Business Email Compromise


So, if you’re here you want to know more about business email scams and what you can do to protect yourself.

What actually is a business email compromise?

Simply put, if your credentials are compromised, whether because you entered them into a phishing login page (a page that mimics another site to capture your login details) or because another online service you use has been breached and you reused the same password there, those credentials can be published on what's commonly known as the 'dark web'. If this happens, 'bad actors' can pay for access to them.

With those credentials in hand, attackers can quite easily dig through publicly available records (your domain's mail server records, for example) and find out where your email is hosted. From there they simply log in to the webmail version of that provider, e.g. Office 365 or Gmail, with your username and password.

The attack then kicks off with an email from 'you' to others in your organisation asking them to pay an amount to an account you've likely never dealt with before. We've heard the horror stories of people falling for this, because from all appearances it genuinely comes from your business email address. This isn't a phishing or impersonation email where the attacker tries to mask the address they are sending from, usually with a random or look-alike domain; the mail really does leave your mailbox, so sender checks such as SPF, DKIM and DMARC all pass. Even with the best of sleuthing, people can fall for this.

What can you do to protect yourself?

There are a few steps you can take right off the bat to substantially reduce the chance of your account being compromised this way, and to limit the damage if it is:

  1. Have an internal verification process - where all fund transfers, and any change to a supplier's bank details, require verbal or in-person approval before they are processed. Make the call on a number you already have on file, not one supplied in the email.

  2. Have a strong password that is different for every service you use! Small variations of one password (a different number on the end for each site) are easy to guess once one copy leaks, so either use a password manager to generate unique passwords, or consider a long passphrase that you use nowhere else.

  3. Enable 2FA (two-factor authentication).
    In short, 2FA means that if the attacker logs in on a new device, you will receive a notification or approval request on your mobile phone, or be asked for a code from an authenticator app that changes every 30 seconds or so. Without that code or approval the attack ends before it starts, and you get a heads-up that something's wrong! One caveat: only approve sign-in prompts you started yourself - an unexpected prompt is the attacker trying your password.

Key takeaway: If an email request seems suss, or you are being asked to transfer funds or change bank details - always get phone or in-person approval, on a number you already trust!

If you’re not sure about anything in this article and you want to know more - get in touch with us and we’ll sort it out for you.

Dan Kearns