BEC Scams, the low-down: Would you knowingly transfer money from your company to a criminal or criminal group…
Of course not, right? Well I’m sure the majority – if not all of you – said no. While this may be true, would it surprise you to discover that according to a recent report by the Association for Financial Professionals, 77 percent of organisations in the USA had money moved from their accounts in 2017. 54 percent of the scams were bank wire transfers, while 34 percent relied on victims signing over cheques to attackers. In none of these incidents did anyone intentionally handed over their businesses money to criminals, instead they were tricked; tricked by none other than the rapidly expanding Business Email Compromise (BEC) scam.
BEC scams, in their most rudimentary form, rely on executives – usually Chief Executive Officers or Chief Financial Officers, getting tricked via social engineering or phishing into carrying out fake wire transfers. Attackers usually impersonate other high-level executives and business contacts in order to deceive victims.
According to an International Business Times report, Southern Oregon University lost $1.9 million in a BEC scheme. The money was intended to pay a contractor for his work on the university’s McNeal Pavilion and Student Recreation Centre. Fraudsters posing as the contractor used a fraudulent email account to trick an employee into wiring the funds to their account.
The FBI said earlier this year that BEC scams in 2017 resulted in a loss of $675M, a big jump from the year prior, when they were responsible for a loss of $360M.
According to a Feb 2017 alert from the FBI, here are two of the online tools BEC attackers use to target their victims:
Spoofing email accounts and websites: Slight variations on legitimate addresses (firstname.lastname@example.org vs. email@example.com) fool victims into thinking fake accounts are authentic. The criminals then use a spoofing tool to direct email responses to a different account that they control. The victim thinks he is corresponding with his CEO, but that is not the case.
Spear-phishing: Bogus emails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC perpetrators
Indicators of BEC spam emails
Poorly crafted emails with spelling and grammar mistakes, that include a note indicating the email was sent from a mobile device (e.g. iPhone, iPad, Android, etc.) in order to convince the recipient the mistakes can be ignored.
The wrong or an abbreviated signature line for the supposed sender.
The use of full names instead of nicknames and a language structure may not match how the supposed sender normally communicates.
That the only way to contact the sender is through email. In some cases, the emails appear to be timed to correspond with times the senior official is out of the office.
The transactions are for a new vendor or new contract.
Internal warning banners that indicate the email is spam, spoofed, or from an external source.
How to guard against BEC scams
Craft a policy for identifying and reporting BEC and similar phishing email scams.
Make sure to include the following:
When receiving unusual financial or sensitive data requests, users should verify the identity and authority of the email sender via standard (non-email) channels.
Users should hover to discover, to ensure that the email is going to the correct person. The true recipient of an email can often be verified by hovering the mouse over the address in the email header.
Users should reply by forwarding, and not by hitting the “reply” button, which helps to prevent successful spoofing attacks.
Users should report suspicious emails to security staff.
Train all executive staff as well as employees in the finance and human resource departments to identify potential BEC scam emails and follow the suspicious email policy.
Implement filters at your email gateway to filter out emails with known phishing attempt indicators and block suspicious IP’s at your firewall.
Flag emails from external sources with a warning banner.
Report BEC scams. Tax-related suspicious emails should be reported to the relevant tax authority.
CybACADEMY courses powered by GoldPhish® educates employees on the cyber risk and helps build a more secure organisation with awareness training.
Our FREE Campaign is aimed at helping smaller businesses get one step ahead of the cyber criminals with Free awareness training.