Phishing has come a long way from the days when it most often involved cybercriminals urging people to provide personal details in exchange for lottery winnings or other incentives.
Those attacks still occur, but they’ve gotten more advanced. It’s now common for phishing attacks to include company logos, fonts or other characteristics that make recipients think they’re legitimate communications from someone in authority.
A specific type of phishing, business email compromise (BEC), has been on a steady rise since the FBI started tracking it in 2003. BEC has occurred in every U.S. state and more than 100 countries, the FBI reports.
How Does a BEC Scam Work?
BEC typically targets company executives via emails from domains appearing very similar to the authentic one used by the enterprise. Sometimes there are minor differences that can be easy to overlook, such as swapping a lowercase letter L for the number 1, for example, so it’s easy to understand how people get tricked.
Some fraudsters manipulate the “From:” field, too. Many email programs show only the display name of a known sender in that area and keep the actual email address hidden. In that case, the recipient might see the name of their boss and never have a reason to look more closely and reveal the underlying address to ensure it matches.
Those who fall for the scam click on messages that seem to come from people at their workplaces. The message asks for personal or company-related details, which they provide, believing the message is legitimate.
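The two tricks described above, a look-alike domain and a display name that does not match the real address, are both visible in the message headers, so a receiving mail system can check for them before the message ever reaches an inbox. The following is an added example written for this article, not code from the article's author or from any vendor named here; the corporate domain, the executive list, and the homoglyph table are constructed assumptions and should be replaced with an organization's own values.

```python
from email.utils import parseaddr

# Constructed assumptions for the example: the organization's real domain and
# the executives whose names a BEC message is most likely to borrow.
CORPORATE_DOMAIN = "example-corp.com"
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Characters that look alike in common fonts. The "1" for "l" swap is the one
# the article mentions; the others are additional visual confusables.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# Wording that BEC investigators single out as a warning sign.
URGENCY_WORDS = ("urgent", "payment", "request")


def normalize_domain(domain: str) -> str:
    """Collapse visually confusable characters so look-alikes compare equal."""
    d = domain.lower().strip().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def assess_from_header(from_header: str, subject: str = "") -> dict:
    """Return the BEC indicators found in one message's From: header and subject."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []

    if domain != CORPORATE_DOMAIN:
        # Look-alike domain: after normalization it collides with the real one.
        if normalize_domain(domain) == normalize_domain(CORPORATE_DOMAIN):
            findings.append("lookalike-domain")

        # Display-name impersonation: the name belongs to an executive but the
        # hidden address is not that executive's mailbox.
        name_key = display_name.lower().strip()
        if name_key in KNOWN_EXECUTIVES and address.lower() != KNOWN_EXECUTIVES[name_key]:
            findings.append("display-name-impersonation")

        # The corporate address placed in the display name so that a client
        # showing only the name appears to show a legitimate sender.
        if CORPORATE_DOMAIN in display_name.lower():
            findings.append("address-in-display-name")

    if any(word in subject.lower() for word in URGENCY_WORDS):
        findings.append("urgency-keyword")

    return {
        "display_name": display_name,
        "address": address,
        "domain": domain,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample header in the style the article describes.
    sample = '"Jane Doe" <jane.doe@examp1e-corp.com>'
    print(assess_from_header(sample, "URGENT payment request"))
```

The check only works on what is in the header. A message in which the attacker forges the organization's exact domain in the From: field passes the domain comparison here; catching that case is the job of SPF, DKIM and a DMARC reject policy enforced by the receiving server, and the two controls complement each other.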
Knowing this, you likely wonder if you could get fired for being the victim of such a scam.
BECs Cause Numerous Business Disruptions
Most people communicate through email consistently through their workdays, and the nearly instantaneous nature of this form of communication means it doesn’t take long for a phishing attempt to wreak havoc on a business. If a person trusts the sender and believes they’re a colleague, they could relinquish sensitive information in a matter of minutes.
Proofpoint, a company specializing in employee-related cybersecurity matters, performed a survey in 2018 to gain a clearer understanding of how email fraud affects businesses. It polled people from the United States, the United Kingdom, Australia and a few European countries. The results showed more than half of the respondents experienced business disruptions from such attacks.
The disruptions ranged from data loss and the associated recovery costs to operational shutdowns. Additionally, in 1 of 4 cases, a person got fired due to the incident—showing there is reason to worry that falling victim to a phishing attack could cause termination.
Cybercriminals Often Insist on Urgency
The Proofpoint survey showed that in most cases, company representatives considered finance team representatives most at risk of being targeted for these attacks. That makes sense, since they authorize expenditures and handle the majority of other money matters.
Law enforcement professionals who specialize in investigating BEC cases mention that people should be especially careful when receiving emails that have the words “urgent,” “payment” or “request.” Also, these kinds of cybercriminals usually perform in-depth research before engaging with their victims so the emails seem as realistic as possible.
Sometimes, they’ll even research the travel schedules of the company leaders they pose as, telling recipients that they need money wired to them quickly to secure a contract with a new supplier before boarding an international flight, for example.
A Victim Discloses the Issue and Gets Fired
You may hope that if you ever find yourself in a mess due to a BEC scam, being honest about getting scammed would mean you’re in the clear. However, when that situation happened at a Pennsylvania payroll company, the victim lost their job.
Pennsylvania—and several other U.S. states—permits “at will” employment. That means an employer can fire workers for any legal reason, unless they have contracts stating otherwise. In other words, you couldn’t get fired for something unchangeable like your gender or race but may find yourself without a job after making a mistake—such as believing a phishing email.
In the payroll company case, the impersonator requested copies of all 2015 W-2 forms for its clients’ employees, and the recipient complied. The cybercriminal ultimately used the information to target the company’s clients in several states.
Although the establishment did not confirm the number of people affected, an estimate pegged the number at tens of thousands of people.
This Kind of Phishing Can Cost Millions
In another incident, two top-level executives of the Dutch branch of a European movie company were terminated after a court ruled the two didn’t spot or properly react to a phishing scam. This example also illustrates how tremendous the associated losses may be: more than €19 million, in this case.
There also was an attack involving a CEO at an Austrian aerospace parts company that resulted in a €50 million loss. The company’s board, which made the termination decision, didn’t provide specifics of the executive’s involvement but mentioned a severe violation of duties.
Double-Checking as a Protective Measure
Investigators of BEC incidents repeatedly point out that one of the easiest ways to avoid job loss and the other consequences of this kind of scam is to contact the person who supposedly requested the information before sending anything, rather than simply complying. Of course, you shouldn’t do that by replying to the email.
Pick up the phone and contact the person who supposedly sent the email. Don’t disclose any information before you get confirmation.
It may feel strange to do that if the person demands prompt action, but being extra careful could be a job saver.