Business Email Scams in the Year of the Pandemic
In 2020, the COVID-19 pandemic impacted not only businesses but also the cybercriminals who stole from them. Find out how business closings, working from home, and other pandemic-induced trends affected business email compromise (BEC) scams.
Suppose you are a contestant on the game show “Jeopardy!” and you are one question away from winning it all. Your clue is “In 2020, businesses lost the most money from this type of cybercrime.”
If you responded “What is ransomware?” or “What is a data breach?” you would be going home with only a consolation prize. Companies lost the most money from business email compromise (BEC) scams, according to the US Federal Bureau of Investigation’s (FBI’s) Internet Crime Complaint Center (IC3).
2020 BEC Scams by the Numbers
In BEC attacks, cybercriminals pose as company executives, supplier reps, lawyers, and other business professionals to con organizations into sending them wire transfers and sensitive data (e.g., bank account numbers, gift card numbers). Despite the pandemonium from the coronavirus pandemic , BEC scammers stole an unprecedented $1.9 billion from their victims, according to IC3’s “2020 Internet Crime Report“.
This all-time high is continuing a troubling trend. As the graph below shows, the losses from BEC scams keep increasing year over year.
While the losses grew, the number of reported BEC scams fell 18.5%, according to the IC3 report. A total of 19,369 businesses became victims in 2020 compared to 23,775 the previous year. Although having such a large drop in numbers is unusual, it is not surprising given the Coronavirus Disease 2019 (COVID-19) pandemic. The pandemic forced many businesses to temporarily or permanently shut their doors. Fewer companies meant fewer targets for BEC scammers.
However, some BEC scammers took advantage of developments that emerged due to the pandemic, as the following example shows.
BEC Scammers Preyed on Employees Who Worked from Home
When governments started issuing shutdown orders to slow the spread of the coronavirus in 2020, many businesses let their employees work from home. The use of web-based email apps increased as a result, and cybercriminals began taking advantage of this increased usage. They created auto-forwarding rules on remote employees’ web-based email apps to conduct reconnaissance and to conceal their nefarious activities, according to the FBI.
Here is how it worked: After the BEC scammers obtained the credentials (email address and password) for a remote worker’s email account, they created rules in the employee’s web-based app. They used these rules to automatically forward certain emails to external accounts. For example, in one case, the cybercriminals created a rule that automatically forwarded any emails containing the terms “bank”, “payment”, “invoice”, “wire”, or “check” to their external email account so they could learn about the company’s financial systems and processes.
Because the company’s IT administrators were not actively syncing the web-based and desktop email apps, the new auto-forwarding rules appeared only in the web-based app. As a result, the rules went unnoticed by administrators, which gave the cybercriminals the time they needed to conduct reconnaissance.
The Number of BEC Scams Expected to Start Rising Again
The number of BEC scams is expected to start rising again, so it is important for companies to not let their guard down. To prevent your company from becoming the next BEC victim, you should consider taking the following actions:
- Implement measures to protect your company’s email accounts from being compromised, such as setting up two-factor authentication and using a password manager so that employees create strong, unique passwords for their accounts.
- Do not allow the use of legacy email protocols (e.g., POP, IMAP, SMTP), as cybercriminals can use them to sidestep two-factor authentication.
- Block the ability to automatically forward emails to external addresses to prevent cybercriminals from forwarding business emails to their own accounts.
- Make sure your web-based and desktop email apps are updated and running the same version to allow syncing between them.
- Educate employees about BEC scams so they know what to look for.
- Review your company’s website to make sure it does not include information (e.g., email addresses, job descriptions) that scammers could use to carry out a BEC attack.
There are many more actions that your company can take to protect against BEC scams based on your email software and IT infrastructure. For example, if you have a dedicated email server, you can monitor it for new custom rules and configuration changes made to specific accounts. We can evaluate your email system and go over your options.