In 2016, the FBI released a public service announcement warning that “business email compromise (BEC) scams have increased by 1,300% since 2015 and have cost businesses more than $3 billion.” This makes BEC a significant threat that businesses should be aware of in order to reduce the likelihood of becoming a victim.

What is BEC?

BEC is a sophisticated scam that targets both small and large businesses that regularly perform wire transfers and/or work with foreign suppliers. Fraudsters send employees emails that pretend to come from senior executives, carrying urgent requests for sensitive information or for unauthorized transfers of funds.
Five Scenarios of BEC:

- Business working with a foreign supplier
- High-level executive receiving or requesting a wire transfer
- Business contacts receiving fraudulent correspondence through compromised e-mail
- Business executive and attorney impersonation
- Data theft
Common Characteristics of BEC:

- Fraudsters target the individuals responsible for handling wire transfers within the organization
- Frequent use of free webmail providers such as Gmail or Yahoo
- Fraudulent emails mimic legitimate email requests
- Impersonation of a high-level executive
- Common use of the phrases “code to admin expenses” or “urgent wire transfer”
- Emails that do not contain URLs, phone numbers, or attachments
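As an added example that is not part of the original page, the following Python triage check scores a message against the characteristics listed above: a free webmail sender domain, an executive-looking display name whose address is outside the company domain, the flagged phrases, and the absence of URLs, phone numbers and attachments. The two sample messages, the company domain example.com, the executive name list and the webmail domain set are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristics drawn from the characteristics above; the domain set and titles are assumptions.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
FLAGGED_PHRASES = ("urgent wire transfer", "code to admin expenses")
EXEC_TITLES = {"ceo", "cfo", "president", "director", "controller"}
URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def bec_indicators(raw: str, company_domain: str, executives: set[str]) -> list[str]:
    """Return the BEC characteristics a single-part RFC 822 message exhibits."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    name_l = display_name.lower()
    hits = []
    if sender_domain in FREE_MAIL_DOMAINS:
        hits.append("sender uses a free webmail domain")
    looks_executive = any(e in name_l for e in executives) or bool(EXEC_TITLES & set(name_l.split()))
    if looks_executive and sender_domain != company_domain.lower():
        hits.append("executive display name but address outside company domain")
    if any(p in text for p in FLAGGED_PHRASES):
        hits.append("contains a phrase commonly used in BEC requests")
    # Attachments would make the message multipart; no URL, phone number or part means a bare request.
    if not (URL_RE.search(text) or PHONE_RE.search(text) or msg.is_multipart()):
        hits.append("no URLs, phone numbers or attachments")
    return hits


# Constructed sample messages (not real traffic).
BEC_LIKE = (
    "From: Jane Doe CEO <janedoe.ceo@gmail.com>\n"
    "To: ap@example.com\nSubject: Urgent wire transfer\n\n"
    "Process an urgent wire transfer today and code to admin expenses. "
    "I am in a meeting, do not call.\n"
)
ROUTINE = (
    "From: Vendor Billing <billing@vendor.example>\n"
    "To: ap@example.com\nSubject: Invoice 1042\n\n"
    "The invoice is available at https://vendor.example/inv/1042\n"
)

if __name__ == "__main__":
    for label, raw in (("bec_like", BEC_LIKE), ("routine", ROUTINE)):
        print(label, bec_indicators(raw, "example.com", {"jane doe"}))
```

A message matching several indicators is a candidate for the out-of-band verification step described in the best practices below, not proof of fraud on its own.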
Best Practices to Protect Your Organization from a BEC Attack:

Businesses should increase awareness and understanding of BEC fraud among employees so that their organizations are less likely to become victims. The following is a list of self-protection best practices and strategies:

- Establish a company domain name and use it for e-mail accounts instead of free, web-based accounts.
- Be cautious about what is posted on social media and company websites, specifically information regarding job duties/descriptions, hierarchical information, and out-of-office details.
- Consider additional security procedures, such as implementing a 2-step verification process. For example:
  - Establish other communication channels, such as telephone calls, to verify important transactions.
  - Require both entities to use digital signatures.
- Report and delete any spam from unknown parties.
- DO NOT open spam e-mail or click on any links or attachments.
- Beware of any suspicious requests or abrupt changes in business practices.
- Register company domains that are only slightly different from the actual company’s domain.
- Verify changes in vendor payment location by implementing a two-factor authentication step, such as requiring a secondary sign-off.
- Thoroughly review all e-mail requests for transfers of funds to determine whether the requests are legitimate.
For additional information, visit www.justice.gov and see the publication “Best Practices for Victim Response and Reporting of Cyber Incidents”.
References:

- https://www.ic3.gov/media/2016/160614.aspx
- https://www.symantec.com/connect/blogs/business-em...