The basic idea is that a hacker spends time studying your business: how it operates and who you do business with. Then he or she spoofs the identity of a company you have business dealings with and starts sending emails to your employees, billing for services that haven’t been rendered, in order to fool them into paying the fake invoices.
It’s a good scam, precisely because the hackers spend so much time researching how your company operates.
The spoofed emails are compelling and, by all outward appearances, accurately mimic those sent by a company your employees are used to dealing with. At first or even second glance, there’s nothing at all amiss, and if they’re accustomed to paying invoices to this company, odds are excellent that little to no cross-checking will occur.
They get an invoice, it runs through the proper channels, and it gets paid, because your business runs like a well-oiled machine, which is exactly what the hackers are counting on. Of course, as soon as your money hits the hacker’s bank account, it is immediately withdrawn and spread around so that it’s virtually impossible to recover.
Exactly how big of a problem is this?
According to the FBI’s Internet Crime Complaint Center, Business Email Compromise attacks have defrauded businesses of more than three billion dollars since 2013.
While it’s true that big, multinational companies have been the preferred targets of hackers employing this technique, any company is vulnerable to it. Now that the big companies are starting to put their collective guard up, small and medium-sized businesses can expect to be on the receiving end of attacks like these next.