use advanced technology to filter these spearphishing emails coming through. But training and awareness is also a great stopgap.”