Protect your Business from Business Email Compromise
Business email compromise (BEC) is an increasingly common cyberthreat that has been utilized by fraudsters to target businesses across the United States.
Though the scam is fairly simple, it has succeeded against businesses of all sizes and industries by capitalizing on one weak link that all of these companies have in common: email. The scam generally unfolds along these lines:
- The scammer targets a company that conducts transactions with vendors abroad or outside of the organization.
- The scammer uses malware to identify the employees who handle transactions and those who control the company's finances.
- The scammer sends a targeted email to a lower-level employee impersonating the CEO or another executive, timed while that executive is out of the office, requesting a wire transfer or tricking the employee into revealing confidential information (often by getting them to click a link or download an attachment).
- The employee or vendor then unsuspectingly makes the transfer to an account that is controlled and owned by the scammer.
- Before the breach is discovered, the scammer launders the stolen funds through accounts that are difficult to trace.
It is easy to assume that your employees can read between the lines and determine whether a request is legitimate. However, scammers use well-practiced techniques to exploit even the most skeptical employees. Here are a few of the tactics scammers use to persuade an employee that a transfer is valid:
- Spoofing an email account. Scammers set up email accounts with addresses designed to make an employee believe they are authentic. For example, if a fraudster is trying to impersonate CEO John Doe of XYZ Corporation, they will create an email address that looks like John.Doe@xyzcorp.com or J.Doe@ceo.com. The goal is for the employee not to give the address a second look while corresponding with the scammer.
- Malware. By using malware, scammers can insert themselves into existing business email threads that cover financial topics. From inside those threads the fraudster can request a wire transfer or submit an invoice at a plausible moment, without alerting the accountant to anything suspicious.
- Urgent matter, ASAP, Need it now! Most fraudulent requests carry an underlying message of urgency, giving the impression that time is of the essence. If the employee believes the transfer is a direct order from upper management, they may feel pressured and act without fully considering how unusual the situation is. By the time the employee realizes the mistake, it is too late and the funds are gone.
Your strongest line of defense against business email compromise is promoting awareness throughout your company. If your employees are educated on the tactics and warning signs of a business email compromise, they are less likely to act on a fraudulent request. Here are some strategies you can employ in your business to safeguard you and your team against BEC scams:
- Flag email addresses that are similar to your company's address. If your company's addresses end in xyz_corp.com and an email arrives from an address ending in xyz-corporation.com, it should be flagged.
- Ensure that all external emails are flagged or differentiated from internal emails in a noticeable fashion.
- Secure your wire transfer process with at least a two-step verification process, such as requiring a secondary sign-off or phone verification before funds are released.
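The following check is an added example implementing the first two strategies above; it is not code from the original post. It tags external senders, flags sender domains that match the company's domain once separators are stripped or that sit within a couple of edits of it, and notes when an executive's display name arrives from outside the company. The company domain, the executive list and the sample addresses are assumed values chosen to match the page's examples.

```python
"""Flag external, lookalike-domain and executive-impersonating senders."""
from email.utils import parseaddr

COMPANY_DOMAIN = "xyz_corp.com"     # assumed: the page's example company domain
EXECUTIVES = {"john doe"}           # assumed: display names worth protecting


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _normalize(domain: str) -> str:
    """Drop the TLD and separators so xyz_corp.com and xyz-corporation.com compare on the name."""
    name = domain.lower().rsplit(".", 1)[0]
    return name.replace("-", "").replace("_", "").replace(".", "")


def classify_sender(header_from: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'internal' or a comma-joined list of warning flags for a From: header."""
    display, addr = parseaddr(header_from)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == company_domain.lower():
        return "internal"
    flags = ["external"]
    ours, theirs = _normalize(company_domain), _normalize(domain)
    # Lookalike: identical once separators are stripped, our name extended with
    # extra characters, or within two single-character edits of our name.
    if theirs == ours or theirs.startswith(ours) or _levenshtein(ours, theirs) <= 2:
        flags.append("lookalike-domain")
    # An executive's display name on a non-company address is the CEO-fraud pattern.
    if display.strip().lower() in EXECUTIVES:
        flags.append("executive-name-external")
    return ",".join(flags)


if __name__ == "__main__":
    # Constructed sample From: headers, not real mail.
    for sender in ("john.doe@xyz_corp.com", "John Doe <J.Doe@xyz-corporation.com>",
                   "John Doe <J.Doe@ceo.com>", "billing@vendor-example.com"):
        print(f"{sender:45} -> {classify_sender(sender)}")
```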
Taking preventative measures and educating your employees are the best ways to ensure your business doesn't fall for a business email compromise. If you ever suspect that your business is the victim of a BEC scam, immediately report the incident to law enforcement or to the Internet Crime Complaint Center.