Wilco Business Review • December 2021


TECHNOLOGY

BUSINESS EMAIL COMPROMISE

Ben Lake

ben@openroad.network

$38,000

How would you like to lose that much money in the blink of an eye? Yeah, me neither. But that almost happened to a local business through a sneaky scam called “business email compromise” (BEC).

The financial manager for this company received a brief email from the company owner requesting that she pay for some recent legal services he used in accordance with an attached invoice ($38k), and to let him know when the wire transfer was complete. This particular business is in an industry where it’s not uncommon to wire large amounts of money on a regular basis, so the request wasn’t that out of the ordinary. The financial manager visited the bank later that day and submitted the wire instructions. Upon returning to her car, she viewed the email again to reply and—simply because her phone app presents emails slightly differently from her computer—noticed that the sender of the original message was not the owner’s email address! A quick call to the owner confirmed her worst fears: he never sent any such message. Frantic, she rushed back into the bank and they were thankfully able to cancel the transfer.

This type of fraud—business email compromise—is unfortunately becoming more common and can really ruin your day. The scammer either uses a phony email address disguised as the legitimate user (“Mr. Boss Man” <nottherealaddress@gmail.com>) or, in more serious cases, has actually obtained access to the boss’s email account and is sending the scam from his/her legitimate mailbox.

In the case above, the scammer was using a phony address and thankfully did not have access to the company’s email system. I reviewed the email and the attached invoice, and it was scary how real it looked. None of the grammar was wrong (poor grammar is often a red flag that the sender isn’t a native English speaker), and the invoice with wire instructions would have fooled me, too. Afterwards, we called the number on the invoice and discovered it was not in service. That fact, and the phony address, were the only indicators of fraud.

There is little that can be done to defend against this type of scam, but there are measures to help.

The best method is going to be user education. Make sure anyone in your company with access to financial accounts is aware of this scam. If they have any doubts about a financial request, they should absolutely verify in person or over the phone (and NOT by email).

You might even consider a secret word or phrase the boss can use to claim legitimacy.

Use unique passwords and multi-factor authentication when available, but even this won’t prevent spoofed email from getting through.

Apply a warning label to all incoming emails generated from outside your organization. Your IT support company can assist in configuring this feature. In theory, a recipient of a spoofed email from the boss would see the warning label and recognize this as a red flag. In practice, the warning label is seen by users so frequently that they may fail to recognize it when it really matters.

So, learn from the (almost) costly mistakes of others: educate yourself and your employees, and leverage technology best practices to limit the chance of being scammed by business email compromise.
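The phony-address case and the external warning label described in this article can be combined into one check, sketched here as an added example (not code from the author or from any mail product). It goes one step beyond the blanket label by raising a more specific warning when an outside address uses the owner's display name; the domain `example.com`, the address `boss@example.com`, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                    # assumed company mail domain
PROTECTED = {"boss man": "boss@example.com"}  # assumed owner name -> real address
HONORIFICS = {"mr", "mrs", "ms", "dr"}

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Mr. Boss Man" <nottherealaddress@gmail.com>\n'
           "Subject: Invoice for legal services\n\nPlease wire payment today.\n")
VENDOR = ('From: "Acme Supplies" <billing@vendor.example>\n'
          "Subject: Monthly statement\n\nStatement attached.\n")
INTERNAL = ('From: "Boss Man" <boss@example.com>\n'
            "Subject: Lunch\n\nNoon works.\n")

def normalize(name):
    """Lower-case a display name and drop honorifics and punctuation."""
    words = (w.strip(".,").lower() for w in name.split())
    return " ".join(w for w in words if w and w not in HONORIFICS)

def assess(raw):
    """Return findings for one raw message, based on its From header."""
    display, addr = parseaddr(message_from_string(raw).get("From", ""))
    addr = addr.lower()
    findings = []
    if addr.rpartition("@")[2] != ORG_DOMAIN:
        findings.append("external-sender")
    real = PROTECTED.get(normalize(display))
    # A protected name on any other address is the phony-address case.
    # Mail sent from the owner's real (possibly compromised) mailbox passes.
    if real and addr != real:
        findings.append("display-name-impersonation")
    return findings

def label_subject(raw):
    """Prefix the subject with the most specific warning that applies."""
    subject = message_from_string(raw).get("Subject", "")
    findings = assess(raw)
    if "display-name-impersonation" in findings:
        return "[POSSIBLE IMPERSONATION] " + subject
    if "external-sender" in findings:
        return "[EXTERNAL] " + subject
    return subject

if __name__ == "__main__":
    for raw in (SPOOFED, VENDOR, INTERNAL):
        print(assess(raw), "->", label_subject(raw))
```

Because the check only compares the display name with the sending address, a request sent from the owner's genuine mailbox is not flagged, which is why verification in person or by phone still matters.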

BEN LAKE

Ben is the owner of Open Road Network Services, a Georgetown-based business providing honest, reliable, and affordable technology support to individuals and small businesses. He is particularly passionate about educating and empowering his clients to become more comfortable with technology.

512-942-7623 • www.openroad.network

WILCO BUSINESS REVIEW | 2021 • ISSUE 3

