Email is great... until it isn't.
One of the harsh realities of doing modern business is the reliance on email. It’s pretty convenient. We can easily send attachments in-line for context. Copying, and blind copying, make getting others in the loop relatively easy. It usually just works the way we need it to, but…(cue Jaws music) bad things happen there. Every. Single. Day.
Business emails are frequent targets of the nefarious, who want into your email because of the profit they can pull from your inbox. As an accountant or bookkeeper, you are in a particularly vulnerable position, as you need to protect your business - and the businesses of your clients!
In this blog, we’ll be focusing on one specific type of email attack called Business Email Compromise (BEC), sometimes referred to as Email Account Compromise (EAC). We’ll be referring to them in this blog as BECs for simplicity’s sake.
For three straight years, BEC has been the costliest cybercrime category tracked by the FBI: in 2021 alone, 19,369 complaints were filed with an adjusted loss of $1.8 billion (with a ‘b’). Experts agree that nearly 65% of all businesses have faced a BEC attack, and one recent study shows that nearly one-fifth of all spurious attempts succeeded. We’re now looking at a “not if, but when” scenario.
How do these BECs work?
For BECs to work, a level of trust between the scammer and the target has to be established. In most cases, the target will receive an email from what looks to be a regular vendor. That will usually come from a “new/updated” email address. This is the most common avenue we see in the accounting and bookkeeping space.
Sometimes this will happen with a spoofed or lookalike email address. This is when an email you expect to come from email@example.com actually comes from firstname.lastname@example.org. One small ‘r’ is missing, but unless you’re really looking at that address, you might miss it.
Once that trust is built, the BEC attack begins. Up to this point, we have been in a “grooming” phase where trust is established. Now that trust is there, the transaction request is presented. The attacker will usually send a wire request, or be bold enough to simply send an invoice to be paid online. If the victim pays, real financial damage is done.
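As an added example (not part of the original post), here is a small Python check in the spirit of the “one small ‘r’ is missing” lookalike described above: it compares the domain in a From: header against a constructed list of vendor domains the firm already trusts and flags near-misses by edit distance. The domain list and the distance threshold are assumptions for the example.

```python
from email.utils import parseaddr

# Constructed list of vendor domains this firm already does business with
# (an assumption for the example; a real firm would load its own list).
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character inserts, deletes or
    substitutions needed to turn a into b. A dropped 'r' is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Pull the domain out of a From: header such as 'Acme AP <ap@example.com>'."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a From: header.

    A lookalike is a domain that is not on the trusted list but is within
    max_distance edits of one; those deserve a phone call before any payment."""
    domain = sender_domain(header_value)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    for known in sorted(trusted):
        if levenshtein(domain, known) <= max_distance:
            return f"lookalike of {known}"
    return "unknown"


if __name__ == "__main__":
    for hdr in ("Acme AP <ap@acme-supplies.com>",
                "Acme AP <ap@acme-supplies.co>",     # constructed: one letter dropped
                "billing@exmple.com",                # constructed: missing 'a'
                "newsletter@totally-unrelated.org"):
        print(f"{hdr:40} -> {classify_sender(hdr)}")
```

A match on the trusted list only proves the domain is spelled right; a genuinely compromised vendor mailbox passes this check, which is why the “call the company directly” step later in the post still applies to any new payment instructions.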
Some scammers will use more knavish means like spearphishing (yes, that’s phishing with a ‘p’) or malware to get your financial data. Spearphishing aims to get confidential information that will allow the bad actors to see important company information like bank account numbers, transactions, calendars, etc.
In some cases, these people will intentionally target leaders at the top of an organization; this is called a “whaling attack.” Top execs are the biggest “fish” in the pond, though I have to admit (grabs soapbox) I am bothered by this nomenclature. Whales aren’t fish. They’re aquatic mammals (kicks soapbox aside).
So how do you protect yourself, your employees, and your business from being one of the 60% of those who suffer an attack and go out of business within a year?
Simple. Don’t get attacked by BECs.
First things first. Just don’t get attacked. Easier said than done, right? Like most things, the more you know, the better off you are.
How can you avoid BEC attacks?
The most important way to avoid BEC attacks is to know what to look for.
1. Learn how to detect where email links go before you click on them.
Be keen on email addresses - discerning, perceptive, observant, and razor sharp.
Here is the best way to know where a link in an email would send you if you were to click it. Simply hover over the link without clicking. Why? When you do this, look down in the bottom left corner of the screen. You’ll see a preview of the real address you’re about to be sent to, which is not always the address the link text shows. If it doesn’t look familiar or seems at all off-base, don’t click through.
2. Be aware of misspellings in email.
If something in an email is misspelled, consider it a red flag. It’s a little thing, but most reputable companies are going to have protective measures to not look dumb. It’s in they’re best interest (see what I did there???).
3. Implement security procedures.
It’s also important to have good security systems in place. Firewalls, antivirus, antimalware, etc. can all help, but they fall second to good intuition and knowledge on how these unsavory types work.
4. Always use two-factor or multi-factor authentication.
Set up two-factor (or even better, multi-factor) authentication. Sure, it adds to the hurdle that is logging into accounts, but holy-moly is it worth it, and it has become increasingly easy to do with tools like Google Authenticator or Microsoft's Authenticator on your mobile.
5. Be cautious of what you share on social media.
It may seem silly, but be SUPER careful about what you share on social media. Pet names. Schools you attended. Family members. Your birthday. This info could be all someone needs to crack into your email and start messing your life up big time.
6. Contact the company directly.
If you think an email may be legit but have any concerns or see any red flags, call the company directly. If you already have a working relationship with someone at the business that is requesting money, reach out to that person to verify the request. Not only are you protecting your business assets, but you are also furthering that rapport, which we all know is invaluable in business.
7. Train your staff to be on the lookout.
Accountants and bookkeepers deal with super-sensitive information daily. Staying safe in email has to be top-of-mind for everyone in your firm. Train your staff on all of the ways to avoid BEC attacks.
Here is what it all comes down to. If it looks “sus” (which is teenager-speak for suspicious), don’t open it. Don’t click it. Don’t even look at it. Flush it down the digital toilet and move on.
How can you add automatic security to your accounting firm?
Take client email completely out of the equation. First, email is a bad customer experience. Next, the process of email management comes with terrible costs, ranging from the risk of losing money to losing valuable time in your day.
With the right partner, email security can become inherent to who you are and what you do. You know, the way it should be. Together, we can make it harder for these bad actors to get what they want, but it takes us all.