Strangers in your inbox: safeguarding against business email compromise

It’s hard to think of a business that doesn’t depend on email as an essential method of communication. According to Statista, a staggering 281 billion emails were sent globally last year alone. Yet, despite the sheer volume of email, it still comes as a surprise to many to learn that one of the most common methods of communication is not nearly as secure as they think.

Business emails and the sensitive data they transport are notoriously easy to intercept and spy on, making them vulnerable to a specific type of spear phishing attack, known as business email compromise. This is one of the most expensive types of attack an organisation can suffer: In the period between October 2013 and May 2018, global businesses were hit with an estimated 78,000 BEC incidents. These incidents combined resulted in upwards of $12 billion in corporate losses, and many more are understood to remain unreported.

Business email compromise is based on the principles of spear phishing, the fraudulent action of sending emails posing as a trusted sender with the intention of tricking the receiver into handing over information or funds. In the case of business email compromise, malicious parties specifically intend to dupe a company’s employees into wiring funds to accounts which appear to be legitimate but are actually controlled by criminal con artists. To do so, they impersonate someone higher up in the company than the email recipient and request the wire transfer for some made-up but legitimate sounding reason. If the target employee accepts the premise that this communication is coming from a more senior team member with the authority to make this request, then that employee may make this transfer, and the money disappears.

Phishing: Avoiding the growing threat to business data

Email phishing is becoming more sophisticated and targeted. How can firms avoid being caught out?

Business fraud, as a rule, targets much larger sums than consumer fraud, and given the reputational impact of revealing it, the exact amount lost to businesses all over remains unknown.

Business email compromise attacks might rely on other types of intrusion in order to be successful: for example, hackers may get into confidential documents to find the information they need to best impersonate the sender and carry out their scam. Businesses should be aware that cyber criminals’ overarching strategy might rely on several separate malicious deployments, many based themselves on email, including malware that allows access to confidential information and credential-stealing.

All this made possible by the organisation not taking all possible precautions to secure email communications.

Given that business email compromise exploits the good faith employees have that email communications within the organisation are secure, the way to protect against such attacks is to provide them with a clear, instant method of checking whether each email comes indeed from within the business. Digital signatures serve exactly this purpose, adding a visible verification mark to each email confirming the authenticity of the sender. In this way, no outsider can successfully impersonate a member of the organisation.

Phishing attacks can AI help people provide a fix?

AI isn’t quite like having a cyber security expert on your shoulder, but it could be the next best thing, Paul Chapman, co-founder of Cybershield, told us

The evolution of email authentication

The appropriate certificate type to secure public email is called a Secure/Multipurpose Internet Mail Extension (S/MIME) certificate. These certificates offer a logical approach for preventing business email compromise attacks, but the technology has been cumbersome to date and adoption rates worrying low. While it helped encrypt emails and prevented effective modification of emails or their attachments, the process of installation and enablement was too slow and complex for companies to cope with.

Adoption unquestionably has been hindered by the need to install certificates in each email client one by one – a daunting process for any medium-sized business or enterprise. As ideal as the end solution is, on a practical level trundling out to each and every employee device to install an email security certificate hasn’t been a productive use of Network Administrators’ time. Requiring user action, as well, has proved ineffective, as employees may well overlook or ignore the task.

Why email is the weakest security link – and how to fix it

How can companies protect their email domains against phishing attacks and exploitation?

The workload extends further – to certificate maintenance, until now a case-by-case job involving their upgrading and updating and keeping track of the thousands of encryption keys involved in securing an entire enterprise’s communications. Common practice dictated that all these would be hosted locally on individual devices; now, all can be stored together in what is known as a “vault,” eliminating the risk of loss or destruction and allowing access to archived emails from departed employees. The right Certificate Manager will offer key vaulting as a built-in capability, instead of requiring that the company build and manage its own.

Automation, the greatest barrier against business email compromise

Given the myriad emails exchanged today in any modern business, the work of managing each certificate’s entire lifecycle is overwhelmingly technical, complex, and time-draining for any IT team. Even investing in highly specialised, fully dedicated personnel carries the unavoidable risk of human error – and a single oversight can cause enormous losses to the company.

Fortunately, technology can help. Automated deployment, management, and storage of S/MIME digital certificates and keys can finally bring the promise of authenticated, encrypted, and unaltered email communication to business, and in so doing deal a serious blow to Business Email Compromise and other spear phishing email scams.

Written by Tim Callan, Senior Fellow at Sectigo

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at