BUSINESS EMAIL COMPROMISE
When scammers go phishing, they hope to reel in you and your business data
There’s an old expression: “fishing for information.” It means that a person is trying to pry information from you indirectly. Instead of coming straight out and asking a question, they talk around the topic, hoping to extract from you what it is they actually want to know.
In today’s world, that old saying has been updated and modified.
Now, cybercrooks go phishing for information from individuals and businesses. The scammers don’t come right out and say, “Can you give me your email address and password so I can steal thousands of dollars from you?” Instead, they also take the indirect approach…through phishing.
They use all sort of trickery—well-disguised lies and deceit—to extract valuable information from businesses and their employees. Their bag of tricks includes emails, texts and fake websites that seem to be legitimate to lure you in. Once you’re hooked, they can reel in all types of company secrets and steal boatloads of dollars.
Avoiding the hook.
That’s why it’s more important than ever to do what you can to prevent it and be aware of the full story on phishing:
- The cost to businesses in fraud losses
- Why employees make good victims
- The signs of a phishing attempt
- What happens when victims are hooked
- How to thwart phishing attempts
Phishing is profitable for crooks.
Cybercrime cost individuals and businesses more than $4 billion in losses in 2020, according to an FBI report. The tricks scammers use on citizens are easily adapted for businesses of all sizes, with phishing attacks leading the list of scams reported to the FBI.
Make no mistake, as long as you’re in business, you or your employees could be the target of a phishing attempt. The prime targets are the ones who have the most decision-making authority, but employees make great targets too, and the cybercrooks know this. Here’s why:
- Employees often wear many hats and are constantly under pressure to multitask—this makes it easy for them to be distracted or less attentive than usual
- They may also fall into a routine and be somewhat complacent, which makes them susceptible to a phishing attempt
- If there are a few hundred employees in your company, one employee may not be familiar with who is on your executive team and could be easily fooled by an email from someone posing as a high-level authority, which is known as business email compromise, or BEC
How phishing works.
Phishing emails (and sometimes texts) are designed to trick you into believing that the message is from a trustworthy source, such as a person or company you know. Here are some of the possibilities:
- The email or texts may seem to come from a familiar source
- The scammer might impersonate a vendor that is sending an invoice
- The message could appear to come from an important client
- It could look as if a coworker has sent a message
- Scammers also send phishing messages that imitate messages from banks, credit cards or other organizations that an employee might recognize
No matter who these con artists are or their skill level, they will still generally take the same approach:
- They will send an email that at a quick glance seems to be simply another of the many daily (sometimes hundreds!) that you our your very busy employees get
- The message will come from a fictitious person at the same company or from a fake or impersonated person from a different company
- The message will direct the reader to take some type of quick action—urgency is always a factor because the scammer knows he will get only once chance and must make the best of it
You may also get emails from organizations you may have heard of but never dealt with, e.g., a nonprofit children’s program or a business offering office supplies at a discount. These messages could be worthwhile, but they also could be scams.
When victims get hooked by a phishing attack.
If the recipient isn’t careful, isn’t paying attention or is rushed, they might respond to the email (believing the sender and the request are legitimate) and take the action requested by the scammer:
- Wiring money to scammers
- Downloading fake invoices and forwarding them, with approval for payment
- Providing passwords to networks or to the company intranet
- Divulging sensitive company information such as employee names, phone numbers, email addresses or account numbers
- Clicking on email links that infect computers and company networks with malware, perhaps even ransomware
Spread the message: “no phishing.”
No matter the size of the company, it is vitally important for businessowners and management teams to fully understand and be aware of phishing attempts and to have some type of cyber-readiness plan in place to help thwart them and prevent losses:
- Carefully examine EVERY email you receive, assuming you’ll get phishing emails and texts routinely
- Look at the return address of an email and verify that it is (and not simply looks) legitimate
- NEVER click on an attachment without ensuring the sender is 100% legitimate—most malware is launched by employees clicking on dangerous links
- If a request seems odd or out of the ordinary—even if it seems to be from someone you know—call the person or department directly to verify the request
- Do not reply to an email unless you are certain it is safe to do so
- Do not call any numbers listed in the email message or visit listed websites
- See if the website address has the “secure” symbol and begins with “https”—scammers often won’t bother to secure their fake websites
- Do an internet search of the organization by typing in the name and adding the word “scam” after it
- You can also do a search using the exact wording of the email message itself or the subject line of the email—many times that helps uncover a phishing attempt or other scam
For more information on protecting your business from business fraud and other dangers, visit the Banc of California Business Insights page on the Banc of California website. It provides valuable information from business experts on a variety of topics, including cybersecurity.
CONNECT WITH A RELATIONSHIP MANAGER
who specializes in your industry by completing the form
HOW TO GUARD AGAINST PAYMENT FRAUD
Payment Fraud is difficult to detect, but there are measures you can take to help prevent it. Here, you can learn what they are, and what to do about them.