Blog & Tools

Seven tips to help protect your business from email scams

Email Scam Warning from the FBI

Scammers trying to cheat businesses by email can be accommodating. They like wire payments, but some will accept checks.

“The fraudsters will use the method most commonly associated with their victim’s normal business practices,” according to a warning from the FBI.

Business email scams were among the subjects covered briefly by law enforcement and technology experts at a recent presentation for business representatives in the Sioux Falls area. Sponsors of the free event, which was hosted by the Better Business Bureau, included SDN Communications.

SDN serves business and institutional clients, which makes the practice of fraudulent emails directed at companies a threat worth additional exploration.

The FBI tracks such scams in a category called Business Email Compromise. In the 18 months immediately after January 2015 BEC scams cost more than 21,100 domestic and international victims approximately $3.1 billion. More than 14,000 of the victims were from the United States.

Email fraud often targets companies with foreign suppliers or businesses that use wire transfers. Victims have ranged from small businesses to large corporations.

Scams typically are carried out by compromising legitimate email accounts through social engineering or network intrusion.

Based on complaints to the online Internet Crime Complaint Center, or IC3, scams primarily are carried out in five ways:

  1. Fraudulent requests for information are sent to offices such as human resources using the compromised account of an executive.
  2. A business is asked by phone, fax or email to send an invoice payment to an alternative address.
  3. A top executive’s email account is spoofed (imitated) or hacked, and a request for wire payment is sent to another executive.
  4. An employee’s personal email is hacked and used for fraudulent communications and information requests.
  5. Fraudsters represent themselves in phone calls or email communications as lawyers or other legal representatives who are working on a time-sensitive matter and need information.

Businesses that deploy robust internal protection techniques at all levels, and especially with front-line employees, have been highly successful in recognizing and deflecting BEC, according to an FBI statement.

The FBI has published a series of suggestions to help businesses protect themselves from BEC scams. I’ve summarized seven of them:

  1. Avoid free, web-based email accounts. Establish a company domain name and use it for business emails.
  2. Be careful about posting information on social media and company websites.
  3. Be suspicious of requests for secrecy or pressure to act quickly.
  4. Consider additional IT and financial security procedures, including a two-step verification process. Verify online transactions with a phone call or some other means of communication, for example. Also, require a digital signature on both sides of a financial transaction.
  5. Delete spam. Report and delete unsolicited email from unknown parties.
  6. Do not use the “reply” option to respond to business email. Instead, use the “forward” option. But check and type in the intended recipient’s address yourself.
  7. Consider two-step authentication – a password and dynamic PIN code, for example - for corporate email accounts.

Some businesses don’t like to acknowledge that they’ve been scammed. They fear it might hurt their reputation. However, companies that have been victimized are encouraged to file complaints with the IC3.

The IC3 is an FBI site that accepts complaints about Internet crime from victims and third parties. Filed information is analyzed and disseminated for law enforcement and public awareness, according to the FBI.

Anyone who believes they’ve been the victim of an Internet crime may file a report. People also may file if they believe another person has been a victim. Information such as the victim’s name and contact information is required.

Companies such as SDN can help companies improve their cybersecurity protections on the front end.