SCAM ALERT – BUSINESS EMAIL COMPROMISE SCAM
Be absolutely sure that email came from the correct and authorized sender before you send the wire…
A serious cyber email scam has been making the rounds, affecting more than seven thousand (7,000) businesses in the United States and exposing hundreds of millions of dollars to potential theft[i]. According to the FBI, “The Business Email Compromise (BEC) scam is defined as a type of sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” [ii] The BEC scam (also referred to as email account compromise (EAC)) is of great concern to businesses and an example of the success cyber-criminals are having at applying easily attainable or publicly available information to social engineering scams.
Corporate or publicly available email accounts of executives or other targeted employees authorized to work with wire transfer payments are spoofed or compromised through keyloggers or phishing attacks to commit fraudulent transfers, resulting in substantial monetary losses.
ARE YOU SURE THAT EMAIL CAME FROM YOUR BOSS OR ANOTHER AUTHORIZED PERSON? MAKE SURE BEFORE YOU OPEN THE EMAIL AND DEFINITELY BEFORE YOU SEND THE WIRE…
BEC scam attackers (fraudsters), formerly called “Man-in-the-Email” scam attackers, rely heavily on social engineering tactics to trick unsuspecting employees and executives. Many times, the BEC scam attackers fraudulently represent themselves as an authorized representative of a company to complete wire transfers. These attackers are also careful about their research and closely monitor their potential target victims and the target organizations.
DO YOU KNOW ABOUT THE BUSINESS EMAIL COMPROMISE (BEC) SCAM (ALSO KNOWN AS EMAIL ACCOUNT COMPROMISE (EAC))?
Also, according to the FBI, “some of the sample email messages have subjects containing words such as request, payment, transfer, and urgent, among others. According to the FBI, there are 5 types of BEC scams:
- The Bogus Invoice Scheme – Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
- CEO Fraud – Attackers pose as the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to an account the attackers control.
- Account Compromise – An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
- Attorney Impersonation – Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Normally, such bogus requests are made through email or phone, and at the end of the business day.
- Data Theft – Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.
Because these scams do not have any malicious links or attachments, they can evade traditional solutions. Employee training and awareness can help enterprises spot this type of scam.” [iii]
Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices.
There are many versions of this scam; however, one of the most concerning is this: the scammer hacks into the email account of the authorized representative of the company (or creates an email address whose domain looks similar to the company e-mail domain, so that it appears to be from the authorized representative of the company) and sends a fraudulent email requesting that a wire be sent immediately. The email is sent to the financial department (if the attackers have hacked the account, they can determine who usually receives wire transfer requests), and the correct individual in your organization then promptly sends the wire, relying on the fraudulent email. The timing of the request will typically coincide closely with the wire cut-off – heightening the “emergency” nature of getting the wire out and leaving little time to double-check the accuracy of the request.
HOW DO YOU PROTECT YOUR BUSINESS FROM BUSINESS EMAIL SCAMS? EMPLOYEE TRAINING AND AWARENESS TO SPOT THE FRAUDSTERS AND PREVENT THESE SCAMS IS RECOMMENDED.
What can you do? The FBI has issued various tips on how to protect yourself, but one easy way is as follows: have your company start a policy of requiring verbal and/or fax confirmation of all wire transfers. The policy would require the initial written direction be received by email, but before the wire will be initiated your authorized employee would fax and/or call the person directing the wire and receive a secondary verbal confirmation, preferably live confirmation and not simply a voicemail. This may slow down the process but it will also stop the scam in its tracks.
Some other recommendations from the FBI:
- Create intrusion detection system rules that flag e-mails with domains that are similar to the company e-mail domain. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
- Register all company domains that are slightly different than the actual company domain.
- Verify changes in vendor payment location by adding additional two-factor authentication, such as having a secondary sign-off by company personnel.
- Confirm requests for transfers of funds. When using phone and/or fax verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
- Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
- Conduct employee security awareness training and implement other security protection policies and programs to ensure your business and employees implement and maintain careful business practices to avoid being victims to these and other types of cybercrimes and scams.
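The lookalike-domain rule in the first recommendation above can be expressed as a small detection check. The following Python is an added example, not from the FBI guidance or this alert; the company domain abc_company.com is the page's own illustration, and the From: header lines and the character-swap table are constructed for the demonstration:

```python
from email.utils import parseaddr

# Hypothetical company domain, taken from the page's own example.
COMPANY_DOMAIN = "abc_company.com"
# Constructed table of character swaps commonly seen in lookalike domains;
# '_' and '-' are folded together because that is the exact case in the text.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "_": "-"})

def normalize(domain: str) -> str:
    """Lower-case, fold digit/letter lookalikes and '_'/'-', and fold 'rn' to 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small value means the names are near-identical."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify(from_header: str, company: str = COMPANY_DOMAIN, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for one message's sender."""
    dom = sender_domain(from_header)
    if not dom:
        return "lookalike"  # malformed or empty address: treat as suspicious
    if dom == company.lower():
        return "legitimate"
    a, b = normalize(dom), normalize(company)
    # Also flag names that merely contain the company name (abc-company.com.example.net).
    if a == b or levenshtein(a, b) <= max_distance or b.split(".")[0] in a:
        return "lookalike"
    return "external"

# Constructed sample From: headers (not from any real incident).
SAMPLE_HEADERS = [
    "CFO <cfo@abc_company.com>",
    '"CFO" <cfo@abc-company.com>',
    "CFO <cfo@abc_c0mpany.com>",
    "Accounts Payable <ap@abc_company.com.example.net>",
    "Vendor <billing@supplier.example>",
]

def flagged_senders(headers=SAMPLE_HEADERS) -> list:
    """Headers the rule would hold for manual (phone/fax) verification."""
    return [h for h in headers if classify(h) == "lookalike"]
```

The rule is intentionally one-sided: it only decides which messages get held for the out-of-band confirmation the policy above requires, and an exact match with the company domain still says nothing about whether that mailbox itself was compromised.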
For more information on the Business Email Compromise (BEC), the FBI periodically issues updates online that are recommended for your review. Cybersecurity insurance is also becoming more common and is a good protection to consider for all types of businesses, so contact your broker for more information about this insurance protection.
If you feel you have been a victim of this scam or should you have any questions about cyber scams, please contact Waltz, Palmer & Dawson, LLC at (847)253-8800 or contact us online.
Waltz, Palmer & Dawson, LLC is a full-service law firm with various areas of service to assist your business, including: Employment Law, Intellectual Property, Commercial Real Estate, Business Immigration, Litigation and general Business Law services. Individual services include Estate Planning, Wills and Trusts, Probate, Guardianship, Divorce and Family Law.
This article constitutes attorney advertising. The material is for informational purposes only and does not constitute legal advice.
To subscribe to our business e-newsletter, please send an email request to www.info@navigantlaw.com.
References Used for this Article:
[i], [ii] Federal Bureau of Investigation Alert Number I-082715a-PSA
[iii] https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
[iv] https://www.scmagazineuk.com/social-engineering-social-media-compounding-threat/article/1474508