October is Cybersecurity Awareness Month. Read on to learn more about protecting your business from scammers.
October marks Cybersecurity Awareness Month, so we want to remind business owners that financial fraud continues to pose a significant risk. From sophisticated phishing scams to business email compromise (BEC) schemes, criminals are increasingly targeting business enterprises of all sizes. The consequences can be devastating: drained accounts, disrupted operations, and long-lasting reputational damage.

Business Email Compromise (BEC)
Current trends show a rise in social engineering attacks where fraudsters impersonate vendors, customers, internal staff, or banks to manipulate employees into transferring funds or revealing sensitive financial information. Known collectively as Business Email Compromise (BEC), these attack methods often include spoofed email addresses, hijacked legitimate accounts, or the exploitation of weak authentication protocols to gain access to email accounts and manipulate communications. More than 65% of all businesses report being targeted for BEC attacks.
A growing concern in BEC attacks is supply chain fraud, where fraudsters impersonate a trusted vendor and convince a company to change payment instructions. These schemes often bypass traditional security tools because they rely on social engineering rather than malware to perpetrate the scam. The financial and reputational damage can be severe.
Vendor Fraud Gains Momentum
Vendor invoice fraud—often executed through BEC—is surging at an unprecedented rate. In 2024 alone, the FBI’s Internet Crime Complaint Center (IC3) reported $2.8 billion in losses from BEC scams, with vendor impersonation now accounting for 45% of all BEC attacks. These scams are increasingly sophisticated, with attackers exploiting trusted relationships and compromised email accounts to redirect payments, often resulting in six- or seven-figure losses.
In August 2022, Eagle Mountain City in Utah fell victim to a vendor impersonation scam that cost the municipality $1.13 million. The city was in the midst of a major road-widening construction project and regularly exchanged emails with its vendor. Cybercriminals managed to insert themselves into an existing email thread between city officials and the construction company, impersonating the vendor with a nearly identical email address.
The scammers sent updated payment instructions that appeared legitimate, and a city staff member unknowingly transferred the funds to the fraudsters’ account. The payment was processed before anyone realized the deception, and the funds were quickly withdrawn. This incident underscores how BEC attacks can exploit routine business operations and familiarity to bypass scrutiny. The case is a textbook example of how vendor invoice fraud can occur even in well-managed organizations, with attackers leveraging timing, trust, and subtle manipulation to commit the theft. BEC scams can target any organization, so it is critical that employees remain vigilant and that the business institute verification protocols. The checklist below provides some tools and techniques businesses can employ to reduce the risk of BEC scams:
✅ BEC Risk Mitigation Checklist
- Implement multi-factor authentication (MFA)
- Use Positive Pay for all payments
- Initiate “Zero Trust Security,” which follows the principle of “never trust, always verify”
- Implement dual authorization procedures
- Train staff on phishing and impersonation tactics
- Use email filtering and anti-spoofing tools
- Verify changes to payment requests through trusted, secondary channels
- Monitor email logs for unusual activity
- Restrict access to sensitive financial systems
- Regularly update and patch software systems
- Have an incident response plan in place
Always call GRB directly if you need assistance verifying requests that feel unusual. We are happy to help!
Additional resources
To assist business owners, several independent and government resources offer guidance and tools for spotting and preventing financial fraud:
- Federal Trade Commission (FTC) – Business Resources: www.ftc.gov
- U.S. Small Business Administration (SBA) – Cybersecurity Guidance: www.sba.gov
- Better Business Bureau (BBB) – Scam Tracker: www.bbb.org/scamtracker
- Federal Deposit Insurance Corporation (FDIC) – Fraud Prevention for Businesses: www.fdic.gov
- National Cyber Security Alliance – StaySafeOnline for Businesses: staysafeonline.org
By leveraging these resources and adopting a culture of vigilance, business owners can reduce their vulnerability to financial fraud and safeguard their hard-earned assets this Cybersecurity Awareness Month. Also, be on the lookout for this year’s #BanksNeverAskThat campaign to help safeguard your personal accounts, too.