As the world becomes more reliant on digital means of communication, payment and storage, it is important to keep up to date with best practices for reducing exposure and risk. This article focuses on one of the newer threats in cyber fraud, the business email compromise, and offers practical tips for preventing this attack and others.
The Business Email Compromise
Since 2013, the Federal Bureau of Investigation (FBI) has been tracking what are commonly referred to as “business email compromise,” or BEC, scams. BEC scams target both large and small companies in the United States and more than 100 countries around the world. The FBI’s Internet Crime Complaint Center estimates that these scams have already created losses totaling over $3 billion.
While most people are familiar with the traditional email scam, a random request for money from an unknown address, BEC scams are sophisticated attacks that are much harder to detect. In a BEC scam (one common variant is called CEO fraud or CEO impersonation), criminals first gain access to a company's email accounts or network and then spend weeks or even months monitoring its billing systems, its usual clients and vendors, and the way its employees write, so that the eventual request looks routine to an unsuspecting victim.
After gathering this information, the criminal sends an email requesting an immediate wire transfer to an account the criminal controls. The email may come from a real employee's compromised mailbox or from a look-alike address that differs from the genuine one by a single character or by its domain. Because the criminal has read the earlier correspondence, the request usually refers to specific prior conversations, which makes it appear genuine. If a victim does initiate the transfer, it is imperative to act quickly: contact the sending bank at once to request a recall of the funds and report the incident to the FBI's Internet Crime Complaint Center.
How to Avoid or Deal with a BEC Scam
Because these scams are only a few years old, courts are still developing precedent for handling them, so there is little case law to guide victims. It is therefore best to put safeguards in place that keep the scams from succeeding in the first place.
Below are some methods that the FBI has recommended as potential safeguards against BEC scams:
- Confirm every request to transfer funds through a second, independent channel: call the person making the request at a phone number already on file from previous dealings, never a number supplied in the email itself. TIP: Do not confirm by replying to the email, since that mailbox is likely monitored or operated by the criminal. The phone call is the out-of-band check.
- Require a secondary sign-off from designated company personnel before any change to a vendor's payment details (bank account or remittance address) takes effect.
- Implement email rules that flag messages whose “Reply-To” address differs from the “From” address, and messages whose sending domain is a near match for a legitimate one (for example, if the legitimate domain is FBI.gov, mail from FEI.gov should be flagged).
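The two header rules above are easy to get wrong in a mail filter (for instance, comparing display names rather than addresses, or matching only exact domain strings). The following added example, which is not part of the original article or any FBI tooling, shows one way to apply both rules to a raw message: it compares the bare `From` and `Reply-To` addresses, and it flags any domain within one edit of a legitimate domain after folding common look-alike character pairs (`rn` for `m`, `1` for `l`). The legitimate-domain set and the sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumption for this example: the organisation's real mail domains.
LEGITIMATE_DOMAINS = {"fbi.gov"}

# Character sequences that look alike in many fonts; folded before comparison.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def address_of(header_value):
    """Return the bare, lower-cased address from a header such as 'Jane <jane@fbi.gov>'."""
    return parseaddr(header_value or "")[1].strip().lower()


def domain_of(address):
    """Return the part after the last '@', or '' if there is none."""
    return address.rsplit("@", 1)[1] if "@" in address else ""


def normalize(domain):
    """Fold common look-alike sequences so 'rnicrosoft' compares equal to 'microsoft'."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance: the minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legitimate=LEGITIMATE_DOMAINS, max_distance=1):
    """True if domain is not one of ours but is within max_distance edits of one."""
    if not domain or domain in legitimate:
        return False
    folded = normalize(domain)
    return any(edit_distance(folded, normalize(d)) <= max_distance for d in legitimate)


def flag_message(raw_message):
    """Apply the two header rules to one RFC 822 message and return the flags raised."""
    msg = email.message_from_string(raw_message)
    from_addr = address_of(msg.get("From"))
    reply_to = address_of(msg.get("Reply-To"))
    flags = []
    # Rule 1: a Reply-To that differs from From sends the victim's answer elsewhere.
    if reply_to and reply_to != from_addr:
        flags.append("reply-to-mismatch")
    # Rule 2: a domain one keystroke away from ours (FEI.gov standing in for FBI.gov).
    for header, addr in (("From", from_addr), ("Reply-To", reply_to)):
        if is_lookalike(domain_of(addr)):
            flags.append("lookalike-domain:" + header)
    return flags


# Constructed sample messages for the example (not real traffic).
LEGIT = "From: Jane Doe <jane.doe@fbi.gov>\nSubject: Q3 report\n\nAttached.\n"
REPLY_TO_HIJACK = ("From: Jane Doe <jane.doe@fbi.gov>\n"
                   "Reply-To: Jane Doe <jane.doe@webmail.example>\n"
                   "Subject: Urgent wire\n\nPlease send today.\n")
LOOKALIKE = "From: Jane Doe <jane.doe@fei.gov>\nSubject: Urgent wire\n\nPlease send today.\n"

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("reply-to", REPLY_TO_HIJACK), ("lookalike", LOOKALIKE)):
        print(name, flag_message(raw) or "clean")
```

A flag from either rule should route the message for manual review rather than block it outright: genuine mail from ticketing systems often sets a different `Reply-To`, and the edit-distance check will also catch a legitimate partner whose domain happens to be one character away. The point is to force the phone verification described above, not to replace it.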
Tips to Improve Cybersecurity
While you will hopefully never encounter a BEC scam, you are exposed to various cybersecurity threats every day. Below are some useful tips that will help ensure that you are doing your best to secure your business/personal information.
Tip #1 – Protect
Protect against viruses, malware, spyware and similar threats. Make sure every computer runs antivirus software that is updated routinely so that it can recognise new threats.
Tip #2 – Secure
Secure your networks. Use firewalls to limit what traffic can reach your systems, and use encryption to protect data as it crosses the network.
Tip #3 – Educate
Establish security practices and educate your employees on them. Create cybersecurity policies that address issues such as how employees handle personally identifiable information and other sensitive data. These policies should also cover employees' personal cell phones if they use them to access work email and data.
Tip #4 – Backup
Routinely back up all important business data and keep your devices' software updated. Secure your devices and never leave them unattended; physically lock up phones, laptops and tablets when they are not in use so that they cannot be lost or stolen. Make sure every device, including USB flash drives, is encrypted so that the information on it stays protected if the device is lost or stolen.
This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.