Why would a cyberthief bother with hacking your network if he can get you to wire money directly to his account? That’s the premise behind business email compromise, a form of cybercrime that’s becoming increasingly common.
A public service announcement from the FBI on business email compromise trends says that:
The BEC (Business Email Compromise)/EAC (E-mail Account Compromise) scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries.
The FBI also reported that the worldwide loss to this type of scam from 2013 to 2018 was over $12 billion.
What is Business Email Compromise?
Business email compromise is a scam in which a cyberthief compromises legitimate business email accounts in order to trick recipients into doing something they shouldn’t. Often the compromised accounts are used to request that an unsuspecting target wire funds to a seemingly legitimate account. In some cases, business email compromise attacks target personal information or forms containing personal information, such as W-2s, that can be used in identity theft.
There are several different ways that scammers perpetrate business email compromise attacks. Sometimes they use an email address that’s deceptively similar to a legitimate email address – for example “Joe@acme_company.com” instead of “Joe@acme-company.com,” posing as a company executive or supplier. If the recipient isn’t sufficiently careful, they might not notice that there’s something just a bit off about the email address.
In other cases, the cyberthief may compromise a corporate email account via malware, or steal email credentials via a spear-phishing attack on a specific individual, such as the CEO or someone in the finance department. The attacker will then send an email from the compromised account instructing the finance department to transfer funds to a particular account, perhaps waiting until the employee in question is away on business or some other opportune moment. The scammer may even use an account at a bank to which the company regularly makes such transfers, with a similar, but not identical, account number.
How to Prevent Business Email Compromise
The key to most business email compromise attacks is trust. Employees are accustomed to receiving and following directives from management and have little incentive to question these directives. Yet the key to protecting your organization from constantly evolving, highly effective social engineering attacks, including business email compromise, lies in the Zero Trust precept to “trust no one, verify everything.” With that in mind, here are a few different ways you can apply a Zero Trust approach to protection from BECs:
- Require in-person or telephone verification of any requests to transfer funds – don’t transfer funds based on an email request alone.
  N.B. When verifying transfer requests by phone, use known phone numbers, not phone numbers that appear in the email.
- Use dedicated tools to identify potentially fraudulent requests, such as flagging emails sent from an account that’s similar but not identical to the company email format, or where the email “reply to” address is different from the “from” address.
- Use technology such as Zero Trust Browsing to automatically detect and block phishing sites or have them open in read-only mode, so they cannot be used to harvest email and other credentials.
- Require multifactor authorization to change the account number of an existing client.
- Provide awareness training to individuals with wire transfer authority, so that they know how to look out for anything unusual or suspicious.
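As an added illustration of the second check above (not code from the original post or from any vendor tool), here is a small Python detector that flags the two signals the list describes: a sender domain that is a near-match for the company domain, and a Reply-To domain that differs from the From domain. The company domain, the edit-distance threshold of 2, and the sample messages are all constructed assumptions for the example.

```python
import email
import re
from email import policy

# Constructed assumption: the legitimate domain this detector protects.
COMPANY_DOMAIN = "acme-company.com"

def extract_domain(header_value):
    """Return the lowercase domain from a header such as 'Joe <Joe@acme_company.com>'."""
    if not header_value:
        return None
    match = re.search(r"@([A-Za-z0-9.\-_]+)", str(header_value))
    return match.group(1).lower().rstrip(".") if match else None

def levenshtein(a, b):
    """Edit distance; 'acme_company.com' vs 'acme-company.com' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_message(raw, company_domain=COMPANY_DOMAIN, max_distance=2):
    """Return a list of findings for a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = extract_domain(msg["From"])
    reply_domain = extract_domain(msg["Reply-To"])
    findings = []
    # Signal 1: sender domain is close to, but not exactly, the company domain.
    if from_domain and from_domain != company_domain:
        if levenshtein(from_domain, company_domain) <= max_distance:
            findings.append(f"lookalike sender domain: {from_domain}")
    # Signal 2: replies would go to a different domain than the visible sender.
    if reply_domain and from_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    return findings

# Constructed sample messages for the example.
SAMPLE_LOOKALIKE = "From: Joe <Joe@acme_company.com>\nTo: finance@acme-company.com\nSubject: Urgent wire\n\nPlease wire the attached invoice today.\n"
SAMPLE_REPLYTO = "From: CEO <ceo@acme-company.com>\nReply-To: ceo@mail-acme.example\nSubject: Vendor account update\n\nUse the new account number below.\n"
SAMPLE_CLEAN = "From: CEO <ceo@acme-company.com>\nTo: finance@acme-company.com\nSubject: Lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_REPLYTO, SAMPLE_CLEAN):
        print(analyze_message(sample) or ["no findings"])
```

A real deployment would also compare against a list of known supplier domains and normalize homoglyphs, but the two checks above are enough to surface the pattern the post describes.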
What if You’re a BEC Victim?
If you’ve already wired money to a scammer and just realized your mistake, don’t despair – there may be things you can do to get your money back. Verizon’s 2019 data breach report indicated that half of all US-based business email compromise cases ended up with 99% of the misdirected funds being returned; only 9% of compromised companies weren’t able to get any money back.
If you’ve been victimized by a BEC scam, quick action can help you get some or all of your money back. The first thing to do is notify your financial institution about what happened and ask them to contact the financial institution to which the fraudulent transaction was paid. You should also call the nearest FBI office, and report the crime or attempted crime to the FBI’s Internet Crime Complaint Center (IC3).
Business email compromise is an increasingly common type of scam. Fortunately, there are steps you can take to help your employees identify scamming attempts, and technology you can leverage to reduce the chances that a scam will succeed.
Read more: Download our free white paper to learn how to prevent social engineering attacks such as phishing, BEC and credential theft from hurting your business.