Business email compromise scams (BECs) typically combine spear phishing, email spoofing, social engineering, and occasionally malware, and have steadily grown into a prolific problem for businesses of all sizes, resulting in massive losses to the tune of several billion dollars.
Here’s the breakdown on what each does:
- Malware: Used to infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to minimize suspicions of an accountant or financial officer when a request for a fraudulent wire transfer is made. Malware also allows criminals undetected access to a victim’s data, including passwords and financial account information.
- Spear-phishing: Bogus emails believed to be from a trusted sender prompt victims to reveal confidential information to the perpetrators.
- Spoofing e-mail accounts and websites: Slight variations on legitimate addresses (firstname.lastname@example.org vs. email@example.com) fool victims into thinking fake accounts are authentic. Then, the criminals direct email responses to a different account they control.
Of the increasing amount of BECs, they are often CEO spoofing emails aimed at wire fraud. CEO email fraud is a scam in which a series of bogus emails from a company’s CEO, CFO or other senior executive is sent to persuade the targeted employee to quickly transfer funds into fraudulent accounts in a manner that bypasses the usual safeguards.
Here are a few ways you can safeguard your business:
- Add additional two-factor authentication to verify changes in vendor payment location, such as having secondary sign-off by company personnel or using phone verification to confirm requests for transfers of funds (use previously known numbers, not the numbers provided in the email request).
- Create intrusion detection system rules that flag emails with extensions similar to company email. For example, legitimate email of abc_company.com would flag fraudulent email of abc-company.com. Also, flag emails where the "reply" email address is different from the “from” email address.
- Color code virtual correspondence, so emails from employee/internal accounts are one color and e-mails from non-employee/external accounts are another.
- Exercise restraint when publishing information about employee activities online (ex. company websites or social media accounts) which can provide valuable information for attackers who perpetrate these types of schemes.
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary. If it doesn’t seem right, it might not be right — so double-check.
If you or your company fall victim to a BEC scam, it's important to act quickly. Contact your bank immediately and request they contact the financial institution receiving the fraudulent transfer. Next, call the FBI, and also file a complaint—regardless of dollar loss—with the FBI's Internet Crime Complaint Center (IC3). To learn more this and other cyber scams, visit our Cybersecurity Center.