BUSINESS EMAIL COMPROMISE
WHEN SCAMMERS GO PHISHING, THEY HOPE TO REEL IN YOU AND YOUR BUSINESS DATA
There’s an old expression: “fishing for information.” It means that a person is trying to pry information from you indirectly. Instead of coming straight out and asking a question, they talk around the topic, hoping to extract from you what it is they actually want to know.
In today’s world, that old saying has been updated and modified.
Now, cybercrooks go phishing for information from individuals and businesses. The scammers don’t come right out and say, “Can you give me your email address and password so I can steal thousands of dollars from you?” Instead, they also take the indirect approach…through phishing.
They use all sort of trickery—well-disguised lies and deceit—to extract valuable information from businesses and their employees. Their bag of tricks includes emails, texts and fake websites that seem to be legitimate to lure you in. Once you’re hooked, they can reel in all types of company secrets and steal boatloads of dollars.
AVOIDING THE HOOK.
That’s why it’s more important than ever to do what you can to prevent it and be aware of the full story on phishing:
The cost to businesses in fraud losses
Why employees make good victims
The signs of a phishing attempt
What happens when victims are hooked
How to thwart phishing attempts
PHISHING IS PROFITABLE FOR CROOKS.
Cybercrime cost individuals and businesses more than $4 billion in losses in 2020, according to an FBI report. The tricks scammers use on citizens are easily adapted for businesses of all sizes, with phishing attacks leading the list of scams reported to the FBI.
Make no mistake, as long as you’re in business, you or your employees could be the target of a phishing attempt. The prime targets are the ones who have the most decision-making authority, but employees make great targets too, and the cybercrooks know this. Here’s why:
Employees often wear many hats and are constantly under pressure to multitask—this makes it easy for them to be distracted or less attentive than usual
They may also fall into a routine and be somewhat complacent, which makes them susceptible to a phishing attempt
If there are a few hundred employees in your company, one employee may not be familiar with who is on your executive team and could be easily fooled by an email from someone posing as a high-level authority, which is known as business email compromise, or BEC
HOW PHISHING WORKS.
Phishing emails (and sometimes texts) are designed to trick you into believing that the message is from a trustworthy source, such as a person or company you know. Here are some of the possibilities:
The email or texts may seem to come from a familiar source
The scammer might impersonate a vendor that is sending an invoice
The message could appear to come from an important client
It could look as if a coworker has sent a message
Scammers also send phishing messages that imitate messages from banks, credit cards or other organizations that an employee might recognize
No matter who these con artists are or their skill level, they will still generally take the same approach:
They will send an email that at a quick glance seems to be simply another of the many daily (sometimes hundreds!) that you our your very busy employees get
The message will come from a fictitious person at the same company or from a fake or impersonated person from a different company
The message will direct the reader to take some type of quick action—urgency is always a factor because the scammer knows he will get only once chance and must make the best of it
You may also get emails from organizations you may have heard of but never dealt with, e.g., a nonprofit children’s program or a business offering office supplies at a discount. These messages could be worthwhile, but they also could be scams.
WHEN VICTIMS GET HOOKED BY A PHISHING ATTACK.
If the recipient isn’t careful, isn’t paying attention or is rushed, they might respond to the email (believing the sender and the request are legitimate) and take the action requested by the scammer:
Wiring money to scammers
Downloading fake invoices and forwarding them, with approval for payment
Providing passwords to networks or to the company intranet
Divulging sensitive company information such as employee names, phone numbers, email addresses or account numbers
Clicking on email links that infect computers and company networks with malware, perhaps even ransomware
SPREAD THE MESSAGE: “NO PHISHING.”
No matter the size of the company, it is vitally important for businessowners and management teams to fully understand and be aware of phishing attempts and to have some type of cyber-readiness plan in place to help thwart them and prevent losses:
Carefully examine EVERY email you receive, assuming you’ll get phishing emails and texts routinely
Look at the return address of an email and verify that it is (and not simply looks) legitimate
NEVER click on an attachment without ensuring the sender is 100% legitimate—most malware is launched by employees clicking on dangerous links
If a request seems odd or out of the ordinary—even if it seems to be from someone you know—call the person or department directly to verify the request
Do not reply to an email unless you are certain it is safe to do so
Do not call any numbers listed in the email message or visit listed websites
See if the website address has the “secure” symbol and begins with “https”—scammers often won’t bother to secure their fake websites
Do an internet search of the organization by typing in the name and adding the word “scam” after it
You can also do a search using the exact wording of the email message itself or the subject line of the email—many times that helps uncover a phishing attempt or other scam
For more information on protecting your business from business fraud and other dangers, visit the Banc of California Business Insights page on the Banc of California website. It provides valuable information from business experts on a variety of topics, including cybersecurity.