How to Protect Your Company from Business Email Compromise

By Travelers

One mistaken click can be costly if a hacker gains access to your business email account and uses that access to defraud your business of thousands – or even millions – of dollars. Watch Ken Morrison, a Travelers cybersecurity professional, show how an attack like this works so you can recognize the signs and take steps to protect your business from cybercriminals.

Business email hacking is a serious risk to businesses of all sizes and industries. Known as a business email compromise, or BEC, it is a type of social engineering fraud that involves a hacker gaining access to an employee’s business email account. Posing as the employee, the hacker tricks others into executing fraudulent wire transfers, gift card purchases or other financial transactions.

Often, business email compromise hacks involve the perpetrator impersonating the company’s chief executive officer or another high-ranking employee. This tactic serves to intimidate the lower-ranking employee who receives an email from the executive directing the employee to make a time-sensitive wire transfer of funds. Often, the instructions say the matter is urgent and include business-specific details, such as the executive traveling overseas or attending an important event in another country, so the request appears credible and dupes the recipient into acting on what seems to be a business-critical request. Business email compromise can also involve impersonating, or spoofing, the email account of a trusted partner, such as a vendor or contractor.

For businesses and the financial institutions that serve them, business email compromise is a growing cyber risk. Companies with publicly available information about their business transactions and processes can become attractive targets to hackers who use such information in their schemes.

“A business email compromise can threaten the survival of a business,” said Ken Morrison, a Travelers Risk Control cybersecurity professional, who recently demonstrated how a business email attack works. The most important factor in determining whether a company recovers funds is how quickly the fraud is discovered, Morrison said. Sometimes it’s possible to stop payment before money mules withdraw funds for these cyber thieves. Insurance coverage for social engineering fraud can also help protect companies from this type of scam.

“It’s not just the funds stolen in a fraudulent wire transfer or other transaction that can be a loss to a business – it’s the potential for a data breach as a result of the compromise,” Morrison said, adding that there could be expensive regulatory implications and reporting requirements for the business, as well as potential damage to a company’s brand and reputation.

Business email compromises target vulnerable business practices

“Understanding how business email compromise schemes work can help companies reduce their susceptibility to business email fraud,” Morrison said. Companies can also report business email compromise attempts to IC3.gov, the Internet Crime Complaint Center, so authorities can recognize trends and target the growing number of cyber thieves.

Companies can help protect their operations against the threat of compromised emails. For example, avoid sharing information about business processes online, which can be used in a scam. Scammers conduct reconnaissance on targets, often through social media, to develop spear-phishing schemes and create credible demands for payment, often by impersonating a critical player in a business.

In a business email compromise, a hacker could gain access to an employee’s email account through a spear-phishing attempt, in which the employee clicks on a link in an email that appears to be legitimate. Once the employee clicks on the link, their business email account is compromised. The hacker then poses as that employee and requests an urgent wire transfer. However, if the company has strict authorization and authentication protocols in place, such as an automatic prompt that requires the employee to make a phone call to verify changed wire transfer instructions, scams like these can be thwarted before causing actual damage.

Ways to prevent business email compromise

To mitigate risks and make themselves less attractive targets, companies can assess their business processes and establish email security best practices and protocols. Steps might include creating a cybersecurity awareness and training program that includes instructions on how to recognize social engineering-based attacks like phishing and other scams that target business email. Because business email compromise trends and techniques evolve, it’s important to regularly update your training programs and have employees participate in refresher classes.

Implement other cybersecurity enhancements such as:

  • Multifactor authentication for cloud-based email and remote access.
  • Dual authorization policies for financial transactions.
  • Social media policies and best practices that include the latest security protocols.
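The two process controls described above, holding any changed wire transfer instructions until they are verified by phone, and requiring dual authorization for financial transactions, can be encoded in a payment-release gate so they cannot be skipped under pressure. The following is an added example written for this article, not Travelers' code or the code of any product it mentions. It assumes a vendor master file that records each payee's bank details and a contact phone number, and it adds one detail the article does not spell out: the verification call must go to the number already on file, never to a number supplied in the request email. Payee names, account identifiers and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Payee:
    """A vendor or partner as recorded in the master file before any request arrives."""
    name: str
    bank_account: str
    phone_on_file: str


@dataclass
class WireRequest:
    """A transfer request as it arrives by email. Every field is untrusted input."""
    payee: str
    amount: float
    bank_account: str           # bank instructions as stated in the email
    requester: str              # mailbox the request came from (may be compromised)
    approvers: Set[str] = field(default_factory=set)
    verified_via: Optional[str] = None   # phone number actually dialled for callback


class PaymentGate:
    """Holds a wire until changed instructions are verified and a second person approves."""

    def __init__(self, payees: Iterable[Payee]) -> None:
        self.payees: Dict[str, Payee] = {p.name: p for p in payees}

    def record_callback(self, req: WireRequest, number_dialled: str) -> bool:
        """Mark the request verified only if the call went to the number on file.

        A callback number quoted inside the request email could belong to the
        attacker, so it never counts as verification.
        """
        payee = self.payees.get(req.payee)
        if payee is not None and number_dialled == payee.phone_on_file:
            req.verified_via = number_dialled
            return True
        return False

    def evaluate(self, req: WireRequest) -> Tuple[bool, List[str]]:
        """Return (release, reasons). An empty reasons list means the wire may be released."""
        reasons: List[str] = []
        payee = self.payees.get(req.payee)

        if payee is None:
            reasons.append("payee not in master file; onboard through the normal process first")
        elif req.bank_account != payee.bank_account and req.verified_via != payee.phone_on_file:
            # Changed instructions are the core of a BEC scheme: hold until verified by phone.
            reasons.append(
                f"bank details differ from record; verify by calling {payee.phone_on_file}"
            )

        # Dual authorization: the person whose mailbox asked for the wire cannot be
        # the only person approving it.
        if not (req.approvers - {req.requester}):
            reasons.append("dual authorization required: an approver other than the requester")

        return (not reasons, reasons)


def demo() -> Tuple[bool, List[str]]:
    """Walk one constructed request through the gate and return the final decision."""
    gate = PaymentGate([Payee("Acme Supplies", "ACCT-ON-FILE-0001", "+1-555-0100")])
    # Email from the CFO's mailbox asks to pay Acme to a new account "urgently".
    req = WireRequest(
        payee="Acme Supplies",
        amount=48000.0,
        bank_account="ACCT-FROM-EMAIL-9999",
        requester="cfo@example.com",
        approvers={"cfo@example.com"},
    )
    first = gate.evaluate(req)          # held: new bank details and no second approver
    gate.record_callback(req, "+1-555-0199")   # number quoted in the email: does not count
    gate.record_callback(req, "+1-555-0100")   # number on file: counts
    req.approvers.add("controller@example.com")
    final = gate.evaluate(req)
    return first, final


if __name__ == "__main__":
    first, final = demo()
    print("initial decision:", first)
    print("after callback and second approver:", final)
```

The gate deliberately reports every unmet control at once rather than stopping at the first, so the accounts-payable clerk sees the full list of steps before the wire can go out; the urgency an attacker builds into the email has no field in the request and therefore cannot shorten that list.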

Protection pre-breach, post-breach and always

Cyber insurance can also help protect your company from cyber thieves – pre-breach, post-breach and always – especially when it includes services like training and assessments of your company’s technology risks. Cyber insurance from Travelers can also cover forensic investigations, litigation expenses associated with a data breach, regulatory defense expenses/fines, crisis management expenses, business interruption losses, cyber extortion and more.

In addition to coverage, Travelers provides pre-breach and post-breach risk management services for policyholders at no additional cost. These include access to pre-breach services provided by HCL Technologies, a global leader in cybersecurity solutions, and access to Travelers’ eRisk Hub®,* an information portal of risk management tools powered by NetDiligence®.

Learn more about cyber risk insurance or talk to an agent to discuss how cyber insurance can help protect your business.

* eRisk Hub is a registered trademark of NetDiligence.
