Fraud Awareness Week: Business Email Compromise

Companies can spend a lot of money on cyber security. Business owners can fortify their servers and firewalls. Business owners can talk about fraud on a regular basis and require annual fraud training. Business owners can do everything right and sleep like a baby at night knowing their money and data are protected. The one thing you can’t protect against is social engineering: one of your employees clicking a link or sending money when they should not.

Business email compromise (BEC) attacks cost companies billions of dollars every year. According to studies, BECs accounted for 73% of all reported cyber incidents in 2024. According to the FBI, the average amount lost in a BEC attack is over $125,000. A BEC occurs when an email or text is sent to an employee requesting that the employee send money or click on a link. When the employee clicks on the link, the bad actor gains access to the company’s computer system, usually unbeknownst to anyone. Once in, the bad actor can sit and wait or start attacking the computer system by stealing data or money.

Frequent training can help keep employees from becoming victims. Bad actors prey on employees by using urgency and/or fear in their messaging requests. Making sure your employees verify the sender and any request for money before acting upon the request will help keep the business from losing data or money. The most common way employees are tricked into sending money is an email from the bad actor that looks just like the real email but carries some slight modification. Some examples are johnsmith@xyz instead of john.smith@xyz, john.kelley@xyz instead of john.kelly@xyz, randorn@abc instead of random@abc, and one of my favorites, amaz0n.com instead of amazon.com (replacing the “o” with a zero). These are just a few examples of how employees are tricked. Before AI, you could typically spot a fraudulent email due to grammatical errors. However, with Generative AI, BEC messages now look more convincing than ever. According to a study, an estimated 40% of BEC emails were AI-generated in 2024.
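The look-alike address tricks listed above (dropped dots, a swapped letter, "rn" in place of "m", a zero in place of "o") can be caught automatically before a human ever has to squint at them. The following is an added example, not code from the HHM post; the contact list and the `.example` domains are constructed for illustration.

```python
from typing import Optional

# Constructed directory of trusted senders (stand-in for a real vendor/employee list).
KNOWN_CONTACTS = {
    "john.smith@xyz.example",
    "john.kelly@xyz.example",
    "random@abc.example",
    "orders@amazon.example",
}

# Substitutions attackers use because they look alike on screen.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def canonical(addr: str) -> str:
    """Lower-case, drop dots in the local part, and undo look-alike substitutions."""
    local, _, domain = addr.strip().lower().partition("@")
    text = f"{local.replace('.', '')}@{domain}"
    for glyph, real in HOMOGLYPHS.items():
        text = text.replace(glyph, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, known=KNOWN_CONTACTS, max_dist: int = 2) -> Optional[str]:
    """Return the trusted address this sender imitates, or None if it is trusted/unrelated.

    An exact match is trusted. Otherwise the sender is flagged when its canonical
    form equals a contact's (dot/homoglyph tricks) or is within `max_dist` edits
    (a swapped or doubled letter such as kelley vs kelly).
    """
    sender = sender.strip().lower()
    if sender in known:
        return None
    c_sender = canonical(sender)
    for contact in known:
        c_contact = canonical(contact)
        if c_sender == c_contact or edit_distance(c_sender, c_contact) <= max_dist:
            return contact
    return None
```

A hit from `lookalike_of` is a reason to hold the message for the verification call the post recommends, not proof of fraud on its own.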

A growing trend is using trusted third-party vendor email addresses to change the contact person, payment address, or banking information for the supplier. These types of attacks rose 66% over the first half of 2024. A good way to avoid this is to have your employees call the vendor using the contact information you already have on file to verify any changes to the vendor’s payment information. Recently, bad actors have been calling first to change the contact person’s name and then waiting several weeks to call and change the payment information. This way, when the business calls to confirm the payment changes, it calls the bad actor, since their name is now listed as the contact person.

There are many ways you can avoid becoming a victim of a BEC attack. One of the best ways is to discuss these types of attacks on a regular basis within your organization by sending frequent emails or putting up signs around the office. Having a good IT department that regularly sends test emails to all employees to see which employees need follow-up training is another good way to avoid falling victim. HHM is also available to provide a short presentation on Occupational Fraud and the current fraud trends in the business world. Please contact HHM if you would like to schedule a time. November 16-22 is International Fraud Awareness Week, but we must talk about fraud all year round if we don’t want our business to become a victim of fraud.