Inspection

A person in the appropriate clothes lowers our defenses, so we think we understand who they are and their intentions. This is what’s happening with Business Email Compromise – targeted emails trick employees into trusting cybercriminals.

Working our sense of trust

A partner and I bought a retail business in Central Massachusetts several years ago. Our bid was accepted over that of a nephew of the person selling the business. But the relative did not go quietly. He was a volunteer firefighter. Within a week of our taking over the space, we were visited by a firefighter in a firefighting suit who said that because the business had changed hands he needed to inspect the location for safety violations. He walked around and pointed out problems with extension cords, wiring, circuits, fixtures and junction boxes and left us with a notice saying that if we did not have his substantial violations corrected within 30 days the doors would be padlocked. We panicked.

The firefighter’s uniform, a sign of trust, was exploited to intimidate us. This mirrors what happens with Business Email Compromise (BEC). Just as the firefighter used a symbol of trust to gain access, BEC attackers use trusted-looking email communication to infiltrate your organization and steal funds.

Stealth makes the difference

According to research from Bryley partner Barracuda, 10.6% of social engineering attacks are classified as BEC. But BEC’s impact is disproportionately high, because BEC attacks operate with a kind of stealth and precision that sets them apart. Unlike widespread phishing scams that cast a broad net, BEC attackers research their targets and patiently wait for the moment to strike.

These attackers invest time in learning a company’s internal structure, communication style and financial processes. They often get control of management-level email accounts so that their requests appear to come directly from a trusted authority figure. Their emails are designed to exploit employees’ desire to please their bosses or to avoid negative consequences. Demands for urgent action, like ‘I need this information now’ or ‘this payment has to go out today’, turn a sense of urgency against the employee.

BEC attacks are calculated to be very hard to detect. They are meant to blend seamlessly into everyday communication, making them almost indistinguishable from legitimate requests. By the time the actual theft is discovered, the funds have already been transferred or the sensitive data has already been stolen.

(Figure: FBI, 2023, p21)

In its most recent report (2023), the FBI shows BEC to be among the most devastating cybercrimes, nearly topping the list in financial losses.

Why small- to medium-sized businesses are especially susceptible

The cost of a successful BEC attack can be devastating for small- to medium-sized businesses (SMBs). SMBs usually lack the security resources of larger corporations, making them more vulnerable. Limited cybersecurity budgets, fewer personnel dedicated to security, a lack of comprehensive training and fewer layers of defense against social engineering create vulnerabilities that BEC attackers exploit.

Business Email Compromise can mean:

  • Lost money: Attackers trick your employees into sending them money through fake invoices or urgent payment requests that seem to come from you or a usual vendor. This can drain your bank account.
  • Client backlash: If customers find out you were scammed and their information was stolen (names, credit cards, etc.), they can stop trusting you and go to a competitor. Now word travels faster than ever, making it harder to get new clients.
  • Unable to fill customer orders: Dealing with the fallout from a BEC attack takes time – figuring out what happened, trying to get back lost information and fixing your security so it doesn’t happen again. This takes you and your employees away from doing actual work, costing you time and money.

What to do before it’s too late

  • AI email protection: Use an email system that integrates machine learning so that it learns the normal internal and outward-facing communication patterns of your organization, delivers emails that conform to those patterns and flags emails that deviate from them. (For example, it can catch a change to a vendor’s bank routing number and hold it for human review.)
  • Employee training: Equip your team to know the signs of BEC attacks. Training should emphasize the importance of verifying requests and questioning anything unusual. Simulate realistic scenarios so people become accustomed to spotting suspicious signs and comfortable with the idea of questioning a request.
  • Set clear policies: Create documented procedures for wire transfers, invoice approvals and sensitive data requests. For instance, any change to payment details or any unusual transfer request should require a second set of eyes to confirm that it is legitimate.
  • Multi-factor authentication: Secure all critical accounts with multi-factor authentication, which adds a layer a criminal would have to surmount even after obtaining a password.
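The first and third points above (flag emails that deviate from normal patterns, and require a second approver for any payment-detail change) can be sketched as a small triage rule set. The following is an added example written for this page; it is not Bryley’s or Barracuda’s product logic. The internal domain, executive mailboxes, known vendor domain and all four sample messages are constructed for illustration, and the keyword lists are deliberately simple heuristics, not a full detection model.

```python
"""BEC triage sketch: score inbound finance-related mail and route anything that
changes payment details to a second approver. Added example with constructed data."""
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed assumptions for the example organisation.
INTERNAL_DOMAIN = "example-company.com"
EXECUTIVE_ACCOUNTS = {"ceo@example-company.com", "cfo@example-company.com"}
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}

# Urgency phrases of the kind quoted in the article ("now", "today", ...).
URGENCY = [r"\bnow\b", r"\btoday\b", r"\bimmediately\b", r"\burgent\b", r"\basap\b"]
# Wording that indicates a payment or bank-detail change (policy trigger).
PAYMENT_CHANGE = [
    r"routing number", r"account number", r"new bank",
    r"\b(bank|banking|payment) (details|information)\b", r"wire transfer",
]


@dataclass
class Email:
    msg_id: str
    from_header: str
    reply_to: str   # empty string when the header is absent
    subject: str
    body: str


def domain_of(header: str) -> str:
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(header)[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def triage(msg: Email) -> dict:
    """Return {'action': ..., 'reasons': [...]} for one message."""
    reasons = []
    from_addr = parseaddr(msg.from_header)[1].lower()
    from_dom = domain_of(msg.from_header)
    reply_dom = domain_of(msg.reply_to) if msg.reply_to else from_dom
    text = f"{msg.subject}\n{msg.body}".lower()

    # Header checks: replies silently redirected elsewhere, or a sender domain
    # that is neither ours nor a vendor we already pay (e.g. a lookalike).
    if reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if from_dom != INTERNAL_DOMAIN and from_dom not in KNOWN_VENDOR_DOMAINS:
        reasons.append(f"sender domain {from_dom} is not internal or a known vendor")

    # Content checks.
    if any(re.search(p, text) for p in URGENCY):
        reasons.append("urgency language")
    payment_change = any(re.search(p, text) for p in PAYMENT_CHANGE)
    if payment_change:
        reasons.append("requests a payment or bank-detail change")
        if from_addr in EXECUTIVE_ACCOUNTS:
            # A genuine executive mailbox may itself be compromised; confirm out of band.
            reasons.append("payment request from a management account; verify by phone")

    # Policy: every payment-detail change gets a second approver, whoever sent it.
    # Otherwise two or more independent signals are enough to hold for review.
    if payment_change:
        action = "hold_for_second_approver"
    elif len(reasons) >= 2:
        action = "flag_for_review"
    else:
        action = "deliver"
    return {"action": action, "reasons": reasons}


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    Email("lookalike-cfo", "CFO <cfo@example-cornpany.com>", "", "Wire needed",
          "I need this wire transfer to go out today. Use the new bank routing number below."),
    Email("vendor-invoice", "billing@acme-supplies.example", "", "March invoice",
          "Attached is invoice 1042 for March, payable under our usual terms."),
    Email("reply-to-mismatch", "ceo@example-company.com", "ceo.personal@webmail.example",
          "Quick favour", "Are you at your desk? Need you to handle something now."),
    Email("genuine-exec-bank-change", "ceo@example-company.com", "", "Vendor update",
          "Please update the vendor's banking details to the attached and pay the invoice."),
]


def triage_all(messages=SAMPLE_MESSAGES) -> dict:
    """Triage every message and key the results by message id."""
    return {m.msg_id: triage(m) for m in messages}


if __name__ == "__main__":
    for msg_id, result in triage_all().items():
        print(f"{msg_id}: {result['action']}")
        for r in result["reasons"]:
            print(f"    - {r}")
```

Two design choices matter more than the keyword lists. First, the "second approver" routing is driven by the request itself (a change to payment details), not by how suspicious the sender looks, so the genuine-looking message from the real CEO mailbox is held just as the lookalike one is; that is what "a second set of eyes" means in practice. Second, the reply-to and sender-domain checks are independent of the wording, which keeps a plainly worded message from an unexpected domain from slipping through on tone alone.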

The 10.6% bottom line

10.6% might seem small, but it represents the single most expensive cybercrime facing small- to medium-sized businesses. Don’t let a BEC attack empty your accounts. AI-based email protection, employee training, good policies and multi-factor authentication go a long way toward protecting a business from these threats.

Bryley is here to advise you – since 1987 Bryley has helped organizations best deal with cyber-threats like BEC. To speak to Roy Pacitto about defending against Business Email Compromise, please complete the form (below) or schedule a 15-minute, no-obligation call. Or you can email Roy at RPacitto@Bryley.com or reach him by phone at 978.562.6077 x217.

Connect with a Bryley IT expert about Business Email Compromise