BEC: A Scare for Small Businesses

By Chris Wallace

Not everything is as it seems. On October 31st, we expect this, but what about every other day of the year?

Sentenced earlier this year to ten years in prison for wire fraud charges, Obinwanne Okeke transferred over $10 million out of a company in the United Kingdom.[1] Not long ago, a family member of mine was closing on her house. In the flurry of paperwork, she received a last-minute email from the closing company notifying her of an account number change for her down payment. Thinking nothing of it, she complied—and still has not been able to recover the tens of thousands lost.

Perhaps you can see the connection. If not, let me make it simple: Business Email Compromise has cost businesses in the US over $2 billion[2], and even more globally.[3] “Business email compromise (BEC) is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.”[4] While “tens of thousands lost” may not sound like much for a large corporation, it has long-lasting repercussions for individuals or small businesses. On average, the stakes are even higher. Palo Alto estimates that “the average wire fraud attempted was $567,000 and the highest was $6 million.”[5]

As small and mid-sized businesses continue to experience cyberattacks, it’s not something we can afford to ignore. Through an email address made to look like someone the targeted staff interacts with (potentially a supervisor or vendor), criminals play off the relationships within organizations to get what they want. Who wants to question their CEO or CFO when they request a change of email address or an updated account number? We should.

Multi-factor authentication is foundational to good cyber hygiene, and the same principles apply here. In our business relationships, we need to prepare for the moment when the person we are interacting with is not who we think they are. At a previous employer, we took this seriously by requiring a phone call verification for any emails requesting an account number change (internally or externally) or anything of that nature. By calling the number on record, not an alternative one provided by the potential criminal, we could verify identity and instruction details. In addition to the rules of good cyber hygiene, protect your small business by remembering that not everything is as it seems.
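The lookalike sender address and the call-back rule described above can be combined into one mail-triage check. The sketch below is an added example, not code from the author or from any employer mentioned; the contact directory, phone numbers, trigger phrases, and the 0.85 similarity threshold are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory: address on record -> phone number on record (all hypothetical).
CONTACTS = {
    "cfo@corp.example": "+1-555-0100",
    "billing@vendor.example": "+1-555-0101",
}

# Assumed, non-exhaustive phrases that signal a payment-detail change.
CHANGE_REQUEST = re.compile(
    r"account number|routing number|wire instructions|bank details", re.I)

def sender_status(from_header, contacts=CONTACTS, threshold=0.85):
    """Return ('known' | 'lookalike' | 'unknown', matching address on record or None)."""
    addr = parseaddr(from_header)[1].lower()
    if addr in contacts:
        return "known", addr
    for known in contacts:
        # Near-identical but not equal: e.g. one swapped character in the domain.
        if SequenceMatcher(None, addr, known).ratio() >= threshold:
            return "lookalike", known
    return "unknown", None

def review(from_header, body, contacts=CONTACTS):
    """Decide what the call-back rule requires before anyone acts on the message."""
    status, match = sender_status(from_header, contacts)
    if status == "lookalike":
        return {"action": "hold", "call": contacts[match],
                "reason": f"sender resembles {match}"}
    if CHANGE_REQUEST.search(body):
        # An exact address match proves nothing (headers can be forged, mailboxes
        # taken over), so the number comes from the directory, never the email.
        return {"action": "verify_by_phone", "call": contacts.get(match),
                "reason": "payment detail change requested"}
    return {"action": "deliver", "call": None, "reason": "no trigger"}

if __name__ == "__main__":
    # Constructed sample messages.
    print(review("CFO <cfo@c0rp.example>", "Quick favor, are you at your desk?"))
    print(review("Billing <billing@vendor.example>", "Our account number has changed."))
```

A `call` value of `None` means no number is on record for that sender, so the request cannot be verified by phone and should not be acted on.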

 

 

[1] Federal Bureau of Investigation. (2021, April 26). International Scammer Sentenced. News. Retrieved on 26 October 2021 from International Scammer Sentenced — FBI 
[2] Federal Bureau of Investigation. (2020, April 06). Cyber Criminals Conduct Business Email Compromise through Exploitation of Cloud-Based Email Services, Costing US Businesses More Than $2 Billion. Internet Crime Complaint Center (IC3). Retrieved on 26 October 2021 from Internet Crime Complaint Center (IC3) | Cyber Criminals Conduct Business Email Compromise through Exploitation of Cloud-Based Email Services, Costing US Businesses More Than $2 Billion 
[3] Federal Bureau of Investigation. (2019, September 10). Business Email Compromise The $26 Billion Scam. Internet Crime Complaint Center (IC3). Retrieved on 26 October 2021 from Internet Crime Complaint Center (IC3) | Business Email Compromise The $26 Billion Scam 
[4] Federal Bureau of Investigation. (n.d.). Business Email Compromise. Scams and Safety. Retrieved on 26 October 2021 from Business Email Compromise — FBI 
[5] Garbett, J., & Manchanda, S. (2021, October 21). Nightmare Email Attacks (and Tips for Blocking Them). Palo Alto. Retrieved on 26 October 2021 from Nightmare Email Attacks (and Tips for Blocking Them) (paloaltonetworks.com).  
