Skip to Content

Hackers Are Now Breaking Into Your Purchase Orders

The word 'password' is pictured on a computer screen in this picture illustration taken in BerlinThe word 'password' is pictured on a computer screen in this picture illustration taken in Berlin

Business owners beware: hackers are finding new ways to use your email against you.

As financial institutions have gotten smarter about fraudsters conducting account takeovers, cybercriminals are going directly after businesses, breaking into their email accounts and manipulating purchase orders.

The attacks, reported last week by the Wall Street Journal, are more sophisticated than previous efforts. As it is, businesses still fall prey to email scams that involve hackers using phony email accounts to pose as company executives and suppliers.

In the new breed of attacks, cybercriminals gain access to an entire email chain by hacking into either a buyer or seller’s email account. They scan for high-value transactions, according to network security firm SecureWorks, which first documented the trend, and then set up an automatic relay that forwards all new correspondence between a buyer and a seller to the fraudsters first. Ultimately, hackers alter legitimate purchase orders as they are emailed, instructing the buyer to wire payment to a fraudulent bank account.

Such attacks are on the rise as criminals have shifted their tactics, moving away from targeting banks, which have gotten better at detecting fraud, to smaller businesses, which typically are poor at detecting hack attacks, says Julie Conroy, research director for Aite Group, a research and advisory firm specializing in financial services.


The attacks are exacerbated by a general small business reliance on Webmail, cloud-based email programs that are cheaper than dedicated email servers, and easier to compromise, SecureWorks says.

“As long as they can get access to one side’s email, they can pull this off,” says Joe Stewart, director of malware research for SecureWorks, based in Atlanta.

In the U.S. alone, more than 14,000 businesses have lost close to $1 billion since 2013, according to a June report from the Federal Bureau of Investigation. There has been a 1,300% increase in reports of such crimes since 2015, the FBI says.

Here are five things that experts says small-business owners can do to protect themselves.

1. Create strong passwords for all of your accounts and never reuse them for other accounts. Hackers have been able to compromise business accounts following break-ins at sites with lots of users, such as Twitter, where they snag usernames and passwords, and then try them elsewhere.

2. Double-check any emailed request for payment. The best way to do that is pick up the phone and call to verify the payment request or purchase order, Conroy says. Don’t use email, as that may already be compromised. Often the emails relayed by the hackers differ from the real ones by only one letter or symbol, which makes it difficult to spot them as fraudulent. “When you do see a new set of payment information via email, take the time to pick up the phone and call the person that sent it,” Conroy says.

3. After an attack, act fast. If your computers have been compromised by malware, you may need to call in a forensics team to find out how it’s affected your network. That can be a costly endeavor, costing upwards of $15,000, Conroy says.

4. Install business grade malware and spyware software. Symantec, McAfee and Webroot all offer products that can help spot suspicious behavior, security experts say.

5. Use a virtual private network (VPN) or require two-factor authentication for your email server. VPN software provides a secure connection into your network. Two-factor authentication requires users to provide an extra layer of identifying information when logging in. You might also consider changing to a dedicated email server. A dedicated server would cost upwards of $5,000 to purchase outright, says Stewart, who adds such servers can also be rented from providers for between $5 and $100 a month. “[These things] will go a long way toward keeping out low-level hackers,” Stewart says.

Another resource business owners may want to consider is the Small Business Administration, whose website has a free tutorial page about cybersecurity.