6 Tips for Defending Against Business Email Cybercriminal Attacks

Learn how to defend your firm from business email cybercriminal attacks, including how to spot and block them. Discover important tips with Mailazy now!

Tuesday, Jun 11, 2024

Worried about becoming a target of business email cybercriminal attacks? This article discusses the danger, identifies common tactics used, and offers tips for enhancing your defenses.

In the digital age, organizations are increasingly exposed to business email cybercriminal attacks. These threats are deceptive schemes in which scammers use bogus emails to trick businesses into revealing sensitive information or making unauthorized financial transactions.

According to FBI data, business email compromise (BEC) scams alone cost $2.9 million last year, affecting companies across all industries. As a result, enterprises need to implement proactive security measures to strengthen their defenses.

In this article, we’ll learn about business email cybercriminal attacks, their examples, and practical ways to protect your company from these risks.

Understanding Business Email Cybercriminal Attacks

1. Business Email Cybercriminal Attacks Definition

Business email cybercriminal attacks involve criminals sending convincing emails to your staff, deceiving them into clicking on dangerous links or downloading harmful files.

Once the attackers gain access, they can collect important corporate information, limit your system access, demand ransom, or start unauthorized financial transactions.

It’s worth noting that these attacks exploit trust and authority, making them appear credible to their victims. Hence, they are hard to detect or avoid.

2. Stages of a Business Email Cybercriminal Attack

Typically, a business email cybercriminal attack consists of four steps:

  • Identify the target: Criminals gather information about your organization and its personnel from websites and social media. They then make an attack profile, open an email account, and write a fake message.

  • Send email: Scammers target your employees using spear-phishing emails. They persuade or pressure the staff to share sensitive information or transfer money. A tactic that they often use is to send multiple emails to the same employees over several days or weeks.

  • Exchange information: If the second stage works, your employees can’t tell the email is fake and may unintentionally agree with the criminal’s request to share the data or money.

  • Transfer money: If the request is for money and staff responds, the attacker transfers the cash to an external account before the attack is discovered.

3. Examples of Business Email Cybercriminal Attacks

Below are some of the most common types of BEC attacks:

  • Data theft: Scammers target HR departments to steal employee information, such as personal phone numbers and schedules, for identity theft or other BEC scams. For example, in February 2016, attackers impersonated Snapchat’s CEO to acquire social security numbers, tax information, salaries, and healthcare plans from former and current employees.

  • CEO fraud: Criminals impersonate executives through spoofed or hacked email accounts and send urgent cash transfer demands. In June 2014, Keith McMurtry, an employee of Scouler Co., received a fake email from someone impersonating the CEO, asking him to wire $17.2 million for a Chinese company acquisition.

  • Account compromise: Attackers use phishing or malware to access finance staff’s emails and begin fraud activities. For instance, in early 2020, Rubén Rivera, a director of Puerto Rico’s Industrial Development Company, was tricked into transferring a large sum of money due to a fake email from a hacked account.

  • False invoice scheme: Criminals send fake invoices that seem like legitimate ones, redirecting payments to fraudulent accounts. As an example, in June 2021, hackers broke into Treasure Island charity’s email system and manipulated a legitimate invoice, diverting a loan to their account.

  • Lawyer impersonation: This is unauthorized access to a law firm’s email to send fake invoices or payment requests. Between 2013 and 2015, Rimasauskas and associates created a fake company and issued counterfeit invoices to Facebook and Google, using fake lawyers’ letters and contracts to ensure the banks accepted the transactions.

Tips to Stop Business Email Cybercriminal Attacks

Adopt these six recommended practices to prevent BEC attacks:

1. Use strong, unique passwords

  • Make your passwords long: Use at least 16 characters.

  • Make them random: Use a combination of letters, numbers, and special characters. For example, Lvss67*&znUXv%P8y. If you struggle to remember this password, create a memorable passphrase of 4–7 unrelated words. For instance: BananaGrayBeachSkateTwo

  • Make them unique: Remember to use a different password for each account.

  • Consider using a password manager: A password manager can generate and store passwords securely. It can also notify you of weak or reused passwords and fill in logins automatically, so you need to remember only one strong password for the manager itself.

2. Enable two-factor authentication (2FA)

  • Increase security: Besides your password, use 2FA to add an extra layer of protection to your accounts. It requires a second form of verification, such as a code sent to your mobile phone or a biometric scan, which makes it far more difficult for attackers to get in even if they know your password, and therefore much harder for them to impersonate you or your staff.

3. Verify senders, links, and attachments

  • Verify the identity of the sender: Check the email address, display name, and domain. If anything seems off, contact the sender directly through another channel, such as a phone call.

  • Scan the attachments and links: Even if you trust the sender, check the attachments and links before opening. You should use antivirus software or third-party tools to detect dangerous code.

  • Use secure file-sharing platforms: Instead of sending files as attachments, share them through platforms like Google Drive, OneDrive, and Dropbox, which encrypt and protect your data. This makes it harder for cybercriminals to use malicious attachments as a way into your system.
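The sender checks above (address versus display name, domain, and reply path) can be partly automated. The following is an added example, not code from the original post or from Mailazy; the trusted-domain list and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: your own domain plus partner domains you routinely exchange mail with
# (constructed for this example).
TRUSTED_DOMAINS = {"example.com", "supplier-example.net"}

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_checks(headers):
    """Return warning strings for the From/Reply-To headers of one message."""
    warnings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = domain_of(addr)
    # 1. The display name embeds an address whose domain differs from the real one.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != from_dom:
        warnings.append(f"display name claims {m.group(1)} but address is {from_dom}")
    # 2. The sender domain is a near-miss of a trusted domain (look-alike/typosquat).
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and 0 < edit_distance(from_dom, trusted) <= 2:
            warnings.append(f"{from_dom} looks like {trusted}")
    # 3. Reply-To silently redirects the conversation to another domain.
    reply_dom = domain_of(headers.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom}, not {from_dom}")
    return warnings

# Constructed sample in the style of a CEO-fraud message.
SAMPLE = {
    "From": '"Jane Doe <ceo@example.com>" <jane.doe@examp1e.com>',
    "Reply-To": "jane.doe@webmail-example.org",
}
```

Calling sender_checks(SAMPLE) returns three warnings (embedded address mismatch, look-alike domain, and external Reply-To), while a message from a known domain with no Reply-To returns none.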

4. Monitor account activity

  • Look for unusual activity: Watch for login attempts from unknown locations or devices, as well as changes to account settings. These may indicate that attackers have already compromised an account and are preparing the next stages of a BEC attack.

  • Review transactions: Check for any unplanned or unauthorized transactions. With large transactions, you should consult with relevant parties, such as the accounting department or the CEO, either in person or over the phone.
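To make the monitoring advice concrete, here is an added example (not part of the original article) that reviews a constructed audit log: it flags a user's first login from a new country or device and any account-setting change, such as a new forwarding rule, made within an hour of that login. The log format and event names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: (timestamp, user, event, detail). In practice these
# rows would come from your mail platform's sign-in and audit logs.
EVENTS = [
    ("2024-06-03T08:02:00", "alice", "login", "country=DE device=laptop-01"),
    ("2024-06-04T08:10:00", "alice", "login", "country=DE device=laptop-01"),
    ("2024-06-05T02:41:00", "alice", "login", "country=NG device=unknown-android"),
    ("2024-06-05T02:49:00", "alice", "forwarding_rule_created", "to=external-mailbox"),
    ("2024-06-05T09:00:00", "bob", "login", "country=DE device=desktop-07"),
]

# Account-setting changes that often follow a takeover in a BEC campaign.
SETTING_EVENTS = {"forwarding_rule_created", "mfa_reset", "password_changed"}

def parse_detail(detail):
    """Turn 'k=v k2=v2' into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split())

def review_activity(events, window=timedelta(hours=1)):
    """Flag first-seen country/device pairs per user, and settings changes made
    within `window` of such a login. Returns a list of (user, timestamp, message)."""
    seen = defaultdict(set)    # user -> (country, device) pairs already observed
    last_suspicious = {}       # user -> time of the most recent suspicious login
    alerts = []
    for ts, user, event, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "login":
            d = parse_detail(detail)
            key = (d.get("country"), d.get("device"))
            # The first login we ever see for a user only builds the baseline.
            if seen[user] and key not in seen[user]:
                alerts.append((user, ts, f"login from new country/device {key}"))
                last_suspicious[user] = when
            seen[user].add(key)
        elif event in SETTING_EVENTS:
            t = last_suspicious.get(user)
            if t is not None and when - t <= window:
                alerts.append((user, ts, f"{event} {detail} shortly after suspicious login"))
    return alerts
```

On the sample log, review_activity(EVENTS) raises two alerts for alice (the unfamiliar login and the forwarding rule created eight minutes later) and none for bob.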

5. Regularly update your software

  • Security patches: Keep your software up to date, including operating systems and applications; updates often fix weaknesses that scammers can exploit. If your business runs a point of sale (POS) system, that is a further exposure: when a customer pays with a credit card, debit card, smartphone, or other contactless method, the payment data is vulnerable unless it is properly encrypted, and attackers can use what they obtain to carry out BEC attacks. To protect your system, work with reputable POS solution providers that offer token-based authorization security.

  • Automatic updates: Set your systems to update automatically or check for these updates regularly.

6. Spread awareness about email security

  • Regular training: Teach your employees and stakeholders to spot phishing emails, and run phishing simulation exercises to assess your staff's resilience to fraud. Also set up clear procedures for employees to report suspicious emails to your security team.

  • Use security tools: Consider tools like Mailazy for enhanced email authentication and protection. Such tools support SMTP servers as well as the SPF, DKIM, and DMARC authentication protocols, which help prevent email spoofing and reduce the likelihood of unauthorized access or interception.
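To show why DMARC matters for the spoofing described above, the following added example (not Mailazy's code or the article's) applies DMARC identifier alignment to a message whose receiving mail server has already recorded SPF and DKIM results in an Authentication-Results header. The sample message and the two-label organisational-domain shortcut are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    """Organisational domain, approximated as the last two labels (assumption:
    real DMARC uses the Public Suffix List, which this example omits)."""
    return ".".join(domain.lower().split(".")[-2:])

def parse_auth_results(header):
    """Extract method -> (result, authenticated identifier) from Authentication-Results."""
    results = {}
    for clause in header.split(";")[1:]:          # element 0 is the authserv-id
        m = re.search(r"\b(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        ident = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)", clause)
        results[m.group(1)] = (m.group(2), ident.group(1).lower() if ident else "")
    return results

def dmarc_evaluate(raw_message, adkim="r", aspf="r"):
    """Return (passes, reasons). Assumes the receiving MTA already wrote an
    Authentication-Results header; this only applies DMARC identifier alignment
    ('r' relaxed = same organisational domain, 's' strict = exact match)."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    passes, reasons = False, []
    for method, mode in (("dkim", adkim), ("spf", aspf)):
        result, ident = auth.get(method, ("none", ""))
        if result != "pass":
            reasons.append(f"{method}: {result}")
            continue
        aligned = ident == from_dom if mode == "s" else org_domain(ident) == org_domain(from_dom)
        reasons.append(f"{method}: pass, {'aligned' if aligned else 'NOT aligned'} ({ident})")
        passes = passes or aligned
    return passes, reasons

# Constructed: SPF passes for the attacker's own bounce domain, but the visible
# From header is spoofed, so neither identifier aligns and DMARC fails.
SPOOFED = """From: "CFO" <cfo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@attacker-example.net; dkim=none
Subject: Urgent wire

Please pay the attached invoice today.
"""
```

dmarc_evaluate(SPOOFED) returns (False, [...]) because an SPF pass for a different domain does not align with the From header; a message DKIM-signed by a subdomain of the From domain passes under relaxed alignment but not under strict.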

This article has shown how business email cybercriminal attacks harm firms, causing financial losses and disruption. To defend your company from these threats, take a proactive approach: create strong passwords, enable 2FA, verify email senders, links, and attachments, monitor account activity, update software regularly, and educate your team about email security practices. By taking these steps, you can protect your operations effectively.