How South Bend Small Businesses Can Reduce the Risk of Email-Based Payment Fraud
The word cybersecurity gets thrown around a lot. Along with it come statistics, warnings, and — if we’re honest — enough noise to make the whole topic feel distant and not particularly relevant to a small business in South Bend.
Ransomware gets most of the media attention. And it deserves some of it — the FBI’s 2025 Internet Crime Report recorded thousands of ransomware complaints in the US last year, with immeasurable losses from lost business, time, wages, files, equipment, or any third-party remediation services. It’s real, and it’s serious.
But most small business owners hear that and think: that’s not me. Everyone has a firewall and antivirus, right? We use common sense, access data through third-party secure portals, and don’t click on links we don’t recognize. We’re too small to be interesting to a scammer.
Maybe. But the threat that actually hits businesses most often doesn’t look like a dramatic cyberattack. It doesn’t announce itself. And it doesn’t require a sophisticated hacker.
So What Is Business Email Compromise And How Does It Affect South Bend?
The FBI defines Business Email Compromise — BEC — as a scam where fraudsters get access to a legitimate business email account, through social engineering or by breaking into the account, and use it to redirect money. No flashy malware or a ransom note. Just a familiar-looking email with the wrong bank details.
In 2025, BEC cost American businesses $3.0 billion. That’s not a typo. $3.0 billion, second only to investment fraud in total losses reported to the FBI.
And because it relies on trust — on emails that look completely normal, from people you recognize — it works. Over and over again.
Here’s What Happened to One Business
An employee went out for the evening and lost their phone. They didn’t notice for hours and when they did, it didn’t seem like a major work issue. It was their personal phone. No sensitive work files were stored on it – just their work email.
What they didn’t know was that someone found the phone, got past the lock screen, and accessed a work email account that was already logged in. They found an outgoing invoice, changed the bank account details, and forwarded it on to the customer. The customer recognized the email, recognized the contact, and paid it.
Nobody knew anything was wrong until the next day, when the finance team made routine follow ups for outstanding payments. One customer said that they had already sent a large wire the day before which the finance team had no record of. They realized quickly that the customer had received a revised invoice which, if you didn’t look carefully, looked like a real invoice but had altered bank account details.
Verizon’s 2025 Data Breach Investigations Report found that nearly 40% of attacks involve suspicious logins—in other words, someone using access that already exists, not breaking in, and that 88% of BEC payments are sent via wire transfer.
This One Had a Happy Ending. Most Don’t.
The company got lucky. The transfer had been flagged by the bank and had not yet been processed. The customer was able to stop the payment and redirect the payment to the correct account. That outcome is rare. Most of the time, by the time anyone realizes what has happened, the money is gone. Wire transfers are difficult to reverse.
And once you start asking questions, more uncomfortable questions follow. Who else got an email from that account while it was open? Were there other invoices? Other customers? Other conversations that should have stayed private?
What Can You Actually Do About It?
No one can completely stop cybercrime. But there are practical steps that can be taken to reduce risk for small businesses in South Bend:
- Set email session timeouts
Most email clients stay logged in indefinitely by default. You can change that. In Microsoft 365, session timeout policies can be configured through the admin center so that inactive sessions are signed out automatically after a defined period. In Google Workspace, session controls under the Admin Console allow you to set how long a user stays signed in before re-authentication is required.
- Use the device management tools you may already have
If your business uses Microsoft 365, you have access to Microsoft Intune — a mobile device management (MDM) tool that lets you apply security policies to any device accessing company email, including personal phones. If you use Google Workspace, Google’s built-in endpoint management works the same way. Both allow you to remotely wipe corporate data from a lost or stolen device without touching the owner’s personal photos or apps.
- Know what to do in the first few minutes
When a phone goes missing, most people’s first instinct is to hope it turns up. The right instinct is to report it to whoever manages your IT immediately, so that the email session can be terminated and the device locked or wiped. Every minute of uncertainty is a minute of open access.
These are not expensive fixes. They’re not even particularly technical. But they need to be in place before something goes wrong.
If you’re not sure what you currently have set up, contact us for more information. We serve South Bend, Bremen, Elkhart, Granger, Mishawaka, Plymouth & the entire Michiana region.