Despite predictions of email’s demise, this decades-old communication method remains a vital tool in business—and unfortunately, in hacking. Emails that appear legitimate but are actually malicious are still one of the most effective tricks in a cybercriminal’s arsenal.
While some scam emails are obvious due to poor spelling or strange email addresses, it’s getting harder to spot the fakes. Hackers are becoming increasingly sophisticated, making it challenging to distinguish between a malicious email and a genuine one.
Take business email compromise (BEC) as an example. This type of email scam targets organisations of all sizes, aiming to steal money, sensitive information, or both. Hackers often impersonate someone familiar to the victim, like a colleague, boss, or business partner, to trick them into giving up crucial information.
The risk to businesses, especially startups, is significant—and these attacks are only increasing.
How to Spot a Business Email Compromise Scam
Look Out for Warning Signs
Despite attackers’ increasingly polished tactics, there are simple red flags you can watch for: emails sent outside typical business hours; misspelt names; a display name that does not match the actual sender address, or a sender domain that is one character off from the real one (a lookalike such as a 1 in place of an l); a Reply-To address on a different domain from the sender; unexpected links or attachments; and an unwarranted sense of urgency or secrecy. None of these alone proves an email is fraudulent, but two or more together should stop you acting on it until you have verified the request.
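As an added example (not code from the original article), the Python script below parses a raw email and flags several of the red flags just listed: a lookalike sender domain, a display name that advertises a trusted address, a Reply-To that diverts replies elsewhere, SPF/DKIM/DMARC results that are not "pass", pressure language in the subject and body, and delivery outside business hours. The sample message, the trusted-domain list and the business-hours window are constructed assumptions; the homoglyph table is deliberately small.

```python
"""Flag common BEC red flags in a raw email's headers and body.

Added example, not code from the original article. Assumes the input is a raw
RFC 5322 message; the sample message, trusted domains and business-hours window
below are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the display name looks like the CEO, but the domain is a
# lookalike, replies are diverted to a webmail address, and the receiving
# server recorded failed authentication.
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example-corp.com
Subject: URGENT wire needed before 5pm
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none
Date: Sat, 04 May 2024 23:12:00 +0000
Content-Type: text/plain

Hi, I need you to process a wire transfer immediately. Keep this confidential.
Please confirm as soon as possible.
"""

TRUSTED_DOMAINS = {"example-corp.com"}   # assumption: the organisation's own domains
BUSINESS_HOURS = range(8, 18)            # assumption: 08:00-17:59 UTC, Monday to Friday

# A few substitutions attackers use to build lookalike domains (not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PRESSURE_WORDS = re.compile(r"\b(urgent|immediately|asap|today|confidential|wire)\b", re.I)
ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@([\w.-]+)")


def normalise_domain(domain: str) -> str:
    """Fold homoglyphs so 'examp1e-corp.com' and 'rnicrosoft.com' compare like their targets."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def domain_of(address: str) -> str:
    """Return the domain part of an address, lower-cased, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_headers(raw: str, trusted_domains=TRUSTED_DOMAINS) -> list[str]:
    """Return a list of warning strings; an empty list means no red flag was found."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    trusted_norm = {normalise_domain(d) for d in trusted_domains}

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Lookalike sender domain: untrusted as written, trusted once homoglyphs are folded.
    if from_domain not in trusted_domains and normalise_domain(from_domain) in trusted_norm:
        warnings.append(f"lookalike sender domain: {from_domain}")

    # 2. Display name that carries a trusted address while the real address is external.
    m = ADDRESS_IN_TEXT.search(from_name)
    if m and m.group(1).lower() in trusted_domains and from_domain not in trusted_domains:
        warnings.append(f"display name claims {m.group(1)} but address is {from_addr}")

    # 3. Reply-To on a different domain: replies go to the attacker, not the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"reply-to domain {domain_of(reply_addr)} differs from {from_domain}")

    # 4. Sender authentication results recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        result = re.search(rf"\b{mech}=(\w+)", auth)
        if result and result.group(1).lower() != "pass":
            warnings.append(f"{mech} result is {result.group(1)}")

    # 5. Pressure language (urgency, secrecy, payment) in subject and body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    hits = sorted({w.lower() for w in PRESSURE_WORDS.findall(text)})
    if hits:
        warnings.append("pressure language: " + ", ".join(hits))

    # 6. Sent outside business hours (weekend, or outside the configured window).
    date_hdr = msg.get("Date")
    sent = date_hdr.datetime if date_hdr is not None else None
    if sent is not None and (sent.weekday() >= 5 or sent.hour not in BUSINESS_HOURS):
        warnings.append(f"sent outside business hours: {sent.isoformat()}")

    return warnings


if __name__ == "__main__":
    for w in check_headers(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Run on the constructed sample it reports six warnings; on a clean internal message with passing authentication results it reports none. The Authentication-Results check only means something if your own mail server adds that header and strips any copy the sender supplied, so treat the SPF/DKIM/DMARC lines as advisory unless you have confirmed that.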
Check with Your IT Department
Tech support scams are increasingly common. Scammers send text messages or emails, posing as your IT or security team, with links to fake login pages that mimic the real sign-in site; many people enter their credentials without noticing. Remember that a legitimate IT team will rarely, if ever, contact you by SMS, and will not ask for your password or a one-time code in a message. Verify any unexpected "IT" notification by contacting your IT team through the official channel you already use, never through the link or number in the message itself.
Contact the Sender Directly
Attackers often use spear phishing to impersonate senior executives or outside vendors. If an email makes an unusual request, and especially if it involves money or credentials, confirm it with the sender through a channel you already trust: the phone number in your company directory, an internal chat message, or a walk to their desk. Do not reply to the email or call a number it contains, because in a spoofed message the Reply-To address and the signature block are controlled by the attacker.
Use Multi-Factor Authentication
Multi-factor authentication (MFA) adds a layer of security beyond passwords. It is not foolproof: one-time codes can be phished and relayed in real time by a proxy site. Phishing-resistant methods such as hardware security keys and passkeys close that gap, because the login response is bound to the genuine site's origin and cannot be replayed from a fake page. They do not, however, protect a session token stolen from a browser that is already logged in, so keep endpoint protection and session-timeout settings in place as well.
Implement Stricter Payment Processes
Many cyberattacks aim to steal money, and BEC scams typically work by manipulating an employee into sending a wire transfer. To reduce this risk, put strict payment controls in place: require a second person to approve any transfer above a set threshold, and have your finance team verify every change to a supplier's bank details by calling the supplier on a number already on file, never on a number given in the change request.
Be Wary of Phone Calls
Though email is the most popular tool for cybercriminals, fraudulent phone calls are also on the rise, often as a follow-up to an email to make a request seem more genuine. Caller ID can be spoofed, so treat unexpected calls with caution even if the caller appears to be legitimate, and do not share confidential information unless you placed the call yourself to a number you already trust.
Ignore Suspicious Requests
Minimising the risk of BEC scams can often be as simple as not acting on a suspicious request. If an email asks for sensitive information or an unusual financial transaction, pause and verify it, even when it appears to come from a trusted source. Treat unexpected calls asking for confidential information with the same scepticism. Report every suspicious attempt to your IT department rather than simply deleting it: reporting lets them block the sender, warn colleagues who received the same message, and check whether anyone has already responded.
Your startup can significantly reduce the risk of falling victim to email scams by staying vigilant and adopting these protective measures. Build a culture of security awareness within your team so everyone is equipped to recognise and report potential threats; a well-informed and cautious workforce is the best defence against this kind of attack. Stay alert, stay informed, and keep your business safe from email scams.