
Business Email Compromise


Business Email Compromise (BEC) is an emerging cyber threat that targets businesses, government entities and other organizations in Florida and across the country. Every year, companies lose millions of dollars to BEC scammers who use deception and social engineering techniques to convince employees to wire large sums of money to bank accounts controlled by criminals. According to the FBI, BEC scams have increased 1,300% since January 2015, with identified losses topping $3 billion.

BEC is a complex and multifaceted scam, often carried out by transnational organized crime groups that may employ linguists, lawyers, hackers and experienced social engineers. Unsuspecting employees, usually working in the finance department, are tricked into wiring money to the perpetrators, usually in response to fraudulent invoices or fake requests for funding by their employer.

Business Email Compromise schemes can vary between groups and may be tailored to the company that is being scammed, but often share similar planning and characteristics:
 
  1. The organized crime group selects a business to target and begins reconnaissance. This may include exploiting publicly available information they find online, such as net worth, employee listings and executive profiles.
  2. In some cases, the bad actors will employ a phishing email campaign, usually directed at employees in the finance or accounting departments, to attempt to gain access to the network. They may also call these departments to establish communication with employees who have access to company funds, with the aim of manipulating and deceiving them. This grooming activity may take place over days or weeks.
  3. In other cases, they may create fake email addresses that look like legitimate business emails from within the company or from other businesses that have dealings with the target company.
  4. Through deception and/or grooming, the targeted victim is convinced that he/she is conducting a legitimate business transaction with the bad actors. The perpetrators then make a request for money and provide information on where to wire the funds.
 
The unsuspecting victim wires the money as instructed and the money is steered towards accounts controlled by the organized crime group. From this point, if the fraud hasn’t been identified, the perpetrators may try to groom the victim into sending more money.
 
It is important to keep in mind that if the scam is not exposed quickly, it may be difficult or impossible to recover any losses. These scams can be complex and employ many convincing actors to make a request seem legitimate. There are several steps you can take to spot a BEC scam before it’s too late:
 
  • Carefully scrutinize all email requests for funds transfers to determine if the requests are out of the ordinary. Compare invoices to verify that goods and services were actually rendered.
  • Set up your email server to display a warning on incoming email messages when the sender is external to your network.
  • Create intrusion detection rules that flag emails whose sender domain closely resembles the company's own domain. (For example, the legitimate abccompany.com vs. the fraudulent abc-company.com.)
  • Verify any change in a vendor's payment location by contacting the vendor by phone or at a previously known official email address (for vendors you have done business with before) before acting on the change.
  • Do not only rely on email to make contact with management or vendors. Diversify the way that you communicate.
  • Add an extra layer of authorization by requiring a secondary sign-off from other company personnel on all monetary transactions.
  • Provide social engineering awareness training to personnel.
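Two of the measures above, the external-sender warning and the rule that flags lookalike sender domains, can be implemented together at the mail gateway. The script below is an added illustration written for this page, not code from the original page or from any vendor; the company domain, vendor domain and inbound messages are constructed sample values. It normalizes a sender domain (dropping inserted hyphens and dots, collapsing common look-alike characters such as "rn" for "m" and "1" for "l"), measures edit distance against the trusted domains, and chooses a warning banner based on both the From: and Reply-To: headers, since a forged message may show a familiar From: address while steering replies elsewhere.

```python
"""Lookalike-domain and external-sender banners for inbound mail (added example)."""
import re
from email.utils import parseaddr

# Constructed sample values (not from the original page): the organisation's
# own domain and the domains of vendors it pays.
COMPANY_DOMAIN = "abccompany.com"
VENDOR_DOMAINS = {"acme-supplies.net"}
TRUSTED_DOMAINS = {COMPANY_DOMAIN} | VENDOR_DOMAINS

# Single characters commonly swapped for ones that look alike in many fonts.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "i": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Collapse the tricks used to build a lookalike domain so that
    'abc-company.com', 'abccornpany.com' and 'abccompany.com' compare equal."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")   # two-letter pairs that mimic one letter
    d = d.translate(_HOMOGLYPHS)                  # digit/letter look-alikes
    return re.sub(r"[.\-_]", "", d)               # inserted or removed dots and hyphens


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From:/Reply-To: header value, ignoring the display name."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_domain(domain: str, max_distance: int = 2) -> str:
    """Return 'internal', 'vendor', 'lookalike' or 'external' for one sender domain."""
    if domain == COMPANY_DOMAIN:
        return "internal"
    if domain in VENDOR_DOMAINS:
        return "vendor"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, normalize(trusted)) <= max_distance:
            return "lookalike"
    return "external"


_SEVERITY = {"internal": 0, "vendor": 1, "external": 2, "lookalike": 3}


def banner_for(message: dict) -> str:
    """Decide which warning banner the mail server should prepend to the message.

    Both From: and Reply-To: are checked; the more severe verdict wins.
    """
    headers = [message.get("From", "")]
    if message.get("Reply-To"):
        headers.append(message["Reply-To"])
    worst = max((classify_domain(sender_domain(h)) for h in headers), key=_SEVERITY.__getitem__)
    if worst == "lookalike":
        return "[WARNING: sender domain resembles a trusted domain - verify by phone before acting]"
    if worst == "external":
        return "[EXTERNAL SENDER]"
    return ""


# Constructed sample inbound messages for the demonstration.
SAMPLE_MESSAGES = [
    {"From": "CFO <cfo@abccompany.com>", "Subject": "Q3 forecast"},
    {"From": "CFO <cfo@abc-company.com>", "Subject": "Urgent wire today"},
    {"From": "Billing <ar@acme-supp1ies.net>", "Subject": "Updated bank details"},
    {"From": "cfo@abccompany.com", "Reply-To": "cfo@abccornpany.com", "Subject": "Re: invoice"},
    {"From": "newsletter@example.org", "Subject": "Weekly digest"},
]


def review(messages=SAMPLE_MESSAGES):
    """Return (subject, banner) for each message; the banner is '' for internal and vendor mail."""
    return [(m["Subject"], banner_for(m)) for m in messages]


if __name__ == "__main__":
    for subject, banner in review():
        print(f"{banner or '[ok]':<85} {subject}")
```

The edit-distance threshold of 2 is deliberately loose so that a one-character typosquat of a long domain is caught; for very short trusted domains it should be tightened to avoid flagging unrelated senders, and the vendor list should be the same one used by accounts payable so that a banner fires on exactly the domains whose payment instructions matter.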
 
BEC scams have proven to be very lucrative to criminals and it is likely that they will continue to pose a threat. By staying aware of the ways that criminals exploit and deceive, as well as using technology to spot suspicious communications, you can protect your business against this scam and others.