Don't close this tab! I know there are few combinations of words less interesting than business, email, and compromise. I may as well have written an article about fiber, socks, and responsibility. But this isn't a boring article; it's an article about email con artists who, according to the FBI, are pulling in $26 billion a year by scamming people.
So yeah, business email compromise (BEC) scams are a big deal. The con artists behind this criminal enterprise will cold-email you, pretending to be someone you work with, in order to gain access to money or information. You might get an email that appears to be from your company's CEO asking you to quickly do something like buy gift cards, or you might get an email that looks like it's from an employee at your company asking you to change their direct deposit information. The scam itself can take a lot of forms, but the end goal is to somehow siphon money away from you or the business you work for.
It's worth it for anyone with a desk job to take a few moments to learn how to spot these emails. I talked with a few experts, and they passed along some helpful advice.
Always Question Urgency
When I asked two cybersecurity experts about BEC fraud, I expected them to lead with technical advice. Both started with emotions. This makes sense: While such fraud happens on computers, it is at its heart about psychological manipulation. So spotting an email compromise scam requires getting in touch with how you're feeling.
"If an email elicits an emotional response, take a step back and reread it when you're more calm," says Ronnie Tokazowski, a security researcher who has been working to educate people about email scams for over a decade. Tokazowski emphasizes how important creating a false sense of urgency is to such scams. The stress the scam induces is what keeps you from questioning the premise. "People who get pulled into these types of scams … their emotions get very deregulated," he says. That makes you less capable of thinking critically, which is a key part of how such scams work.
Selena Larson, a threat researcher at cybersecurity firm Proofpoint, went a step further. "I don't know if you can print this, but honestly: Just breathe," she says. "Slow down, take a deep breath. That actually helps you think more clearly and rationally. Walk away from your computer or your phone and think critically. Would this be an email that someone would send me? Is this is a logical thing that I'm being asked to do?"
You should be particularly skeptical if the person sending the email asks you to keep something quiet.
"Scammers do things like isolate you from your peers," says Larson. "They come at you from a position of authority and say things like, 'Please keep this confidential and only between us.' This type of social engineering makes it so people feel like they have to take an action with some kind of urgency, and that you can't share it with anybody."
So this is the first step: Take control of your emotions. Yes, it can be difficult if you work in a demanding field. But it's your best first defense, and your employer will thank you for it (or, at least, they should).
Always Confirm Through a Second Channel
Now that you're skeptically questioning the legitimacy of the urgent request, check to make sure the email is coming from the person it claims to be from. The best way to do this is to ask—just be careful.
"If you received an email like this, it's important to pick up the phone and call the number you know to be legitimate," says Larson, adding a caveat. "Do not rely on a phone number in the email itself—it will be owned by the threat actor."
This is a crucial point: Any contact information in the email itself is likely compromised, and sometimes cleverly so. Use the phone number you've already saved in your phone for the person in question, or look up the phone number on an official website or in an official company directory. This applies even if the number in the email looks correct, because some scammers will go through the trouble of getting a phone number that's similar to that of the person they're impersonating, all on the hopes that you'll call that number instead of the real one.
"I've seen phone numbers off two digits from the actual phone number," says Tokazowski.
Call the person who supposedly emailed you—using a number you are 100 percent sure is real—and confirm the request is authentic. You could also use some other secure communication channel like Slack or Microsoft Teams, or, if they're in the office, just ask them face to face. The point is to confirm any urgent request somewhere outside of the initial email. And even if the person is your boss or some other bigwig, do not worry about wasting their time.
"The person that is being impersonated would so much rather have someone take the time to confirm than to lose thousands or a million dollars in a malicious transaction," says Larson.
Check the Email Address
Getting in touch with the supposed sender isn't always an option. If not, there are a few tricks you can use to spot whether an email is real or fake. The first: check the email address and make sure it's from the company domain.
"Always check the domains that you're receiving emails from," says Larson. Sometimes this will be obvious; your CEO likely isn't emailing you from a Gmail account, for example. Sometimes it will be more subtle—fraudsters have been known to purchase domains that look similar to that of the company they're attempting to defraud, all in the hopes of appearing legitimate.
It's also worth checking to see if the email signature matches the address the email is coming from. “If you look in the footer, they'll use the actual domain of the company to make it look legitimate, but that won't match the email address,” says Larson. Just keep in mind that the difference might be subtle. “Look-alike domains are very common: Someone will do a slight variation, like an ‘l’ instead of an ‘i’, to make it look legitimate.” One way to test that, if you're suspicious, is to copy and paste the domain half of the address into a browser. If you don't get a website, you're probably dealing with a fake.
Another trick scammers will use is email spoofing, which you can spot by clicking reply and checking the email address that shows up in the "To" field. If it's a different email address than the one the email looks like it arrived from, you're likely dealing with a fake request.
Go Through the Proper Protocols
Now this is boring, but the best defense against business email compromise scams might be old-fashioned bureaucracy. If there is a process in place for things that are the common target of scams—large purchases, for example, or updating financial information in a database—then your company is less likely to fall victim to such scams.
“Most of the time, from a process perspective, that request of purchasing something would need to go through human resources, procurement,” says Tokazowski. If you get a request like this over email asking you to bypass the usual processes, be skeptical. “There needs to be a paper trail. Someone saying ‘Purchase this from your personal account’ is a process that just wouldn't happen.”
A healthy company probably shouldn't be using email as the workflow for important financial processes. If you want to change your direct deposit information, for example, it's terrible practice for the workflow.
Leaders: Keep Communication Open
I have one last piece of advice, and it's for leaders inside companies: Don't act in such a way that people will mistake scammers for you. If you regularly email employees and ask for urgent favors while telling people to keep quiet about these requests and to not work through the official channels, you're increasing the odds that your company falls victim to such scams. On the other hand, if you create a company culture of transparency, you're making the company stronger and more resistant.
“An important step is to ensure that you're trying to foster a culture of open communication,” says Tokazowski. Many organizations are structured in a way that communication between various levels is minimized. In such organizations, Tokazowski says, “skip-level meetings” are helpful. This is a style of meeting where a senior manager meets with a middle manager's direct reports without the middle manager there—skipping a level in the hierarchy—to develop stronger paths of communication between all the levels.
Another thing leaders should keep in mind is how important it is to talk openly if your company falls victim to such a scam.
“The shame that people feel, regardless of the type of scam, feeling horrible, is part of how these scams keep working,” says Larson. “Talking about it openly helps the person, their peers, and their colleagues learn how to understand how to protect themselves.”