Protect Yourself: Business Email Scams Are On The Rise
In August, the FBI announced that an increasingly common email scam, called BEC (Business Email Compromise), has caused over $750 million in losses for 7,000 US companies between October 2013 and August 2015.
BEC targets small, mid-sized and large businesses alike. It is different from traditional email “Phishing” scams, which often contain malware designed to infect victims’ files in order to gather passwords and financial information.
BEC thieves, on the other hand, create customized, individual emails containing urgent requests for payments, usually through wire transfer. The senders use details such as names, dates, addresses, or knowledge of prior transactions. This data can be gleaned from previous system intrusions, from hacked email, from company websites, and/or from social media used by the company or its employees.
How BEC Works:
Thieves send emails that spoof existing vendors or company executives. Here are three main versions of the scam, as reported to the US Government’s Internet Crime Complaint Center (IC3):
- Bogus Invoice Scheme: Thieves spoofing a regular supplier ask a business to wire invoice payments to a fraudulent account. If the request is made via email, it will take very close scrutiny to know that it is fraudulent. Likewise, if the request is made via phone or fax, the thieves will closely mimic the legitimate source.
- CEO Fraud: Email accounts of high-ranking executives are compromised (spoofed or hacked). From this kind of email account, requests for fund transfers are sent to the appropriate employee. It was even reported that fund transfer requests were sent to the financial institutions involved, using spoofed requests from company executives with whom the bank was familiar.
- Payment Requests from Hacked Employee Email Accounts: Thieves send invoicing emails from hacked employee accounts, requesting payment from customers (usually repeat customers) to fraudulent bank accounts. Often businesses are not aware of the crime until they contact the customers about unpaid invoices.
Warning Signs & What You Can Do to Protect Your Business
Note these common BEC Characteristics and our recommendations for how to avoid this attack:
3 Common Targets:
Businesses and employees that use free or open-source email:
Don't Use Free Web-based Email: Have your own protected, domain-based email accounts for all company communication and for each employee who uses email for any company function.
Specific employees who handle wire transfers, especially to overseas suppliers:
Payment processes can be more vulnerable these days because of the increased use of electronic communications and processing. Use 2-Step Authentication (via live conversation) to verify significant transactions.
Employees who use Personal Email Accounts for Business:
Personal accounts are usually easier to hack, since they are often outside a company’s network security. Often, personal accounts are used for weekend work from home or by traveling employees. Company policies should prohibit any use of personal email for business transactions, especially financial ones, and employers should have emergency communication processes involving payments.
Common BEC Characteristics to watch for:
A sense of urgency or “immediate payment” request:
Even though the days of “30-60-90” day terms appear to be waning, payment requests should match existing terms, especially with regular suppliers. Any sense of unusual pressure deserves a second, careful look, and probably a phone call.
Also, watch out for phrases: “code to admin expense” and “urgent wire transfer,” as found in a number of the scam emails.
Hard-to-Detect Spoofed Emails, but mailed to the “Right” Employee:
These may appear to come from a legitimate domain’s email address, but closer scrutiny will often reveal a difference of just one letter. Plus, further investigation revealed that many of the IP addresses traced back to free domain registrars. Proper email server protection and filters may block some of these scam emails.
You can take steps to bar thieves from emailing the “right” employee. Refrain from publishing employee email addresses, position duties and descriptions, or hierarchical info on your public website, especially for those executives and employees who oversee or handle payments.
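The checks described above (a sender domain one letter off from a real supplier's, the “code to admin expense” and “urgent wire transfer” phrases, and changed payment details) can be applied automatically to incoming mail. The following is an added example, not code from the original article or from Cratin Computing; the trusted domains and the sample message are constructed, and it assumes plain-text, single-part messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: domains this business legitimately exchanges invoices with.
TRUSTED_DOMAINS = {"acme-supply.example", "ourcompany.example"}
# Phrases the FBI alert cited in this article found in a number of the scam emails.
SUSPICIOUS_PHRASES = ("code to admin expense", "urgent wire transfer")

def edit_distance(a, b):
    """Levenshtein distance; a lookalike domain is typically one edit away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain):
    """Return the trusted domain that `domain` imitates (one letter off), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if edit_distance(domain, t) == 1), None)

def bec_warning_signs(raw_email):
    """List the warning signs found in one plain-text (single-part) RFC 822 message."""
    msg = message_from_string(raw_email)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    signs = []
    imitated = lookalike_domain(from_domain)
    if imitated:
        signs.append(f"sender domain {from_domain!r} is one letter off from {imitated!r}")
    if reply_domain and reply_domain != from_domain:
        signs.append(f"Reply-To {reply_domain!r} differs from the sender domain")
    signs += [f"contains scam phrase {p!r}" for p in SUSPICIOUS_PHRASES if p in text]
    if re.search(r"\b(new|changed|updated) (bank|account|wire)\b", text):
        signs.append("announces changed payment details")
    return signs

# Constructed message in the style the article describes (lookalike domain, urgency, new account).
SAMPLE_EMAIL = """\
From: Accounts Payable <invoices@acme-suply.example>
Reply-To: invoices@mail-box.example
Subject: Invoice 4471 - urgent wire transfer

Please code to admin expense and send today to our updated bank account.
"""
```

`bec_warning_signs(SAMPLE_EMAIL)` flags all five signs; a message from the real supplier with ordinary wording returns an empty list. A flagged message is a reason to pick up the phone, not proof of fraud.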
Well-worded Language and Specific Details, e.g. payment amounts:
Makes it tough to discern fraud, doesn’t it? But remember that the thieves work hard to make these details accurate. If they don’t come from your website or social media, then they came from something you should be protecting from hackers, like your network and email systems. Some scam victims have reported network security issues that preceded the BEC activities. These problems included cyber intrusions and Ransomware attacks. That’s why your data and communications should be maintained and protected by an IT specialist or support company (yes, right, like Cratin Computing).
Scam Email Dates that Coincide with Executive/Employee Travel Dates:
Implement company policies that keep travel dates and other employee-specific details off the web and out of all but the most necessary electronic communications. If you advertise your presence at a conference or tradeshow, especially via social media, then be sure to have your multi-step payment authentication processes in place before travel time.
Further Important Steps:
Use Encryption: It should be used by entities on either side of transactions. This won’t work for web-based email, however, and some countries ban or limit encryption.
Delete/Don’t Open Spam: Be sure, too, that your email system is properly protected. Malware can give potential BEC thieves access to sensitive details.
Use “Forward” instead of “Reply” Option in Business Emails:
Then type the correct recipient address in yourself (or choose it from your own contacts file) in case the original email was sent from a spoofed address. Yes, it’s an extra step, but worth it, especially for financially related emails.
Verify all significant changes in business practice:
Again, pick up the phone. Question changes or unusual behavior, like the sudden use of a personal or unfamiliar email account, payment term changes, any sense of pressure, etc.
Additional new measures are included in the FBI’s updated report on this current alert, which is registered as I-082715a-PSA.
Additional Source: “Business Email Compromise,” FBI Alert # I-012215-PSA