Business E-mail Compromise (BEC) Scams: An Underappreciated Cyberthreat

Antwan Banks - March 28, 2023

Everyone at some point receives an e-mail that seems fishy, and perhaps prompts them to show it to someone else, wondering, “Do you think this is legitimate?”

There are good reasons people are asking that.

We’re talking about the e-mail that appears to be from a vendor your company regularly deals with, asking for an updated mailing address and or banking account information – or the e-mail that appears to be from DocuSign but doesn’t tell you what it’s all about, and is asking for your signature. These and many other emails like them fall under the category of Business E-mail Compromise (BEC).

It doesn’t get much attention compared to some of the other threats people are discussing. But it should.

The Wall Street Journal recently reported that BEC scams accounted for $2.7 billion in losses in 2022, which was up from $2.4 billion in 2021. This is part of a larger trend that saw total losses from online scams reach $10.3 billion in 2022, which was a whopping jump from $6.9 billion in 2021.

And if it seems to you like it’s happening more frequently, you’re not imagining it. The total number of BEC attacks increased by 81 percent in 2022 alone. And we’re not talking small dollars here. Some BEC attacks cost organizations millions of dollars. All because someone trusted an e-mail.

This does not need to happen to any organization, and it’s important for the trucking industry to take steps to protect itself against these scams.

Here are four basic steps that any organization can do right away, and should do right away, to protect themselves from these scams:

  1. Train your employees to apply extra scrutiny to any e-mail associated with payments, especially if they sound urgent or appear to have been sent by an executive or vendor. One thing to check is whether the sending e-mail appears to match the purported sender. But even if it does, that doesn’t mean employees should trust the e-mail or do what it’s asking.
  2. Institute a policy by which all money transfer and invoice changes are confirmed by multiple parties in person or over the phone. Don’t let anyone act on payment requests or invoices just because an e-mail asks them to.
  3. Tag all e-mails originating outside your organization as “external.” That will help get the attention of employees when a hacker is trying to fool them by appearing to be their boss or another colleague.
  4. Implement a privileged access management (PAM) solution. This limits people’s access to things like accounts, applications, systems and devices to only what they absolutely need to do their jobs, and makes it less likely that someone can act on a whim to financially compromise the company.

For all the justified attention being given to ransomware attacks and system break-ins, there are always hackers looking to make you and your team members do their jobs for them – by tricking people with a deceptive e-mail. If they can get you to click the link, enter the information, confirm the data or – of course – send the payment, it becomes that much easier for them to scam you.

And it’s working to the tune of nearly $3 billion a year drained out of the coffers of U.S. businesses.

Let’s not let the trucking industry fall prey to these scams. Take these fundamental steps right away and contact me via antwan.banks@nmfta.org if I can be of assistance to you.

Antwan Banks
Antwan Banks

Antwan Banks is an accomplished cybersecurity professional with extensive experience in various high-profile roles. He currently serving as the director of enterprise security for the NMFTA where he plays a pivotal role in educating the trucking and supply chain industry about the myriad of intricate security risks associated with enterprise networks. Prior to NMFTA, Antwan served as the director of cybersecurity at the Metropolitan Atlanta Rapid Transit Authority (MARTA), where he managed cybersecurity operations and built the Information Security Office to safeguard various systems and networks. Antwan's expertise also extends to his military service as a United States Army Lieutenant Colonel, where he oversaw IT and computer security projects in Germany and the Middle East and served as a military advisor to the Saudi Arabian military Chief Information Officer.