Business Email Compromise Incidents Rise
By Joe Vitale, VP, Treasury Management
November 30, 2016
Of all the forms of cybercrime that affect companies today, business email compromise (BEC) has risen precipitously in recent months. According to the Federal Bureau of Investigation (FBI), from January 2015 to June 2016, there has been a 1,300 percent increase in actual and attempted fraud losses totaling $3.1 billion due to BEC, with U.S. businesses experiencing the majority of those losses.
BEC is a form of social engineering cybercrime where scammers use information they have gathered about a company to manipulate employees into transferring money into a fraudulent account.
There are five types of BEC:
- Data theft – The scammer obtains W-2 forms or a list of personally identifiable information (PII) and eventually uses those details to spoof or hack an executive’s email to request that an employee wire money.
- Business working with a foreign supplier – The scammer requests a payment to a fraudulent account in a telephone call, facsimile or email.
- Business executive receiving or initiating a request for a wire transfer – The email account of a high-level executive is compromised and used to request that another employee transfer funds. Sometimes scammers make the request directly to a financial institution.
- Business contacts receiving fraudulent correspondence – Scammers hack an employee’s email account and send requests for invoice payments to multiple vendors from the employee’s contact list.
- Attorney impersonation – Scammers pose as legal representatives and claim to be handling confidential or time-sensitive matters. Using the phone or email, they pressure their victim to quickly transfer money, usually contacting them at the end of a business day or work week, timed to coincide with the close of business of international financial institutions.
In a recent example, the Scoular Company, an Omaha-based commodities trading firm, lost $17.2 million when a scammer sent fraudulent emails in the CEO’s name to the controller, requesting wire transfers of funds. The emails referred to a potential Chinese acquisition, and the controller complied because his company was considering expansion into China. The emails were actually sent from scammers in Germany, France, Israel and Russia.
“BEC is a serious threat on a global scale,” says FBI Special Agent Maxwell Marker. The FBI believes that the scammers are members of organized crime groups from Africa, Eastern Europe and the Middle East. They target businesses across all sectors, from small and medium-size companies to large corporations, and target businesses that work with foreign suppliers or regularly perform wire transfer payments.
The scammers usually monitor their victims prior to carrying out the BEC scam. They identify the individuals and protocols necessary to perform wire transfers within a specific business environment. They also may first send “phishing” emails to victims requesting additional details about the business or targeted individuals.
“They have excellent tradecraft, and they do their homework,” Marker says. “They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud.” The FBI notes such emails are no longer easily identified by poor grammar or naïve-sounding scenarios, such as those used in past Nigeria lottery scams.
Adding to the severity of this crime, the scammers can use malware to access legitimate company emails about billing and invoices, applying company-specific details to their fraudulent requests for wire transfers.
Stop BEC before it happens
According to bankinfosecurity.com, BEC results from weaknesses in business processes more than it does from technological problems. Preventative steps taken at all levels can be highly effective in identifying and averting BEC attempts. The website recommends:
- Training employees—those on the front-line in particular—about BEC, especially about phishing scams.
- Holding requests for international wire transfers for an extended period of time.
- Verifying a wire transfer’s legitimacy before sending it.
It’s also a good idea to build a close working relationship with your bank. Make sure your bank knows your business and you know its typical banking practices, so that if something irregular happens, your bank can work with you to identify it as soon as possible.
The FBI suggests additional preventative steps, including:
- Establish a company domain name and use it for all company email accounts, rather than using free web-based email services. Register all company domains that are slightly different from the actual company domain as well.
- Be careful about what is posted to social media and company websites, especially regarding job duties, hierarchal information and out-of-office details.
- Scrutinize all email requests for funds. Be suspicious of unusual requests, including those that emphasize secrecy or pressure the recipient to take quick action.
- Use a two-step verification process to confirm money requests that may include a telephone call (using previously known numbers, not those in an email) and digital signatures on both ends of a transaction.
- Know the habits of your customers, including the details of, reasons behind and amount of payments.
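The FBI's advice above on lookalike domains and on scrutinizing fund requests that stress secrecy or urgency can be partly automated as a mail-screening check. The following Python sketch is an added example, not part of the original article; the domain `example-corp.com`, the executive name, the keyword lists and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"   # assumption: the company's real mail domain
EXECUTIVES = {"jane doe"}             # assumption: display names of payment approvers
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|remit)\w*", re.I)
PRESSURE = re.compile(r"\b(urgent|immediately|today|asap|confidential|secret)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message):
    """Return BEC warning signs in one message (plain-text parts, no decoding)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    external = domain != COMPANY_DOMAIN
    if external and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")        # e.g. one character swapped
    if external and name.lower() in EXECUTIVES:
        flags.append("executive-name-external-sender")
    if PAYMENT.search(text) and PRESSURE.search(text):
        flags.append("payment-request-with-pressure")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Subject: Confidential acquisition

Please wire $250,000 today. Keep this confidential until the deal closes.
"""
LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
Subject: Q3 invoice schedule

The vendor invoice schedule for next quarter is attached for review.
"""
```

A flagged message is a prompt for the telephone verification described above, using previously known numbers, rather than a verdict on its own.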
What to do if your organization falls victim to a BEC crime
As the FBI’s Marker notes, “the window of time to identify the fraud and recover the funds before they are moved out of reach is extremely short.” The FBI recommends the following actions if you suspect your company has been the victim of a BEC crime:
- Call your financial institution and request that it contact the corresponding financial institution where the fraudulent transfer was sent.
- Contact your local FBI office if the wire was recent. The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network, may be able to help return or freeze the funds.
- File a complaint, regardless of dollar loss, at www.IC3.gov.
- Identify your incident as “BEC” and provide a description that includes the originating and recipient locations, bank names and account numbers; any intermediary bank information; the SWIFT number; the date and amount of the transaction; other details, including “For further credit” and “In favor of” designations.
Disclaimer: The information contained within this report has been obtained from sources deemed to be reliable; however, we do not guarantee its accuracy. You should make your own independent evaluation of the relevance and adequacy of the information contained in this material and make such other investigations as you deem necessary, including obtaining legal, financial and/or tax advice.