Business Email Compromise and Social Engineering: What Every Company Needs to Know


Imagine that you are an employee of a small or mid-sized business who handles financial transactions. Company executives regularly send you emails asking you to send money via wire transfer. It’s just part of your job. So, you arrive at the office on a Monday morning to an email in your inbox asking you to wire money to a specific account. How do you react?

If you chose to wire the money without questioning, you could be a victim of what the FBI calls business email compromise. Cybercriminals are targeting businesses of all sizes—including very small ones—with fraudulent emails that are carefully designed to look like they are coming from a legitimate email account, often one associated with a company executive. In many cases, these emails ask the recipient—who has been specifically targeted because of their job function—to wire funds to a fraudulent account, or to send highly sensitive information, such as employee W-2 forms or business account information.

Unfortunately, these kinds of attacks are highly lucrative for criminals and have thus become increasingly common. The FBI reports that total losses due to business email compromise since 2013 have exceeded $5 billion. What’s more, these losses increased by 2,370% between January of 2015 and December of 2016.

So, how can your business avoid becoming another statistic? Read on to find out.

How Business Email Compromise Works

Business email compromise is a prime example of social engineering: fraud that manipulates individuals by exploiting their instinct to trust others. In business email compromise, that means using basic information about members of an organization to trick victims into handing over money or sensitive information.

In the example mentioned at the beginning of this post, all a cybercriminal needs to know to carry out a wire transfer scam is the names, titles, and email addresses of an executive and an employee who manages company finances or has access to sensitive information. They can then send an email that appears to come from the executive to the employee, asking them either to send money to a specified account or to divulge specific confidential information.

Sometimes, cybercriminals make their scams even more convincing by using malware or other means to gain access to an executive’s or an employee’s email account and learn the usual conventions of communication between the two. That way, their fraudulent emails seem even more real and trustworthy. It’s important to know, though, that business email compromise scams can be carried out even without these more sophisticated methods.

Which Organizations Are at Risk?

Really, all organizations are at risk for these kinds of attacks. Small businesses do not fly under social engineers’ radar. In fact, some cybercriminals may specifically target smaller organizations because there are fewer layers of communication between top-level executives and staff with access to company accounts or sensitive information.

It’s important to recognize, though, that the more information that is publicly available about an organization’s staff, the more likely they are to be targeted for social engineering attacks. For instance, if you list the names, titles, and email addresses of your staff on your website, criminals already have what they need to potentially fool an unsuspecting employee.

What You Can Do About It

While having technical safeguards in place can certainly help prevent some of the more sophisticated business email compromise attacks, their primary targets—and thus your organization’s primary points of vulnerability—are people, not systems. Every member of your organization needs to be aware of the social engineering tactics cybercriminals use, and you may need to think through how you verify requests for funds or sensitive information.

To get you started, here are some tips for preventing and avoiding business email compromise and other social engineering attacks:

  1. Be aware of what information you make public. These days, it’s commonplace for organizations to publish staff profiles on their websites, and many professionals have LinkedIn profiles that list their current jobs. So, limiting public disclosure of staff information may be difficult. The key, then, is to foster a culture of awareness that any public information about the members of a company can be used against the company in a social engineering attack.
  2. Educate staff on cybersecurity best practices regularly. It’s important to remind staff about cybersecurity basics (beware of links and attachments in emails, create strong passwords, etc.) on a regular basis. Furthermore, be sure to notify your staff when new scams or threats come to light.
  3. Create policies and processes for verifying sensitive communications. A great way to thwart business email compromise schemes is to avoid communication about transactions or sensitive information over email. Granted, this may be easier said than done. Still, think about ways your staff can verify, for instance, whether an email from an executive asking for a large wire transfer is legitimate.
  4. Consider boosting your email security. To keep cybercriminals from spying on your communications to build their fraud arsenal, consider implementing extra security for email accounts, such as two-factor authentication, email encryption, and password managers.
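The post describes the core tell of these scams: a message that looks like it comes from an executive but actually does not, asking for funds or sensitive data. As an added example (not part of the original post), the Python below shows the kind of mail-gateway check that supports tip 3: it parses a message and flags an executive display name paired with an unexpected address, a Reply-To that leaves the company domain, a lookalike sender domain, and wording that requests a wire transfer or W-2 data. The company domain, executive list, keywords and the sample message are all constructed for the demonstration.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Constructed reference data for the demonstration (hypothetical organization)
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Dana Lee": "dana.lee@example.com"}  # display name -> real mailbox
REQUEST_KEYWORDS = ("wire transfer", "wire", "w-2", "urgent payment")


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if `domain` is not `trusted` but is spelled almost like it (e.g. 'exannple.com')."""
    if domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.8


def analyze_message(raw: str) -> list[str]:
    """Return a list of BEC indicators found in an RFC 5322 message; empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Known executive's display name, but the mailbox behind it is not theirs
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append("executive display name with unexpected address")

    # 2. Replies are silently routed to a mailbox outside the company
    if reply_addr and reply_addr.rpartition("@")[2].lower() != COMPANY_DOMAIN:
        findings.append("reply-to points outside company domain")

    # 3. Sender domain imitates the company domain
    if is_lookalike(from_domain, COMPANY_DOMAIN):
        findings.append(f"lookalike sender domain {from_domain}")

    # 4. The request itself: money or sensitive records
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}".lower()
    if any(k in text for k in REQUEST_KEYWORDS):
        findings.append("requests funds or sensitive data")
    return findings


# Constructed sample message imitating an executive (not a real message)
SAMPLE_FRAUD = """From: Dana Lee <dana.lee@exannple.com>
Reply-To: Dana Lee <ceo.dana@mail-service.invalid>
To: finance@example.com
Subject: Urgent wire transfer

Please wire $48,000 to the account below today and confirm by reply.
"""
```

Run against the sample, `analyze_message(SAMPLE_FRAUD)` returns all four indicators; a genuine note from `dana.lee@example.com` with no Reply-To and no payment wording returns an empty list.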

If you have questions about social engineering or business email compromise, feel free to contact us today.