A new business email fraud scheme has recently emerged that every business should be aware of. Business Email Compromise (BEC) is a sophisticated international effort that targets businesses working with foreign suppliers and businesses that regularly perform wire transfer payments.
BEC is a growing threat throughout the world and has resulted in losses totaling over $3.1 billion. According to the FBI's IC3 Team, from October 2013 to May 2016, there were 14,032 victims of BEC in the United States alone. Criminals committing BEC usually target a business based on information they are able to find via both open-source channels (company websites, social media profiles, etc.) and closed-source channels (compromising an individual's email or compromising a customer of that business).
Here are several sample scenarios that your company should watch out for:
• CEO Fraud: A C-Suite employee’s email is compromised or spoofed, and an email is sent to an authorized employee to wire funds to a fraudulent account, usually overseas and with an innocuous description (Consulting, Services, Payment, etc.).
• Legitimate Transfer Fraud: A customer planning to make a payment via transfer receives an email, supposedly from the payee, with “revised instructions”, instructing the funds be wired to a different account.
• Invoice Fraud: A vendor with whom the customer has a long-standing relationship receives a false invoice, sent from a compromised email account, requesting payment to a fraudulent account.
Businesses can protect themselves from falling victim to BEC by taking a few simple security measures:
• Requiring any internal wire transfer request received by email to be confirmed in person by the individual sending the request.
• Flagging any email received from outside of the business with a displayed warning if the email system supports it (“This email originated from outside of XYZ Company”).
• Forwarding emails instead of replying. A reply goes back to whatever address the message was set up to return to, which may be one the criminal controls. By forwarding the email and inserting the recipient’s name from the company address book, you can be sure it is going to the right person.
• Requiring strong passwords that are changed often and never written down.
• Utilizing antivirus and antimalware to detect and protect against intrusions into company networks and email systems.
• Educating and training employees to recognize potential threats arriving via email (such as suspicious messages or unexpected attachments).
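As an added illustration (not part of the original article, and not any vendor's product), the script below shows how a mail gateway or helpdesk tool could implement two of the measures above, the external-sender banner and the "forward, don't reply" advice, and at the same time catch the CEO-fraud and "revised instructions" patterns from the scenario list. The company domain, the list of executive names, the wire-transfer keyword list, and all three sample messages are constructed for this example and are not taken from the article.

```python
"""Flag inbound mail that shows the tell-tale signs of a BEC attempt.

Added example, not code from the original article. Everything below
(domain, executive names, keywords, sample messages) is constructed.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "xyz-company.example"   # assumption: our own mail domain
EXECUTIVES = {"jane doe", "john smith"}   # assumption: names likely to be impersonated
WIRE_KEYWORDS = ("wire", "transfer", "payment", "invoice", "bank account")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (or the single body)."""
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    return msg.get_payload()


def analyze(raw: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    return {
        # External-sender banner: anything not from our own domain.
        "external": from_dom != INTERNAL_DOMAIN,
        # Why the article says forward instead of reply: a Reply-To on a
        # different domain than From silently redirects your answer.
        "reply_to_mismatch": bool(reply_addr) and _domain(reply_addr) != from_dom,
        # CEO-fraud pattern: an executive's display name on an external address.
        "exec_name_external": (from_name.strip().lower() in EXECUTIVES
                               and from_dom != INTERNAL_DOMAIN),
        # Payment language raises the priority for a manual, in-person check.
        "wire_language": any(k in text for k in WIRE_KEYWORDS),
    }


def banner(findings: dict) -> str:
    """Warning text a gateway would prepend to the message ('' if clean)."""
    lines = []
    if findings["external"]:
        lines.append("This email originated from outside of XYZ Company.")
    if findings["exec_name_external"]:
        lines.append("Sender name matches an executive but the address is external.")
    if findings["reply_to_mismatch"]:
        lines.append("Replies would go to a different domain than the sender; "
                     "forward instead of replying.")
    if findings["wire_language"] and (findings["external"] or findings["reply_to_mismatch"]):
        lines.append("Payment instructions received by email must be confirmed in person.")
    return "\n".join(lines)


# Constructed sample 1: CEO fraud from a look-alike domain ('rn' for 'm').
CEO_FRAUD = """From: Jane Doe <jane.doe@xyz-cornpany.example>
To: accounts.payable@xyz-company.example
Subject: Urgent wire transfer

Please wire 48,000 USD today to the account below. Description: Consulting.
"""

# Constructed sample 2: 'revised instructions' with a diverted Reply-To.
REVISED_INSTRUCTIONS = """From: Accounts <billing@trusted-vendor.example>
Reply-To: billing@trusted-vendor-invoices.example
To: accounts.payable@xyz-company.example
Subject: Revised payment instructions

Our bank account has changed, please send the invoice payment to the new account.
"""

# Constructed sample 3: ordinary internal mail, should produce no banner.
INTERNAL_MAIL = """From: John Smith <john.smith@xyz-company.example>
To: team@xyz-company.example
Subject: Lunch on Friday

Anyone up for lunch?
"""

if __name__ == "__main__":
    for name, raw in [("CEO_FRAUD", CEO_FRAUD),
                      ("REVISED_INSTRUCTIONS", REVISED_INSTRUCTIONS),
                      ("INTERNAL_MAIL", INTERNAL_MAIL)]:
        print(f"== {name}\n{banner(analyze(raw)) or '(no warnings)'}\n")
```

The checks are deliberately header-only and keyword-based so they run without any mail-filtering infrastructure; in a real deployment the "external" decision would also take SPF/DKIM/DMARC results into account, and the banner would be added by the gateway rather than by a script, but the logic of what to look for is the same.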
Cybercriminals have demonstrated their ability to craft convincing fraudulent emails and to trick unsuspecting recipients. By taking a few basic security measures, businesses can improve their chances of deflecting these emails and keeping these criminals at bay.