A single form of email scam caused businesses to lose hundreds of millions of dollars over the course of the past 14 months.

It would not be much of an exaggeration to say that email is the lifeblood of the modern business. Employees in every industry now depend more heavily on email than any other communication channel – including the phone. Email is a key tool for maximizing productivity, efficiency and flexibility throughout the organization.

But that’s not all. Email also represents a serious economic threat to businesses – unless it’s combined with high-quality security and employee best practices.

A recent report from the Internet Crime Complaint Center (IC3) – a joint partnership between the Federal Bureau of Investigation and the National White Collar Crime Center – revealed that a single email scam caused businesses to lose hundreds of millions of dollars over the course of the past 14 months. This report highlights the potential economic danger of poor email cybersecurity, as well as the need for broader employee security awareness training to combat these threats.

An effective scam

The IC3 report focused on the business email compromise (BEC) scam. Also known as the man-in-the-email scam, BEC targets companies that work with foreign suppliers or regularly perform wire transfer payments. According to the IC3, there are three main versions of the BEC scam:

  1. Cybercriminals compromise a c-suite executive’s email account, then use this account to ask another employee for a wire transfer. The cybercriminal then instructs the financial institution to redirect those funds to his or her own account.
  2. The cybercriminal mimics a supplier and asks, via email, for the business to wire funds for an invoice payment to a fraudulent account.
  3. The cybercriminal infiltrates an employee’s personal email, then uses this account’s address book to ask multiple clients for invoice payments.

“Victims suffered losses totaling just shy of $215 million.”

In the past 14 months, the IC3 has fielded reports of BEC scams from 45 countries, as well as every stated within the U.S. The IC3 identified nearly 1,200 U.S. victims and more than 900 victims from outside the U.S. Altogether, these victims suffered losses totaling just shy of $215 million, all as a result of BEC email scams.

According to the FBI, it is all but certain that the number of victims and total costs associated with BEC scams will continue to grow in the coming months.

Defensive measures

As the IC3 report made clear, the BEC scam is effective for a number of reasons. The cybercriminals using this strategy combine hacking efforts with imitation to create a very convincing ruse. When automated cybersecurity measures fail, the only remaining defense is employee awareness and skepticism.

The IC3 offered a number of recommendations to help businesses protect themselves from this threat. In many cases, these boiled down to adding extra levels of protection – such as two-step verification – and encouraging employee alertness.

The problem with additional cybersecurity layers is that this causes inconvenience, and as Harvard Business Review recently reported, many firms are unwilling to tolerate such impediments. Regardless, businesses can greatly improve their protection from this and related email scams by investing in employee information security awareness training. With training, personnel can learn how to identify suspicious messages, and what to do in such a scenario. Savvy employees can save a business countless dollars by resisting these attacks.