Business Email Compromise: Silent But Deadly


We’ve long known that we need to keep our emails private, and hide access behind a strong, solid password. But at the same time, you might think, “So what if someone sees my emails? None of it is secret or even sensitive.”

Hackers engaged in Business Email Compromise (BEC) aren’t interested in your everyday emails. They’re looking for sensitive information or documents, or for ways to scam you or your customers in the future.

Misconceptions

The dangers of email hacking go way beyond somebody eavesdropping on your plans with friends or family, or a news article or joke you’ve shared with a friend.

Misconception #1: An email hacker will grab my emails and leave. No, they won’t. For the hacker, the money is in logging in and staying in for a period of time.

Misconception #2: I’ll know if a hacker gets in. Nope. BEC hackers are silent, and will very quietly stay in your email system for long periods of time, even months or years, watching emails come and go. They won’t delete emails or make their presence known. Instead, they’ll wait for very specific circumstances before they make their move.

Misconception #3: I don’t have any important financial or personal information in my emails. Have you ever emailed documents to a tax preparer, a mortgage company, or any other entity that deals with money? These documents are very likely sitting in your Sent folder.

Misconception #4: My sensitive information is safe because it’s not in my email. Not true. Email is the gateway to so many services, from password resets to cloud storage.

Misconception #5: A hacker would have to compromise my computer to get my emails, and I have virus protection, VPN, etc. to protect me. Hacking your emails doesn’t mean they get into your computer itself–they just log into your email accounts from wherever they are, and they can see everything from your Inbox to Junk, Spam, and Sent emails.

What’s really happening

BEC hackers look for ways to exploit your existing emails and contacts to extract money or access from you. Here are the types of activities a hacker is likely to try, once they have access to your email account:

Password resets for access to other services. Having access to your email means a hacker can hit the “Forgot Password” button for any of your services–your bank, utilities, online accounting or budgeting, really any online service–and when you get an email link to reset the password, the hacker can go ahead and click it.

Theft of personal, sensitive, or financial data. Hackers look for W2s and other tax documents in your Inbox or Sent folders. They might also use your email login to access cloud storage services like Google Drive and Dropbox to find more financial documents, or even your cryptocurrency passwords.

Falsified invoices. If a vendor or other service provider is compromised, the hacker can send false invoices that look like the real thing, but with payment information that pays the hacker, not the vendor.

Falsified invoices are the sneakiest of the types. While a hacker might try and use your financial information for fraud, that takes time, and there can be numerous red flags along the way. False invoices, by contrast, strike very quickly, and by the time you notice the money went to the wrong place, it may be long gone.

Case Study: BEC leads to $160K theft

Pat and Marisa Lawlor learned about BEC the hard way in 2022 when they went to buy a home in California. The paperwork was in motion, and the closing date was set.

The Lawlors had set aside a $160,000 down payment, so when they received an email from their escrow company about the deposit, they wired the money straightaway using the instructions in the email. Then they were surprised to hear from the escrow company a week later, asking for the deposit.

The initial email turned out to be fraudulent, with the wire instructions sending the $160K deposit to a fraudster. The email looked legitimate, with no discernible red flags.

The escrow company’s emails had been compromised, making it possible for a scammer to send an email that looked perfectly convincing to a customer.

Protect yourself from BEC hacks and scams

So, what can you do? There are a few ways you can protect yourself from BEC hacks and scams.

Protect your email account with a strong password. If you’re still using a password from 2008, it’s time to update it to a long password with lots of random characters.

Change your email password often. If a hacker is in your emails, they’ll get kicked out until they put in the new password.

Delete sensitive documents from Inbox and Sent. Right after you send or receive a sensitive document, delete the email, and make sure it’s deleted from your Deleted folder.

Get verbal confirmation for large payments. If you get an email with vendor payment info, particularly wire transfer details, call the vendor and confirm the details before making the payment.
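
For teams that pay vendors regularly, the confirmation step above can be backed by a simple check before any money moves. The following is an added example, not part of the original article: it compares the payment details in an email against the vendor record kept on file and, when anything differs or the amount is large, holds the payment and returns the phone number from the record (never the one in the email) for the confirmation call. The threshold, vendor names, account numbers and phone numbers are constructed assumptions.

```python
from dataclasses import dataclass

LARGE_PAYMENT = 10_000  # assumed threshold in dollars; set per your own policy

@dataclass(frozen=True)
class Vendor:            # details recorded at onboarding, never copied from an email
    routing: str
    account: str
    phone: str

@dataclass(frozen=True)
class EmailedRequest:    # what the payment email asks for
    vendor: str
    routing: str
    account: str
    amount: float
    phone: str = ""      # callback number printed in the email, if any

def digits(s: str) -> str:
    """Keep digits only so formatting differences do not cause false alarms."""
    return "".join(c for c in s if c.isdigit())

def review(req: EmailedRequest, on_file: dict[str, Vendor]) -> dict:
    """Decide whether a payment may proceed or needs a phone confirmation."""
    rec = on_file.get(req.vendor)
    if rec is None:
        return {"decision": "hold", "call": None, "reasons": ["vendor not on file"]}
    reasons = []
    if (digits(req.routing), digits(req.account)) != (digits(rec.routing), digits(rec.account)):
        reasons.append("bank details differ from record")
    if req.amount >= LARGE_PAYMENT:
        reasons.append("large payment")
    if req.phone and digits(req.phone) != digits(rec.phone):
        reasons.append("email lists a different phone number")
    # The callback number always comes from the record, never from the email.
    return {"decision": "hold" if reasons else "pay",
            "call": rec.phone if reasons else None,
            "reasons": reasons}

# Constructed sample data (not from the article).
VENDORS = {"Example Escrow Co": Vendor("000111222", "000123456789", "+1 555 0100")}
GENUINE = EmailedRequest("Example Escrow Co", "000111222", "0001-2345-6789", 2500.00)
FRAUDULENT = EmailedRequest("Example Escrow Co", "000999888", "999888777666",
                            160000.00, phone="+1 555 0199")

if __name__ == "__main__":
    for r in (GENUINE, FRAUDULENT):
        print(r.vendor, r.amount, review(r, VENDORS))
```

The fraudulent request is held even though it names a known vendor, which matches the case study: an email sent from a compromised vendor mailbox carries no visible red flags, so the check relies on the stored record rather than on how the message looks.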
