Cyber Focus: The Man-in-the-Email, or Business Email Compromise 

By Sarah Dimock 

Thank goodness for the internet. The COVID-19 pandemic is like nothing we’ve seen in recent history, but there is one major difference between us and our medieval ancestors: internet access. Even though the best thing we can do right now is to practice safe social distancing and stay at home, thanks to the internet we don’t have to be alone.  

It’s a time of video chats and online games. You may even have reconnected with friends you haven’t spoken to in a long time. The internet is allowing many of us to continue working from home at a time when that many more jobs would’ve been compromised without it. 

But beyond the threat of the coronavirus, this is also a dangerous time for internet users. Malicious black hats are attempting to take advantage of all the extra users online. Capitol wants everybody out there to stay safe and, in that spirit, let’s talk about a type of attack currently on the rise: business email compromise.  

What the BEC is business email compromise? Well if you’ve ever received an email from a Nigerian Prince asking you for money, you’ve got some idea. Business email compromise, or BEC, is a type of phishing scam where a hacker infiltrates a business to send you email correspondence. While you can clearly tell that a Prince from Nigeria is not to be trusted, it’s much harder to identify the man-in-the-email when it looks like it comes from a business you know. You may be getting an email from a business that you trust sent by “the owner” of that business asking you to please help them out with some money during these trying times. It could even be from the business you work for. 

You should NEVER send money or personal/confidential information to anyone that you are unable to verify is who they say they are.  

BEC scammers are usually the type to do their homework on a business before initiating an attack. According to the Digital Guardian, “An attacker will sift through publicly available information about your company from your website, press releases, and even social media posts. He/she might look for the names and official titles of company executives, your corporate hierarchy, and even travel plans from email auto-replies.” 

“The attacker will then try to gain access to an executive's e-mail account. To remain undetected, he/she might use inbox rules or change the reply-to address so that when the scam is executed, the executive will not be alerted.” 

These scammers may send you an invoice for a service that was similar to one that you previously obtained. It might be from “a lawyer,” a powerful CFO, or even your boss. No matter how convincing the email looks or how it pressures you to send them money or personal/confidential information immediately, practice due diligence.  

Ask yourself: would your boss already know or have access to that information? Would the CFO or executive normally come directly to you for that information? Does the email look exactly like the one you are used to seeing or does it have an extra number or symbol on the end? 

BEC attackers can be especially convincing, and with so many of us working through email correspondence, let’s be aware that they’re out there and do our best to avoid these scams. 

To learn more about business email compromise and what businesses can do to protect themselves and their employees from BEC attacks, we hope you might consider tuning in to our webinar series CapTech Talks. On April 21st Dr. Nikki Robinson, cybersecurity and vulnerability management expert, will be giving a talk about business email compromise. Our talks are totally free and we’ll be providing attendees with actionable items to protect themselves from BEC attacks. Click here to learn more and sign up to attend!