Business Email Compromise (BEC)
Evolving business email compromise (BEC) financial wire transfer fraud scams are on the rise, costing businesses billions of dollars annually. Businesses of all sizes can be targeted and fall victim to these crimes. The best way to protect your business is to have a good understanding of how these crimes are committed and to train your employees to be on the lookout for these scams.
In this crime, the scammers go to great lengths to compromise or spoof business email, or use social engineering to assume the identity of the CEO, an executive, the company attorney, or a trusted vendor or customer. The crime is completed when the victim business is tricked into conducting a wire transfer of funds to the criminals' account.
The criminals do their homework to develop a good understanding of the victim's normal business practices. Statistics indicate that victims in these crimes provide a wide variety of different goods or services and belong to no specific business sector.
All BEC scams involve some form of deception. Frequently the scammers have compromised the email system and will spoof an email to start the scam. The crooks often use just a one-letter difference in an email address to trick the victim into sending funds to the crook's foreign bank account. But there are many variations on this scam to look out for.
Awareness is key:
- Watch out for spoofed email accounts and websites. These could be slight variations on the legitimate email address, with just a one-letter alteration to the employee name or company name. Everything could look exactly like previous email messages you have seen. They often mirror past messages with the company logo, format and names you recognize.
- Spear-phishing email – fake email messages believed to be from a trusted co-worker, vendor or customer prompting the victim to provide information.
- Malware – used to attack the company network and gain access to the email system. This malware can be used to access passwords and other company data that can be used to obtain financial information.
- Phone calls from new vendor account contacts, customers or individuals representing a financial institution.
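The one-letter lookalike addresses and executive-name spoofing described above are what a mail gateway or SOC rule can flag before a wire request reaches anyone. The following is an added example, not code from the original article or from CFISA: it holds a message for out-of-band verification when the sender domain is within two edits of a trusted domain, or when the display name matches an executive but the address is external. The trusted domains, executive name and sample headers are constructed assumptions.

```python
# Added example: flag inbound mail whose sender domain is a one- or two-character
# variation of a trusted domain, or whose display name claims an executive while
# the address is external. All domains, names and headers are constructed samples.
from typing import List, Optional

TRUSTED_DOMAINS = {"example-corp.com", "trusted-vendor.com"}  # assumed allow-list
EXECUTIVE_NAMES = {"jane doe"}                                # assumed CEO name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, max_edits: int = 2) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= max_edits:
            return trusted
    return None


def bec_indicators(display_name: str, from_addr: str) -> List[str]:
    """Reasons a message should be held for phone/out-of-band verification."""
    reasons = []
    domain = sender_domain(from_addr)
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles trusted domain {imitated}")
    if display_name.strip().lower() in EXECUTIVE_NAMES and domain not in TRUSTED_DOMAINS:
        reasons.append(f"display name '{display_name}' claims an executive but address is external")
    return reasons


# Constructed sample headers: legitimate, "rn" swapped for "m", and a free-mail
# address borrowing the CEO's display name.
SAMPLES = [
    ("Jane Doe", "jane.doe@example-corp.com"),
    ("Jane Doe", "jane.doe@exarnple-corp.com"),
    ("Jane Doe", "ceo.janedoe@freemail.example"),
]

if __name__ == "__main__":
    for name, addr in SAMPLES:
        print(addr, "->", bec_indicators(name, addr) or ["no indicators"])
```

The edit-distance threshold is deliberately small so that unrelated vendors are not flagged; a real deployment would also pair it with SPF/DKIM/DMARC results on the same message.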
8 Ways to protect your company from BEC fraud scams
- Every business needs strong internal prevention processes and procedures when dealing with all EFT requests. In many cases, a simple direct confirmation phone call would prevent these crimes from occurring. Any request for the transfer of funds needs to be reviewed by more than one employee.
- All EFT requests should be held for a period of time with strict external verification procedures. Any request for sensitive data or EFT transfers that involves secrecy or quick action should be viewed as suspect.
- Use the “forward” option on suspect email messages instead of “reply” or “reply all”. By forwarding the message to the sender you increase the likelihood that you will use the legitimate email address from your address book and not a spoofed address from the original email.
- Review and restrict information on company websites and social media that provide information on job duties and the hierarchy of the company.
- Beware of vendor or supplier account changes and arrange a backup method of authentication early in the relationship away from email to avoid interception by the hacker.
- Always utilize a backup alternative method to authenticate the request and verify prior to sending funds or data. Verify all phone numbers and any changes in the process or account information separately and institute a phone call verification as part of the two-factor verification process.
- Educate employees and provide ongoing security awareness training.
- If you suspect you were victimized in a BEC scam, notify your bank immediately and speak to a bank manager and the fraud department. Your funds might be recovered if you act quickly.
The value of security awareness training
This is another crime where security awareness training can help to reduce risk. Ensuring that all employees are aware of these crimes will help to stop this crime from happening. Being aware of new crimes and scams in the news is a part of security awareness training. Ensuring that employees are aware of this scam will greatly reduce the likelihood that your company will be victimized.
The Center for Information Security Awareness (CFISA.com) has been providing online and on-site security awareness training since 2007. CFISA security awareness training stresses the importance of educating employees to help reduce company risk and protect against these types of crimes.