Key Takeaways
- BEC is the leading cause of payments fraud, which affected more than 80% of companies last year.
- Fraudsters may use malware to infiltrate a company’s email system and access key information that will lend legitimacy to their scam.
- A combination of technology and education is your best bet to keep from becoming a victim of BEC and to keep cyber criminals at bay.
Fraudsters are using increasingly sophisticated strategies to scam companies via email. Here's how you can protect against this dangerous—and pervasive—threat.
At first glance, the email from a company in the venture capital firm’s portfolio looked routine: The firm, a Silicon Valley Bank client, received a new set of wire instructions from the portfolio company for new funding installments. But as a result of attentive employees and internal fraud training at the venture capital firm, the email was identified as a scam. "Let's not sugarcoat it: it was very scary," says one of the firm’s executives.
The fast action by well-trained employees helped this firm avert one of the most common cybersecurity threats faced by companies today: business email compromise, or BEC. These schemes leverage the weaknesses of email to gain access to sensitive information and, often, to misappropriate funds. It's one of many growing cybersecurity threats that routinely cost businesses of all sizes millions of dollars.
In 2019, BEC accounted for nearly half of the $3.5 billion in reported cybercrime losses. And roughly 80% of the fraud losses reported by Silicon Valley Bank clients in 2019 were due to BEC attacks. Nationally, BEC losses likely will rise as fraud attempts increase: In 2019, 60% of companies were victims of cyberattacks, up from 45% the previous year, according to a report from Hiscox, a global specialist insurer.1
"Small businesses may not have the scale or expertise to focus on protecting themselves from bad actors, and losses can be significant enough to bankrupt an organization or destroy their reputation with investors and creditors," says Rob Zerby, Deputy Bank Secrecy Act Officer for Silicon Valley Bank. "Unfortunately, many people think their organization won't be a victim—until it is."
How BEC works
BEC is the leading cause of payments fraud, which affected more than 80% of companies last year.2 The reason it's such a common method of attack? "It's easy to conduct and the potential yields are high," says Zerby.
BEC fraud is based on a relatively simple premise: An email designed to look like it comes from a legitimate source—say, a firm’s executive, a key client or a creditor—is sent to an employee on a company’s payment team. The email often asks for an urgent payment to be made, or requests money be sent to a different bank account. The execution of these attacks can be highly sophisticated, however. Fraudsters may use malware to infiltrate a company’s email system and access key information that will lend legitimacy to their scam. For instance, they may wait to send their email during a billing cycle peak when payment teams are busy, or during an executive’s overseas trip to make it more difficult to verify the email with that executive. “Fraud is a confidence game,” says Zerby. “When someone has knowledge of your operations, they can ‘talk the talk,’ so to speak, to avoid raising red flags.”
These emails also typically ask the recipient for discretion, in hopes that the employee will avoid publicizing the request. The more scrutiny these emails receive, the more likely they’ll be identified as fraud attempts. Earlier this year, a Silicon Valley Bank client identified an attempted BEC scheme largely because someone asked for a second opinion. An employee who had recently joined the firm received a payment request claiming to be from a consultant. The company—a growing technology startup—often worked with consultants, so the email didn’t initially seem suspicious. However, the new employee was still getting familiar with the firm’s roster of consultants and discussed the email with the CEO, who correctly suspected fraud.
"I felt used and stupid not to notice," says the employee, who cancelled the wire request immediately. Later, the employee realized the mistakes they’d made: For starters, they hadn’t fully opened the email, relying only on the email program’s preview panel to read the message. A closer look at the email address also revealed signs that it was a scam, the employee admits. The employee didn’t divulge details, but the FBI suggests carefully reviewing emails for tell-tale signs such as misspelled names, slightly altered email addresses or suspicious-looking URLs.
How to fight back
Careful scrutiny is one of several key strategies for identifying BEC attempts before they are successful. Indeed, a layered approach that also involves employee training, clear processes and specialized technology tools can help companies minimize these threats.
Technology is an important first line of defense against BEC and other cybersecurity threats. Zerby says companies don’t necessarily need technology designed specifically for BEC. Tools such as web filters, anti-malware programs and endpoint detection and response (EDR) can help identify phishing attacks and alert companies when malicious attachments or URLs are opened. Meanwhile, simple digital security measures can help. For instance, a company’s email program can be set up to flag emails whose Reply-To address differs from the From address, a common indicator of fraud: the fraudster wants any reply routed to an account they control rather than to the person being impersonated. Two-factor authentication on email accounts and other key programs should be used whenever possible to reduce the chance of intrusion by hackers. “The technology tools which are most important are the same ones that are important for other reasons, namely information security,” says Zerby.
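The Reply-To check described above, together with the FBI's "slightly altered email address" warning sign from earlier in the article, can be implemented as a header-only screen on incoming messages. The following is an added example written for this page, not code from Silicon Valley Bank or from any email product; it uses only Python's standard library. The trusted-domain list, the sample messages and the one-character-edit threshold are assumptions chosen for illustration.

```python
"""Flag Business Email Compromise (BEC) indicators in raw RFC 5322 messages.

All checks read headers only; no body or attachment is opened:
  1. Reply-To domain differs from the From domain (replies hijacked).
  2. From domain is a lookalike of a trusted partner domain: a one-character
     edit, a different TLD, or the trusted name used as a subdomain.
  3. Display name contains a trusted address the real sender does not carry.
"""
from email import message_from_bytes
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical allow-list of domains this finance team pays regularly (assumption).
TRUSTED_DOMAINS = {"acme-portfolio.com", "consultingfirm.io"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short domain names, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        same_label = domain.split(".")[0] == trusted.split(".")[0]   # acme-portfolio.co, acme-portfolio.com.evil.net
        if same_label or _edit_distance(domain, trusted) <= 1:       # acme-portfollo.com
            return trusted
    return None


def bec_indicators(raw: bytes) -> List[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_bytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []

    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"From domain {from_dom} looks like trusted domain {imitated}")

    # A display name such as "ceo@acme-portfolio.com" in front of a free-mail address.
    if "@" in from_name:
        _, name_addr = parseaddr(from_name)
        if _domain(name_addr) in TRUSTED_DOMAINS and from_dom not in TRUSTED_DOMAINS:
            findings.append(f"display name claims {name_addr} but sender is {from_addr}")
    return findings


# Constructed sample messages (not real traffic) exercising each check.
SUSPICIOUS_MSG = (
    b"From: Jane CEO <jane@acme-portfollo.com>\r\n"
    b"Reply-To: jane.ceo@mail-fast.net\r\n"
    b"Subject: Urgent: updated wire instructions\r\n\r\n"
    b"Please use the new account for this month's installment. Keep this confidential.\r\n"
)
SPOOFED_NAME_MSG = (
    b'From: "jane@acme-portfolio.com" <attacker@gmail.com>\r\n'
    b"Subject: Invoice\r\n\r\nSee attached.\r\n"
)
CLEAN_MSG = (
    b"From: Jane CEO <jane@acme-portfolio.com>\r\n"
    b"Subject: Board deck\r\n\r\nDraft attached for review.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("spoofed-name", SPOOFED_NAME_MSG), ("clean", CLEAN_MSG)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

A screen like this is a triage aid, not a verdict: a legitimate vendor can have a Reply-To on a ticketing domain, and a fraudster who has compromised the real mailbox will pass every header check, which is why the callback-to-a-known-number procedure in the next section still matters.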
Beyond technology tools, companies can minimize the threat of BEC by rethinking their internal procedures. For instance, companies may mandate that all new payment requests, changes to payment terms and high-dollar payments need to be approved or verified by multiple people. That can be as simple as following up on an email request with a phone call to a number already on file—even if a new one is provided in the email. Or the process of authorizing a larger payment may require two executives to sign off on the change rather than just one. The key, says Zerby, is to involve more people in the process in hopes of rooting out suspicious activity. “Create an environment in which employees feel comfortable speaking up if something doesn’t look right,” he adds.
Human error is a key reason why BEC fraud attempts succeed. That’s why many companies devote resources to training their personnel in identifying fraudulent emails and other digital communications. Last year, a Silicon Valley Bank client launched a creative training initiative: The firm’s IT team created suspicious emails with malicious links designed to steal personal information. The email was sent to every employee and the team tracked who clicked on the link—and who took the next step and entered personal data. Roughly 60% correctly flagged the mail as fraud. Employees were privately informed of their results and underwent additional cybersecurity training. Four months later, the test was repeated. This time, 86% of employees identified the fraud. “Beyond data security, employee training is the most important thing you can do,” says Zerby.
Lean on partners
A combination of technology and education is your best bet to keep from becoming a victim of BEC and to keep cyber criminals at bay. Even with the best tech tools, a team of well-educated employees and the careful deployment of well-thought-out procedures, BEC attacks and other cybersecurity intrusions can still occur. That’s why Silicon Valley Bank refers clients to Vouch, an insurance provider that offers cybersecurity policies. "Particularly with the current economic turmoil and teams hastily moving to remote work, we're seeing a rise in these attacks," says Travis Hedge, CEO of Vouch. Cybersecurity coverage is the final layer of protection when the worst-case scenario becomes a reality. (Learn more about Vouch’s range of business policies.)
Trusted partners also can be an invaluable asset as companies build a coordinated cybersecurity defense. For example, Silicon Valley Bank frequently works with its clients on fraud prevention issues, providing education on how cyberthreats are evolving and what solutions are available to help businesses better protect themselves. The Fraud Prevention section of SVB.com offers a deep well of articles and other resources to assist clients in their fight against cyber intrusion. Clients also can take advantage of specialized offerings such as business insurance from Vouch that includes cybersecurity coverage in case hackers and fraudsters breach the company’s defenses.
In a perfect world, those sorts of breaches and intrusions would never succeed. But as cybercrime techniques continue to evolve, it would be wise to follow Zerby's advice: "Never assume you're safe, and don't let anyone else assume it either."
1 Hiscox, “Hiscox Cyber Readiness Report,” 2019.
2 Association for Financial Professionals, “2020 Payments Fraud and Control Survey.”