The Rise of Business Email Compromise Scams
Business Email Compromise – or BEC – is an increasingly common scam targeting U.S. and European companies that is often carried out by criminal organizations. In most cases, attackers from these organizations target employees who have access to company finances or W-2 information with the intention of tricking them into transferring money or sending data records. The deceptive techniques used to target and exploit victims vary from spear phishing and social engineering to email spoofing and computer intrusion techniques (malware).
The FBI 2017 Internet Crime report highlights growing trends in cybercrime that were seen last year. BEC – or “CEO Fraud” – led the pack in 2018, topping $676 million in victim losses. Since 2015, there’s been a staggering 1,300% growth in losses as a result of the spike in these frauds, now totaling over $3.0 billion in the past three years alone. BEC is a serious threat on a global scale that’s expected to continue to rise with the increased reliance on business email.
Anatomy of the Scam
A BEC scam can take on various forms. One common scheme, called CEO impersonation, attempts to persuade a target into wiring money for apparent business purposes. This scheme usually begins with the attacker compromising the email account of the target company’s CEO through a phishing or malware attack. The attacker then spends some time monitoring email communications to understand the company’s vendor relationships as well as the CEO’s interests, email communication style and travel plans, and only then chooses the target.
Employees from Finance or Accounts Payable – or even the Controller – are often primary scam targets. At the appropriate time, the attacker sends a phony email to the selected target from either the CEO’s inbox or a lookalike domain name (which is usually one or two letters off from the company’s true domain name). The email typically requests an immediate wire transfer to an account the attacker controls, presented as the updated account number of a trusted vendor. Unless the scheme is detected in a timely manner, transferred money is often difficult to recover.
Don’t Fall Victim
Schneider Downs recommends any number of the following procedures to help your organization develop its own effective defensive strategy against BEC and other email cyberattacks:
- Establish and enforce proper procedures and policies.
- Trust but verify.
- Scrutinize emails containing requests for wire transfers and W-2 information.
- Create email rules to flag emails where the "Reply-To" and "From" email addresses do not match.
- Promote user awareness regularly, beginning at employee onboarding.
- Incorporate checks and balances as compensating controls.
- Call previously known phone numbers to confirm transfer requests.
- Be a change agent (see something, say something!).
- Conduct simulated email cyberattacks among company employees.
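Two of the points above lend themselves to an automated mail-filter check: the "Reply-To" versus "From" mismatch rule, and the lookalike domain that is one or two letters off from the real one described in the Anatomy section. The following is an added example written for this article, not Schneider Downs' own tooling; it assumes a hypothetical company domain `example-corp.com` and a trusted vendor domain `trusted-vendor.com`, and the two sample messages are constructed for the demonstration. It parses a raw message with Python's standard `email` module, compares the sender and reply domains, and measures each against the trusted list with a Levenshtein edit distance so that a domain within two edits of a trusted one is flagged.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical domains for this example: the company's own and one trusted vendor.
TRUSTED_DOMAINS = {"example-corp.com", "trusted-vendor.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain from a header such as 'Name <user@host>'; '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain that `domain` imitates (1..max_edits edits away), else None."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if 0 < edit_distance(domain, t) <= max_edits:
            return t
    return None


def check_message(raw: bytes) -> list:
    """Return warning strings for a raw RFC 5322 message; empty list means no findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom

    # Rule 1: replies would go somewhere other than the apparent sender.
    if reply_dom != from_dom:
        findings.append(
            f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # Rule 2: either domain is a near-miss of a domain we trust.
    to_check = [("From", from_dom)]
    if reply_dom != from_dom:
        to_check.append(("Reply-To", reply_dom))
    for label, dom in to_check:
        target = lookalike_of(dom)
        if target:
            findings.append(f"{label} domain '{dom}' looks like trusted domain '{target}'")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_SPOOF = b"""From: CEO <ceo@example-corp.com>
Reply-To: CEO <ceo@examp1e-corp.com>
To: controller@example-corp.com
Subject: Urgent wire transfer

Please wire the vendor payment today.
"""

SAMPLE_CLEAN = b"""From: Alice <alice@example-corp.com>
To: bob@example-corp.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("clean", SAMPLE_CLEAN)):
        print(name, check_message(raw) or "no findings")
```

On the spoofed sample the checker reports both a Reply-To mismatch and that `examp1e-corp.com` is one edit away from the company's real domain; the clean sample produces no findings. In a production filter the trusted list would be loaded from configuration, and a finding would route the message to quarantine or add a visible banner rather than block outright, since legitimate mail occasionally uses a different Reply-To.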