What You Need to Know about Business Email Compromise

Written by: USB Security, Union Savings Bank

In any given year, 60 percent of small businesses fall victim to cyber attack. These attacks range in size from small hacks to large-scale assaults that can do enough harm to force small businesses to close their doors for good. While there are plenty of antivirus tools out there, many instances of small business cyber fraud begin by targeting a member of the organization, rendering even the most robust tools useless. This is especially evident in cases of business email compromise. As we kick off Cyber Security Awareness Month this October, we will be shining some light on issues affecting small businesses and how to best protect your organization.

What is business email compromise?

Picture your business’ network as a fortress. A moat around the castle keeps invaders at bay, and guards at each entrance monitor who comes in and out. In years past, hackers would try to sneak into the fortress undetected or break down its walls with debilitating malware.

More recently, hackers have learned that rather than breaking down the walls or hiding in the shadows, simply knocking on the front door under the guise of someone recognizable can do the trick. Your proverbial fortress lets down its guard and hackers stroll right in. Of course, you would never knowingly give hackers access to your small business network. So how are they getting in?

Business email compromise is a cyber fraud tactic hackers use to gain access to your network under the cover of a known name, such as an organization’s CEO or the small business owner. They often turn to social media to learn information about the individual they are impersonating, such as their email address and when they will be away from the office. Using this information, hackers contact someone else within the organization while behaving like the individual they are impersonating, even using a similar or hacked email address, and ask for sensitive information.

What does business email compromise look like?

If you have been following along so far thinking, “I’d never fall for that,” consider how one of your employees might react if they received an email like this from you.

From: jane.ceo@compny.com

To: john.employee@company.com

Subject: URGENT: Send file ASAP!

Hi John,

I’m in meetings all day and don’t have access to my laptop. I need you to generate a direct link to the customer database and text it to the number below. It’s extremely urgent, I need it for my presentation. You must text me in the next 5 minutes, I need to turn off my phone before my next meeting.

Using a combination of authority and urgency, hackers use fear tactics and play into their targets’ sense of duty to their company to get what they want. In many real examples of business email compromise, hackers have used emotional pleas to steal information, including threatening the recipient’s job if they don’t comply or promising promotions as a thank you for their help.

While similar maneuvers may be used over channels like texting, there is an added layer of trust that is associated with a business email address, especially when it’s tied to an authority figure within the organization. But there still may be clues to help you and your employees detect possible fraud.

How can business email compromise be detected?

Take a closer look at the email example above. Do you notice anything suspicious? If you compare the sender’s and recipient’s email addresses, you’ll see that they use the same structure, but the domain is slightly different. In the sender’s address, the “a” in company is missing.

To an employee reacting quickly to a request from their CEO, this is an easily missed detail, but one that could save the company thousands of dollars, if not more. Not all fraudsters use this method, however – some manage to gain access to the actual email account.

In addition to the discrepancy in the email addresses, there are a few other details in this email that might raise red flags. Fraudsters using business email compromise will often use a sense of urgency to get what they need. This gives the recipient little time to consider the request at hand or to notice anything unusual.

Pay close attention to how the sender wants the information. Does texting an unencrypted link to a database that contains sensitive customer information seem unusual? Every organization is different, but in most cases, this kind of operation requires a secure channel and should not be conducted over a private device.

Further investigation into this email may also reveal that the cell phone number listed is not actually associated with the CEO at all. While it is understandable that not every employee would have their CEO’s personal cell phone number, reaching out to someone within the organization who would have this information could help the recipient detect the fraud.
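As an added illustration (not part of the original article), the following Python script applies the cues from this section to the sample email: it compares the sender’s domain with the organization’s real domain using edit distance to catch the missing-letter lookalike, and it scans the subject and body for urgency language and requests to move to an unofficial channel. The sample message, phrase lists and the trusted domain are constructed for the example.

```python
import email
from email import policy

# Constructed sample modelled on the article's example email (not a real message).
SAMPLE_EMAIL = """From: jane.ceo@compny.com
To: john.employee@company.com
Subject: URGENT: Send file ASAP!

Hi John,

I'm in meetings all day and don't have access to my laptop. I need you to
generate a direct link to the customer database and text it to the number
below. It's extremely urgent. You must text me in the next 5 minutes.
"""

# Constructed phrase lists; a real deployment would tune these to the organization.
URGENCY_PHRASES = ("urgent", "asap", "immediately", "next 5 minutes", "right away")
OFF_CHANNEL_PHRASES = ("text it", "text me", "personal cell", "whatsapp")


def edit_distance(a, b):
    # Levenshtein distance: a one-character difference such as compny vs company scores 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return str(addr).rsplit("@", 1)[-1].strip(">").lower()


def analyze(raw, trusted_domain="company.com"):
    """Return a list of red flags found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = domain_of(msg["From"])
    subject = str(msg["Subject"] or "").lower()
    body = msg.get_content().lower()
    flags = []
    # Near-miss domains are lookalikes; an exact match from a hacked account needs other controls.
    if sender != trusted_domain and edit_distance(sender, trusted_domain) <= 2:
        flags.append(f"lookalike domain: {sender} vs {trusted_domain}")
    if any(p in subject or p in body for p in URGENCY_PHRASES):
        flags.append("urgency language")
    if any(p in body for p in OFF_CHANNEL_PHRASES):
        flags.append("request to move to an unofficial channel")
    return flags
```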

In several infamous cases of business email compromise, emails were sent to various members of large organizations demanding that recipients wire sums of money to an unknown number in order to complete a business transaction. As in the example above, these messages came from high-profile people within the organizations and carried strong senses of urgency. In some of these cases, there were even layers of approvals to enable the requests to go through unchallenged.

What should you do if you suspect business email compromise?

If you or your employees suspect any cyber fraud activity, the first step is to report it to a member of your IT or security team. They may even take the matter to the authorities. Several large-scale cases of business email compromise have been escalated to the federal level and in some of these cases, stolen funds have been returned.

Be careful not to open any links or attachments that come through with a suspicious email, and do not respond to the message unless instructed to do so by security or the authorities. In some cases, you may be asked to reach out to the individual the fraudster is impersonating – in this case, Jane the CEO – via another known channel such as a personal cell phone number or email address. However, it is possible that these channels have been compromised, too, so before you take this step, make sure you have already alerted security and remain observant.

Talking to your employees about business email compromise

Go back to the email example above and put yourself in your employees’ shoes. Would you feel intimidated or pressured if you received an email like this from a superior?

Talk to your employees about what business email compromise might look like and what initial steps to take to prevent harm to the company. Ensuring that your employees are informed and properly trained could save your business from cyber fraud.

For more business management tips, visit our Business Blog.
