3 Ways to stop business email compromise

July 01, 2020

The Federal Bureau of Investigation (FBI) reported that in 2019, business email compromise (BEC) scams accounted for $1.7 billion or half the total cybercrime losses for that year.

The FBI also received 23,775 BEC scam complaints — an average of $75,000 per complaint. In comparison, the average loss per complaint was $500 for phishing attacks and $4,400 for ransomware. That’s why the FBI’s Internet Crime Report considered BEC scams “the most damaging and effective type of cybercrime in 2019.”

What is a business email compromise scam?

Formerly called a man-in-the-email attack, a BEC scam targets companies that work with foreign organizations and regularly pay by wire transfer. BEC attackers typically compromise or spoof the email accounts of high-level executives to trick employees of the same company, or its business partners, into wiring money to a bank account the attackers control.

A popular example of a BEC scam victim is Mattel, the US-based toy maker behind Barbie and Hot Wheels. After receiving an email from a person claiming to be the newly installed CEO Christopher Sinclair, Mattel’s high-ranking finance executive approved a $3 million cash transfer to a “new vendor in China.” By the time the company realized that the email didn’t really come from Sinclair and reported the incident to their US bank and law enforcement, the money was gone.

How can you prevent business email compromise attacks?

BEC scams are very common because they don’t require complex coding skills or malware, just deception. But there are many ways you can protect your company against them.

#1 Invest in robust email security technologies
Many BEC scams pass through basic spam filters because they typically contain no malicious links or attachments. But there are advanced email security solutions like Graphus that can effectively detect and block them.

Graphus does so by leveraging artificial intelligence and machine learning. It analyzes your employees’ email behavior (e.g., who they work with, how often they communicate, etc.) to create trusted profiles. Using these trusted profiles for comparison, it scans for irregularities in message content and attachments as well as suspicious behavior to spot attacks. With every user interaction and feedback, Graphus becomes smarter and more effective in protecting your company from even the latest and most sophisticated cyberattacks.
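The kind of irregularity a profile-based filter looks for can be illustrated with a few plain header checks. The following is an added example written for this post, not Graphus code or its TrustGraph algorithm: it parses a message, compares the sender against a constructed list of company domains and executive addresses, and flags display-name impersonation, one-character lookalike domains, a Reply-To that diverts replies elsewhere, and payment-pressure wording. The domains, names and sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed data for this example: the organisation's own mail domains and the
# executives whose names a BEC lure would most plausibly borrow (hypothetical).
COMPANY_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"christopher sinclair": "csinclair@example-corp.com"}
# Wording that BEC lures lean on; used only as a weak supporting signal.
PRESSURE_TERMS = ("urgent", "wire transfer", "confidential", "new vendor", "immediately")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> List[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list = none fired)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    reasons: List[str] = []

    # 1. Display-name impersonation: a known executive's name on an address we do not know.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        reasons.append("executive display name on unknown address")

    # 2. Lookalike domain: one edit away from a company domain, but not equal to it.
    if from_dom not in COMPANY_DOMAINS and any(
        edit_distance(from_dom, d) <= 1 for d in COMPANY_DOMAINS
    ):
        reasons.append(f"lookalike sender domain {from_dom}")

    # 3. Reply-To hijack: replies would go somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        reasons.append("reply-to domain differs from sender domain")

    # 4. Pressure wording: a supporting signal only, never sufficient on its own.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(term in text for term in PRESSURE_TERMS):
        reasons.append("urgency or payment wording")

    return reasons


# Constructed sample messages (not real traffic). The first mimics a CEO-impersonation
# lure from a lookalike domain; the second is ordinary internal mail.
SPOOFED = """From: Christopher Sinclair <ceo@exanple-corp.com>
Reply-To: Christopher Sinclair <c.sinclair@mail-relay.example>
Subject: Urgent wire transfer - confidential
Content-Type: text/plain

Please process a wire transfer to our new vendor in China immediately.
"""

LEGITIMATE = """From: Christopher Sinclair <csinclair@example-corp.com>
Subject: Board deck for Thursday
Content-Type: text/plain

Attached is the draft agenda, comments welcome.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(sample))
```

Each check on its own produces false positives (executives do use personal addresses, and "urgent" appears in honest mail), which is why a real filter combines them with the sender's established communication profile rather than blocking on any single hit.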

#2 Add more controls to internal processes
Review your existing company procedures and policies. Whenever there’s a request that involves money — from changing payment details to inquiries about vendor relationships to payment follow-ups — make sure you have at least a two-step verification process. For example, after receiving an email request, always verify it by using a different method, like calling the person who made the request.

Lastly, limit those in your company who can conduct money transfers or have access to vendor information.
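The two-step verification and access limits above can be expressed as enforceable rules rather than a checklist. The following is an added example, not part of the original post: it models a vendor bank-account change request in which a second person must confirm the change by calling the phone number held in the vendor master file (not the number supplied in the email), and a treasury role distinct from both the requester and the verifier must approve it. The vendor, staff names, roles and account numbers are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed vendor master file (hypothetical data). The number used for the
# verification call is always taken from here, never from the email itself.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "ACME Components": {"account": "GB29NWBK60161331926819", "phone": "+44 20 7946 0000"},
}

# Constructed role table (hypothetical staff). Only treasury may approve, and the
# requester, verifier and approver must be three different people.
ROLES: Dict[str, Set[str]] = {
    "alice": {"accounts_payable"},
    "bob": {"accounts_payable"},
    "carol": {"treasury"},
}


class VerificationError(Exception):
    """Raised when a control in the two-step process is not satisfied."""


@dataclass
class AccountChangeRequest:
    vendor: str
    new_account: str
    requested_by: str            # staff member who received the email
    phone_in_email: str          # contact details the sender supplied (untrusted)
    callback_verified_by: Optional[str] = None
    approved_by: Optional[str] = None


def record_callback(req: AccountChangeRequest, verifier: str, number_dialled: str) -> AccountChangeRequest:
    """Step 1: a second person confirms the change by phone, using the number on file."""
    if verifier == req.requested_by:
        raise VerificationError("verifier must differ from requester")
    if req.vendor not in VENDOR_MASTER:
        raise VerificationError("unknown vendor; no contact details on file")
    if number_dialled != VENDOR_MASTER[req.vendor]["phone"]:
        raise VerificationError("callback must use the number on file, not the one in the email")
    req.callback_verified_by = verifier
    return req


def approve(req: AccountChangeRequest, approver: str) -> AccountChangeRequest:
    """Step 2: a treasury role signs off, and only after a recorded callback."""
    if req.callback_verified_by is None:
        raise VerificationError("no out-of-band verification recorded")
    if "treasury" not in ROLES.get(approver, set()):
        raise VerificationError(f"{approver} is not permitted to approve payment changes")
    if approver in (req.requested_by, req.callback_verified_by):
        raise VerificationError("approver must differ from requester and verifier")
    req.approved_by = approver
    return req


def run_scenarios() -> Dict[str, str]:
    """Drive the controls through the happy path and the shortcuts a BEC lure invites."""
    results: Dict[str, str] = {}
    on_file = VENDOR_MASTER["ACME Components"]["phone"]

    def new_request() -> AccountChangeRequest:
        # The "urgent" email asks to pay a new account and helpfully supplies a phone number.
        return AccountChangeRequest("ACME Components", "GB94BARC10201530093459", "alice", "+44 7700 900123")

    req = new_request()
    record_callback(req, "bob", on_file)
    approve(req, "carol")
    results["happy_path"] = req.approved_by or ""

    for label, action in (
        ("callback_to_number_in_email", lambda r: record_callback(r, "bob", r.phone_in_email)),
        ("approve_without_callback", lambda r: approve(r, "carol")),
        ("requester_verifies_own_request", lambda r: record_callback(r, "alice", on_file)),
        ("approver_lacks_treasury_role", lambda r: approve(record_callback(r, "bob", on_file), "alice")),
    ):
        try:
            action(new_request())
            results[label] = "accepted"
        except VerificationError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

The important detail is where the callback number comes from: a lure that changes bank details will usually include a "new" contact number, and calling it simply reaches the attacker, so the control only works when the number is read from records the sender could not have influenced.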

#3 Educate your employees
While fortifying your IT defenses and exercising greater control over your internal processes will greatly improve your company’s cybersecurity posture, those efforts will be for naught if your employees lack awareness. That’s why it’s important to conduct regular cybersecurity awareness training for your staff. These sessions should teach them about the different scams that exist, how they transpire, what to look out for, and what they should do. This will help them recognize and defend against potential BEC scams.


Your company doesn’t have to become another BEC victim. Use your company email with confidence knowing that Graphus is protecting it from the most sophisticated cyberattacks and social engineering scams. Enjoy your FREE 14-day Graphus trial here!
