Be(a)ware of Cybersecurity Risk: Business Email Compromise

October is National Cybersecurity Awareness Month. M3 will be posting a series of articles throughout the month with today’s hot topics in cyber exposures, culminating in the release of an exclusive video conversation with information that can help you proactively protect your business from cyber attack.

The Criminal’s Mask of Deception

Business Email Compromise (BEC) is defined as an email from what appears to be a known source making a legitimate request for money or goods. These incidents come in a variety of forms – fraudulent invoices, requests for information, credential harvesting, and directed purchases. One common instance around the holidays appears to come from an executive needing assistance with holiday shopping. The email may request that the recipient do the executive a favor and purchase thousands of dollars’ worth of Amazon gift cards and provide the numbers and information of those cards. Other times, an email request will come through asking for a change in payment instructions. This may seem like it is a legitimate request, but verifying these instructions is more important and necessary than ever. Businesses lose many thousands or millions of dollars to these crimes annually.

It is easy to think these criminals are lone actors, but they are often well-staffed criminal organizations that target executives. Linguists, lawyers, hackers, and customer service are all part of the equation to dupe you and your employees. The criminals spend time scouring through social media and studying emails to determine the timbre and format of communication. These efforts are coordinated and targeted.

Remove the mask of business email compromise deception with best practices:

1. Utilize email security systems that monitor suspicious behavior. This is an easy way to filter out spam emails that may have a BEC component attached. There may also be tools to double check the links when they are clicked on, or block emails where the domain has been spoofed.

2. Limit your social media presence. Don’t post when you are vacationing or out of the office – this is often when scams are perpetrated. Keep the amount of information online as limited as possible.

3. Keep your employees educated. We often hear from employees caught in these schemes that something “felt off.” Understanding the difference between requests that are appropriate and requests that would never be made are imperative for administrative assistants and accounting departments.

4. Use two factor authentication! This is a critical update to your IT posture for the most common exposures we see – this prevents credentials alone providing access to critical systems like email. Encourage a phone call after email requests for payments to verify if instructions have changed, or if a request truly is legitimate.

Business Email Compromise may have hidden behind the mask in your cybersecurity exposures for too long. With the right tools respond and awareness of the risks, a Halloween mask can be the scariest mask you see this October. Rely upon your M3 Account Executive to understand your business and potential exposures.


Emily Selck is director of cyber liability at M3 Insurance. 

Have Questions? Ask Us:

Sign-up for M3 Blog email updates

Please select all topics of interest that apply: