Business Email Compromise: What Every Business Needs to Know to Stay Protected
Business email compromise is one of the fastest-growing and most financially devastating cyber threats facing businesses today. At Crown Computers, we see firsthand how even well-run organizations can fall victim to deceptively simple email-based attacks — often without realizing it until real money is gone.
As a San Diego-based managed IT services provider, our mission is to help businesses stay secure, productive, and interruption-free. In this guide, we’ll break down what business email compromise is, how BEC scams work, real-world examples, and most importantly — how to implement BEC cybersecurity and protection strategies that actually work.
If you’re unsure whether your organization is protected, we strongly recommend scheduling a free 60-minute consultation with our security team. You can call 858-483-8770 or email sales@crowncomputers.com.

What Is Business Email Compromise?
Business email compromise (often abbreviated as BEC) is a sophisticated form of cybercrime where attackers impersonate a trusted individual or organization to trick employees into sending money, changing payment details, or sharing sensitive information.
So, what is business email compromise in plain English?
It’s digital fraud powered by trust.
Unlike traditional malware attacks, BEC scams don’t rely on malicious links or attachments. Instead, they rely on social engineering, psychological pressure, and realistic email impersonation — making them far more difficult to detect.
According to recent FBI and cybersecurity industry data, BEC attacks account for billions of dollars in losses annually, and the numbers continue to rise as attackers leverage AI to create highly convincing messages.
How a BEC Scam Works
A typical BEC scam follows a predictable — but dangerous — pattern:
1. Reconnaissance
Attackers research your organization using LinkedIn, company websites, vendor portals, and even social media. They identify executives, finance staff, HR personnel, and vendors.
2. Account Compromise or Email Spoofing
Using phishing, credential theft, or spoofed domains, attackers gain access to — or convincingly mimic — a legitimate email account.
3. Impersonation
The attacker pretends to be:
- A CEO or CFO
- A trusted vendor
- HR or payroll staff
- A legal representative
4. Urgent Request
The email creates urgency:
- “I need this paid immediately.”
- “We’re closing a confidential acquisition.”
- “Please update this payment information today.”
5. Financial or Data Loss
Funds are wired, payroll is redirected, or sensitive data is exposed — often without triggering any antivirus alerts.
This is why BEC cybersecurity requires more than just spam filters.

Common Signs of Business Email Compromise
Even well-trained employees can miss a BEC attempt. However, there are consistent red flags to watch for:
- Urgent or secretive payment requests
- Requests to move conversations to personal email, SMS, or WhatsApp
- Slightly altered email domains (for example: .co instead of .com)
- Changes to vendor payment instructions
- Requests that bypass normal approval processes
At Crown Computers, we train employees to verify first — not react first. One phone call can stop a six-figure loss.
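Several of these red flags can be checked automatically before a message reaches finance staff. The following is an added example, not Crown Computers' tooling: it scores one message for a near-miss sender domain, urgency wording, payment-change wording, and off-channel requests. The trusted domains, phrase lists, and the Reply-To mismatch check are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: your own and your vendors' real domains.
TRUSTED_DOMAINS = {"example.com", "vendor-example.com"}
PATTERNS = {
    "urgency": re.compile(r"\b(immediately|urgent|confidential|today)\b", re.I),
    "off-channel": re.compile(r"\b(whatsapp|sms|text me|personal email)\b", re.I),
    "payment-change": re.compile(r"\b(update|change|new)\b.{0,40}\b(payment|bank|account)\b", re.I),
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_flags(raw_message):
    """Return the list of red flags found in one plain-text message."""
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if sender not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(sender, trusted) <= 2:  # e.g. .co instead of .com
                flags.append(f"lookalike-domain:{sender}~{trusted}")
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags += [name for name, rx in PATTERNS.items() if rx.search(body)]
    return flags

# Constructed sample message, not a real email.
SAMPLE = """\
From: Pat Lee <pat.lee@example.co>
Reply-To: pat.lee@mailbox.example.net
Subject: Wire transfer

I need this paid immediately. Please update this payment information today
and text me on WhatsApp, I am in meetings.
"""
```

Calling `bec_flags(SAMPLE)` returns all five flags. A message with any flag should go to the verify-by-phone step rather than be blocked outright, since legitimate mail can trip keyword checks.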
Most Common Types of BEC Attacks
Invoice Fraud
Attackers alter legitimate invoices so payments are sent to fraudulent accounts.
CEO / Executive Fraud
Employees receive emails “from leadership” demanding immediate wire transfers or gift card purchases.
Payroll Diversion
Direct deposit information is changed, sending paychecks to attacker-controlled accounts.
Vendor Email Compromise
A trusted supplier’s email is hijacked, and customers are instructed to update payment details.
Attorney or Legal Impersonation
Scammers pose as legal counsel to pressure finance teams into confidential payments.
Each of these scenarios highlights why BEC protection must combine technology, training, and process controls.

Real-World Business Email Compromise Examples
BEC scams aren’t hypothetical — they’ve impacted some of the world’s largest organizations:
- Facebook & Google lost over $100 million to fake vendor invoices
- Toyota Boshoku Corporation lost $37 million due to fraudulent wire requests
- Healthcare organizations and school districts have lost millions through payroll and vendor scams
Small and mid-sized businesses are especially vulnerable because attackers assume security controls are weaker — which makes managed IT services essential.
How to Prevent Business Email Compromise
Effective BEC protection is layered and proactive. Here’s what we recommend at Crown Computers:
Security Awareness Training
Employees are your first line of defense. Regular phishing simulations and training dramatically reduce risk.
Multi-Factor Authentication (MFA)
MFA prevents attackers from accessing email accounts even if credentials are stolen.
Email Security & Identity Monitoring
Advanced email filtering and identity threat detection help spot suspicious logins, inbox rules, and abnormal behavior.
Payment Verification Procedures
No payment or account change should occur without verbal verification through a known contact method.
Managed IT & Cybersecurity Oversight
A dedicated IT partner ensures policies are enforced, systems are monitored, and threats are addressed before damage occurs.
If your organization doesn’t already have these safeguards in place, now is the time to act.
Why BEC Cybersecurity Requires a Managed IT Partner
BEC attacks don’t exploit software — they exploit people.
That’s why BEC cybersecurity requires:
- 24/7 monitoring
- Proactive threat detection
- Continuous employee education
- Rapid incident response
At Crown Computers, our Managed IT Services are designed to eliminate blind spots and reduce business-ending risks. From cloud security to identity protection, we help businesses operate securely without disruption.
Protect Your Business Before a BEC Scam Hits
Business email compromise is not a matter of if — but when. The organizations that avoid losses are the ones that prepare early.
If you want to:
- Evaluate your current email security posture
- Identify vulnerabilities attackers look for
- Implement proven BEC protection strategies
👉 Schedule a free 60-minute consultation today
👉 Contact Crown Computers
👉 Call us at 858-483-8770
👉 Email sales@crowncomputers.com
Crown Computers is proud to be a trusted San Diego technology support partner, helping businesses stay secure, compliant, and productive in an increasingly hostile cyber landscape.
Let’s make sure your inbox doesn’t become your biggest liability.