Consign.Tech
Cybersecurity

Email Scams Targeting Business Owners: What to Watch For and How to Stay Safe

20 August 2025  ·  6 min read

Business email compromise (BEC) is consistently ranked among the most costly categories of cybercrime globally (the FBI's IC3 reports place it at or near the top of reported losses year after year), not because the attacks are technically sophisticated, but because they reliably work against people and payment processes. The typical BEC attack doesn't involve malware or zero-day vulnerabilities. It involves a convincing email, a moment of inattention, and an action that seems routine. Understanding what these attacks look like is the first step to not falling for them.

The Most Common Attack Patterns

Supplier impersonation: an attacker monitors email communication between your company and a regular supplier. At the right moment — often just before a large payment is due — they send an email that appears to come from the supplier, informing you that the supplier's bank details have changed and providing new account details. The email looks legitimate. The timing is right. The payment goes to the attacker's account. By the time the genuine supplier follows up about the missing payment, the money is gone.

CEO or director impersonation: an employee in the finance team receives an email apparently from the managing director or CEO, asking for an urgent funds transfer. The email explains that a confidential acquisition is underway and the transfer must be done immediately and quietly. The urgency and the apparent seniority of the sender override the employee's usual caution. The transfer is made.

IT support impersonation: an employee receives an email claiming to be from IT support, asking them to verify their credentials or click a link to reset their password before their account is locked. The link leads to a convincing login page that captures their username and password. The attacker now has valid credentials for your email system and can send emails from a real account, read existing threads (which is how the payment timing in the supplier scenario above is learned), and quietly add forwarding or inbox rules so that replies never reach the victim.

Invoice fraud: a fraudulent invoice is submitted by email, often in a format that closely resembles invoices from real suppliers. Sometimes this involves a compromised supplier account sending invoices from a legitimate address. Without a verification process, the invoice gets processed and paid.

Package or delivery scams: less targeted but common, these are emails claiming a delivery has failed and requesting payment of a small customs or redelivery fee. The fee is small enough that recipients don't scrutinise it carefully. These are card-detail and credential harvesting attacks dressed as routine transactions.

Why These Work

These attacks succeed because they are engineered around human behaviour rather than technical vulnerabilities. They create urgency ("the payment must be made today"). They invoke authority ("the MD needs this done now"). They arrive at plausible times and fit into existing workflows. They look like the emails you already receive.

Attackers research their targets before launching. They may study your website to learn who your key suppliers are, read LinkedIn to understand your organisational structure, or monitor publicly available information to time their approach around known events. A press release about a new partnership, a company announcement about growth, a listed job opening for a finance role — all provide information that makes impersonation more convincing.

The Technical Defences

Some attacks can be blocked before they reach your inbox:

  • SPF, DKIM, and DMARC: as covered in a previous post, these three mechanisms (SPF and DMARC are DNS TXT records; DKIM is a signature on outgoing mail whose public key is published in DNS) make it much harder for attackers to send email that appears to come from your exact domain. Ensure all three are correctly configured and that your DMARC policy is enforcing (p=quarantine or p=reject): a policy of p=none only reports spoofing, it does not block it. Check whether your key suppliers have them configured too, which you can verify with tools like MXToolbox. Note the limit: these records protect your own domain name. They do nothing against a lookalike domain the attacker owns, or against mail sent from a supplier's genuinely compromised account, which is why the other controls on this page still matter.
  • Anti-spoofing policies in Microsoft 365 or Google Workspace: both platforms have configurable policies to flag or block emails that appear to come from internal domains but arrive from external sources — a telltale sign of impersonation.
  • Email filtering that identifies lookalike domains: attackers often register domains that look similar to legitimate ones — consign-tech.com instead of consign.tech, or c0nsign.tech with a zero instead of an 'o'. Modern email security tools scan for these patterns.
  • Multi-factor authentication on email accounts: if an attacker obtains your password through a phishing page, MFA usually stops them from using it, and it remains the single most effective technical defence against account compromise. One caveat: a phishing page that proxies the real login (an adversary-in-the-middle kit) can relay a one-time code or push approval and capture the resulting session, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys for finance and administrator accounts, and treat an MFA prompt you did not initiate as a sign that your password is already known.

The Process Defences

Technology alone is insufficient. Process controls address the human element:

  • Dual authorisation for payments above a threshold: no single person should be able to authorise a significant payment based solely on an email request. Define a threshold — perhaps ₹25,000 or whatever is appropriate for your business — above which a second authorisation is required, preferably via a different channel (phone or in-person confirmation, not reply-to-the-same-email).
  • Bank detail changes require phone verification: if a supplier emails to say their bank account has changed, call them on a number you already have, not one provided in the email, before updating your records. This single process stops supplier impersonation attacks reliably, and it works even when the email arrives from the supplier's genuine address, because an attacker sitting in a compromised supplier mailbox cannot answer that phone call.
  • New vendor onboarding checklist: new suppliers should go through a defined onboarding process that verifies their identity and bank details through multiple channels before any payment is made.
  • Out-of-band verification for urgent CEO requests: if you receive an urgent request from a senior person that seems unusual, call them. A real MD making a legitimate request will not object to a 30-second phone confirmation. If the request evaporates when you suggest calling, it was not legitimate.

Training Your Team

The most effective defence is a team that recognises these attacks. Regular training doesn't need to be elaborate — a brief monthly discussion of a real-world BEC example is more effective than an annual compliance video that people click through without reading.

Teach your team to look for:

  • Urgency and pressure — real business processes rarely require immediate action without any verification
  • Requests to bypass normal procedures — any email that asks you to skip a step that normally applies should be treated with heightened scrutiny
  • Subtle email address variations — the display name may say "Rajan Kumar" but the actual sending address may be from a different domain
  • Links that don't match their display text — hover over any link before clicking to see the actual destination URL (on a phone, long-press the link to preview it), and remember that a shortened or redirecting link hides the destination entirely
  • Unexpected attachments, especially password-protected archives or documents that request macro permissions
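The lookalike-domain and display-name checks above can be automated on incoming mail. The script below is an added example, not code from the article or from Consign.Tech: it reads a raw message's From and Reply-To headers and flags the signals the article describes, a sending domain that imitates a trusted one (hyphenated copies, a zero for an 'o', one-letter edits), a known person's name paired with the wrong domain, an email address used as the display name, and a Reply-To that points somewhere else. The trusted domains, the staff directory and the sample messages are all constructed for the demonstration.

```python
"""Triage From / Reply-To headers for the impersonation signals listed above.

Added example. TRUSTED_DOMAINS, KNOWN_PEOPLE and SAMPLES are constructed.
"""
import email
from email.utils import parseaddr
from typing import Optional

# Constructed: domains the business legitimately exchanges mail with.
TRUSTED_DOMAINS = {"consign.tech", "acme-supplies.example"}
# Constructed: display names that should only ever pair with one domain.
KNOWN_PEOPLE = {"rajan kumar": "consign.tech"}

# Single characters swapped for look-alikes, and pairs that render as one letter.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def fold(fragment: str) -> str:
    """Normalise a domain fragment so visually similar spellings collide."""
    fragment = fragment.lower().translate(CONFUSABLES)
    for pair, single in PAIR_CONFUSABLES:
        fragment = fragment.replace(pair, single)
    return fragment.replace("-", "").replace(".", "")


def forms(domain: str) -> set:
    """Comparison forms: the whole name folded, and the name minus its last label.
    'consign.tech' -> {'consigntech', 'consign'}; 'consign-tech.com' ->
    {'consigntechcom', 'consigntech'}. The overlap catches the hyphenated copy."""
    whole = fold(domain)
    stem = fold(domain.rsplit(".", 1)[0]) if "." in domain else whole
    return {whole, stem}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution away is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        for candidate in forms(domain):
            for reference in forms(trusted):
                # Short stems would match too much; require a reasonable length.
                if len(reference) >= 5 and levenshtein(candidate, reference) <= 1:
                    return trusted
    return None


def analyse(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain} resembles trusted {imitated}")
    # An address shown as the display name hides the real address in most clients.
    if "@" in display:
        findings.append(f"display name contains an address: {display!r}")
    expected = KNOWN_PEOPLE.get(display.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"{display!r} normally writes from {expected}, not {from_domain}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not the sending domain {from_domain}")
    return findings


# Constructed messages, headers only, for the demonstration.
SAMPLES = {
    "genuine": b"From: Rajan Kumar <rajan@consign.tech>\r\nSubject: Q3 invoice\r\n\r\nAttached.\r\n",
    "hyphen_twin": b"From: Accounts <accounts@consign-tech.com>\r\nSubject: New bank details\r\n\r\nPlease update.\r\n",
    "zero_for_o": b"From: Rajan Kumar <rajan@c0nsign.tech>\r\nSubject: Urgent\r\n\r\nTransfer today.\r\n",
    "webmail_md": b"From: Rajan Kumar <rajan.kumar.md@webmail.example>\r\nReply-To: rk@other.example\r\nSubject: Confidential\r\n\r\nCall me.\r\n",
    "address_as_name": b'From: "rajan@consign.tech" <mailer@webmail.example>\r\nSubject: Invoice\r\n\r\nSee attached.\r\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyse(raw) or ["no findings"])
```

None of these signals proves fraud on its own; a genuine supplier can use a new domain after a rebrand, and a genuine manager can write from a personal address. The point is that every finding is a trigger for the out-of-band check in the process section, not a substitute for it.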

What to Do If You've Been Targeted

If you suspect you have received a BEC attempt, report it internally immediately. If a payment has been made to a fraudulent account, contact your bank the same day: transfers, including international ones, can sometimes be recalled if reported within hours, and the chance drops sharply after that. File a report with the cybercrime portal at cybercrime.gov.in. If a mailbox may have been accessed, change its password, revoke its active sessions and any app passwords, and check it for forwarding and inbox rules the attacker may have added to hide replies; such rules survive a password change. Alert your IT provider or managed services partner so they can review sign-in logs for signs of further compromise.

Most importantly: don't assume that because your business is small or not high-profile, you won't be targeted. The first stage of many BEC campaigns is automated and opportunistic, harvesting mailboxes and contact lists at scale, and only then do attackers choose whom to study and impersonate. Any business that sends or receives significant payments by email is a target.