Skip To Main Content
Focused businessman working at laptop in cafe

How to protect your businesses from the latest email scams

Business email compromise has surpassed ransomware as top cyber threat, report says

Focused businessman working at laptop in cafeHackers find ways into employee inboxes—when they are working remotely, for example—compromising their credentials and combing accounts for confidential information (Getty Images/Milton Brown)

From stealing confidential business information to impersonating our bosses or colleagues, our workplace inboxes are bearing the brunt of cyberattacks, according to statistics. 

A recent report from finance and insurance corporation AIG found that business email compromise (BEC) surpassed ransomware as the No. 1 cyber threat in 2018, accounting for almost a quarter (23 per cent) of its insurance claims—up from 11 per cent in 2017.

And incidents are making headlines. In July, Canada saw its biggest data breach to date, when credit card company Capital One Financial was hacked, compromising the personal data—including one million social insurance numbers—of approximately six million Canadians and 100 million American credit cardholders in total. 

“Technical IT security defenses are so advanced that a back-to-basics approach was needed, and BEC is refreshingly non-technical,” says Claudiu Popa, principal risk adviser at Informatica. “If you can’t exploit the IT firewall, then deceive the human one.”

Keeping up is a challenge, Popa adds, as cybercriminal networks increase in prevalence and complexity, while the players themselves strive for success and opportunity. 

“Hackers increasingly feel the pressure of having to compete with others and prove their mettle against diverse teams around the world,” he says. “While ultimately it’s about the money, the way to get there is pure business, competition [and] supply and demand.”

So how can businesses protect themselves from this growing threat? “That’s where it’s getting very complicated, figuring out that web,” says cybersecurity expert Imran Ahmad. “Often by the time you’ve run your investigation, the damage has already been done.”

To minimize potential cyberattacks, Popa and Ahmad offer tips on what organizations can do to fight back. 


Hackers find ways into employee inboxes—when they are working remotely, for example—compromising their credentials (usernames and passwords) and combing accounts for confidential information, says Ahmad. “They will use search terms in an inbox like credit card, invoice, etc….They will steal that data and do bad things with it.”

That’s why employee buy-in is key, Popa adds, particularly when one bad move could mean the “difference between staying in business or going bankrupt because of the financial losses or brand damage following a data breach.” He recommends developing “cyber-situational awareness.” Beyond having detection and monitoring systems and expertise in place, ongoing cyber-safety education keeps staff on guard.

“Employees are the human firewall, they are the front lines of defence,” he says. “They need to be continuously vigilant, aware and empowered to make important decisions.”


Passwords alone aren’t enough, and are relatively easy to crack or bypass, Ahmad says. Once hackers find their way into a mailbox, they can send spam emails to entire contact lists—impersonating the CEO, finance or IT department, for example—and encourage recipients to click on a link or file that gives them access to other credentials and inboxes. From there, they could create fake accounts, pose and communicate as individuals in the organization, and request wired funds or changes to accounts. 

Using two-factor authentication, or 2FA, provides an extra layer of security, requiring employees to include a username, password and token i.d. when accessing their mailboxes, particularly while working offsite. “That is an easy low-hanging fruit solution,” Ahmad says. “It reduces 99.9 per cent of the issues that are dealt with there.”

Be on guard, though. Phishing attacks are increasingly used to access 2FA codes, tricking the user into handing them over by email, via a smartphone, or by intercepting SMS messages. To curb this, there is Universal 2nd Factor (U2F), which completes the login process by inserting a USB device. Earlier this month, Google, which has used USB security keys since 2017, introduced its first Titan Security Keys in addition to its USB-A/NFC and Bluetooth/NFC/USB offerings.


Hackers can also compromise  an email’s auto-forward feature, forwarding emails received in that inbox to an external account and directly into the cyber criminal’s hands.

“What they [hackers] are really trying to do is become the man in the middle … to figure out who your trusted partners or vendors are, then get into that conversation so they can direct you to change banking details, commit wire fraud, etc.,” explains Ahmad.  “There are a variety of things they can do at that point: steal information, sell it on the dark net.”

To combat this, Ahmad recommends deactivating the auto-forward feature, only allowing employees access with a formal request to the IT department. “Even if the hacker got in, there would be a restriction for them to be able to do it, so at least the data isn’t leaving that way,” he adds. 


Organizations have policies and procedures in place, but lack follow-up to ensure they are adhered to, Ahmad says. Cyber criminals can use this vulnerability to their advantage, he adds. 

Ahmad recommends going beyond policies and input controls. For example, two signatories are needed to approve a transaction, but can that be overwritten? What is in place to ensure policies are being followed? 

“If you have the right controls, you can limit a lot of these issues,” he says.

Ahmad also recommends going back to analog—i.e., speak to the individual directly—when it comes to requests to change account information, or to divert or access funds. “If the person has no idea what you are talking about, you know this is a fraudulent request, potentially,” he says. 

Popa also suggests organizations keep abreast of government standards and legislation, and aligning business practices around them. Look to Canada’s Cyber Safe Guide for small and medium-sized business for guidance, he adds. 

“[This will] ensure they have all their bases covered and are not myopic about their approach to security protection.”


Keep up on the latest cyberthreats, bolster your cybersecurity policy, and uncover best practices for protecting personal data and intellectual property with CPA Canada’s Cybersecurity management for the public sector webinar or the Cybersecurity frameworks certificate.