Despite years of claims that the “death of email” is fast approaching, this decades-old method of communication still thrives in business – especially in the hacking business.
Emails that appear legitimate but contain malicious links are one of the most dangerous yet effective methods used by cybercriminals and have led to some of the biggest hacks in recent years, including the breach of telecommunications giant Twilio in 2022 and the hack of social media platform Reddit last year.
Sometimes these emails are easy to spot thanks to spelling mistakes or unusual email addresses, but as hackers become more sophisticated, it is becoming increasingly difficult to distinguish fraudulent emails from legitimate ones.
For example, Business Email Compromise (BEC) is a type of email-based attack that targets organizations large and small with the goal of stealing money, sensitive information, or both. In this type of scam, hackers impersonate or compromise someone close to the victim, such as a colleague, boss, or business partner, in order to trick them into unwittingly disclosing confidential information.
The risk this poses to businesses, especially startups, cannot be overstated: US individuals lost nearly $3 billion to BEC scams last year alone, according to the latest data from the FBI, and these attacks show no signs of slowing.
How to spot a business email compromise
Watch out for warning signs
Cybercriminals are getting more and more sophisticated in their email sending methods, but there are some simple warning signs to look out for: emails sent outside of normal business hours, misspelled names, mismatched sender and reply-to addresses, unusual links or attachments, and an unnecessary sense of urgency.
Contact the sender directly
Spear phishing (where hackers use personalized phishing emails to impersonate a senior executive within a company or an outside vendor) makes it nearly impossible to determine if the message came from a trusted source. If an email seems out of the ordinary (or looks unusual), contact the sender directly to verify the request rather than replying to the email or any phone number provided in the email.
Check with your IT person
Tech support scams are becoming more and more common. In 2022, Okta customers were targeted by a highly sophisticated scam in which attackers sent employees text messages with links to phishing sites that mimicked the look and feel of their employer's Okta login page. These login pages were so authentic that over 10,000 people submitted their work credentials. IT departments are unlikely to contact you via SMS, so if you suddenly receive random text messages or unexpected pop-up notifications on your device, it's important to check if they're legitimate.
Be (even) more careful with your phone
Cybercriminals have long used email as a weapon of choice. More recently, they have been using scam phone calls to hack into organizations. Last year, hotel chain MGM Resorts was reportedly hacked after a single phone call, with hackers tricking the company's service desk into granting them access to employee accounts. Always be suspicious of unexpected calls, even if they appear to be from legitimate contacts, and never share sensitive information over the phone.
Multi-factor everything!
Multi-factor authentication, which typically requires you to log in with a regulatory username and password in addition to a code, PIN, or fingerprint, is by no means foolproof. But adding an extra layer of security to easily hacked passwords makes it much harder for cybercriminals to access your email accounts. Deploying passwordless technologies such as hardware security keys and passkeys can add another layer of security to prevent information-stealing malware from stealing your passwords and session tokens.
Implementing stricter payment processes
In any type of cyberattack, the criminal's ultimate goal is to get money, and a successful BEC scam often relies on manipulating a single employee into making a wire transfer. Some financially motivated hackers will pose as a vendor and request payment for services they performed for your company. To reduce the risk of falling victim to this type of email scam, implement strict payment processes. Create payment authorization protocols, require employees to confirm transfers through alternative communication methods, and instruct your finance team to double-check any changed bank account details.
You can also ignore
Ultimately, your risk of falling victim to most BEC scams can be minimized by simply ignoring the attempt and moving on. If you're not sure if your boss really wants you to buy $500 worth of gift cards, ignore them. If you get an unexpected call, hang up. But for the sake of your security team and your colleagues, don't stay silent. Report the attempt to your workplace or IT department and be vigilant.