A: Ransomware concerns us all. Yet, “business email compromise” (BEC) attacks represent a bigger, less publicized threat to small firms.
You’re right about the headlines. Ransomware attacks on schools, hospitals, utilities, and governmental agencies generate a stream of scary stories. Those headlines may motivate us to pay extra attention to our file backups, antivirus protection, and other cyber defenses. That is all good.
But where is the real danger coming from? Let’s compare losses—measured in actual dollar amounts—that resulted from BEC versus ransomware in the last three years:
BEC: $1,867 million
Ransomware: $29 million
BEC: $2,396 million
Ransomware: $49 million
BEC: $2,742 million
Ransomware: $34 million
These statistics (from the Federal Bureau of Investigation Internet Crime Support 2022) show that BEC losses are roughly 50 times higher than ransomware losses. Clearly, ransomware damages are tiny in comparison to BEC, a growing profit center for cybercriminals.
How Does Business Email Compromise Work?
BEC works by deceiving you, someone in your office, or your client into believing that a counterfeit email is an actual business email. The counterfeit email can trick the recipient into sending a wire transfer, making a purchase, paying an invoice—the number of subterfuges keeps growing.
The email counterfeiting methods used by thieves range from basic to highly sophisticated:
- Sending an email from an email address with a subtle misspelling, such as substituting the number 1 or an uppercase “i” for the lowercase version of the letter “L.”
- Tricking people into revealing their email address and mailbox password and then taking over their email account, using it to send emails from the real account.
- Penetrating a local network through classic phishing techniques so that the intruder can take over email accounts.
- Using social engineering pretext stories on the phone to finagle access to a user’s email account.
- Bribing an employee of a mobile phone company to gain access to an executive’s phone, then using it to send fraudulent emails from the real account.
While the losses to BEC are in the billions, don’t think that only big companies are targets. The median loss last year was about $50,000. While that amount won’t necessarily put you out of business, it is big enough to hurt a lot. The feeling of being seriously ripped off is not one that tends to disappear even years later.
Sadly, antimalware services and security awareness training have not stemmed the rise of BEC. These are porous defenses. A subgenre of cybersecurity services has appeared to protect your firm’s email accounts. Examples include:
- Ironscales: $6 to $8.33 per mailbox per month, minimums may apply.
- Avanan: for enterprises and managed service providers, prices starting at $4.30 to $7.20 per user per month, minimum user count may apply.
- CrimeBlocker: $5 per month or less per machine for small businesses and professionals, no minimum user count. (Disclosure: CrimeBlocker is a product of SecureMyFirm, of which I am CEO.)
Some services require an involved setup process, establishing connections through an email gateway. Minimum mailbox counts can also be an obstacle to small firms. Be sure to ask a lot of questions when evaluating various services.