We’ve all received an email that seemed a little suspicious or made an unusual request for financial or personal information. Most consumers know to delete these emails right away because they’re likely a scam. But what if you received an email from your CEO or CFO, and it sounded just like them? What if they asked you to do something you were expecting to do anyway—such as pay a bill? What if they mentioned their children’s names and other personal details?
Welcome to the new world of Business Email Compromise (BEC). In this growing form of cybercrime, fraudsters impersonate a business email—usually someone in an executive position—and then contact an employee to ask for a wire transfer or employee information. These phishing scams increased an astounding 2,370% between 2015 and 2016, and caused $5.3 billion in losses, according to the FBI.
“The group at largest risk are small- to medium-size businesses (SMBs),” says Cary Scardina, a supervisory special agent with the Federal Bureau of Investigation’s Cyber Division in Washington, D.C. “I’ve seen small businesses get hit with losses from $45,000 to several million; it can be devastating, depending on the size of the company.” Fortunately, there are steps businesses can take to reduce their risk of becoming a BEC victim—and the work starts with simply being aware.
When Scardina describes BEC, he narrows the crime down to one word: Impersonation. At the core of the scam, cybercriminals are simply impersonating an employee’s boss or company finance executive. “But it’s now of a higher quality than in years past,” Scardina says.
These are not emails from far-away royalty who need your employees’ help. Instead, BEC fraudsters are hacking into employee email accounts and then conducting sophisticated surveillance, sometimes for weeks or more. The attacker will track email traffic to learn how a person talks, how wire transfers and other requests are made—even what nicknames employees might use for each other.
When it comes time to conduct the actual crime, a fraudulent email may come from either an authentic (compromised) account or a spoofed one. With a spoofed account, the domain is slightly off: for example, a business name may contain an extra letter, or an email address might add a period between the first and last name. The attackers then ask the recipient to make a wire transfer payment—and include instructions for how to do so.
Increasingly, the cybercriminals are phishing for company W-2 information, which they use to file fraudulent tax returns. The IRS noted that more than 200 companies—which translates to hundreds of thousands of employees—were compromised by such scams last year.
Scardina says that SMBs are prime candidates for business email compromise wire transfer and W-2 email fraud. “That’s where you can have the intersection of high-dollar amounts and lower IT security,” he says. The real estate industry has witnessed much of the BEC activity, largely because of the transactions realtors and others involved are conducting. But the criminals aren’t picky.
Scardina has also seen medical offices, law firms and even pig farms targeted by these spoofed email schemes. In many cases, the companies don’t catch the fraudulent transfer for a few days. These cases are time-sensitive, and by then it can be hard to reverse the transfer or trace the money before it is broken up and divided among multiple overseas accounts.
So how do you keep your SMB safe from BEC scams? As with many things, the best defense is a good offense. Scardina and the FBI offered the following guidance for reducing your risk of becoming a BEC victim:
1. Verify money transfer requests.
Institute a company policy that requires employees to verify requests for wire transfers—ideally with a phone call authentication. This is especially vital if the transfer request is deemed urgent by the email sender, Scardina says. In addition, advise employees to not discuss the details of wire transfers or bank accounts over email and to confirm any changes in the process with the bank or vendor.
2. Implement detection systems.
Task your IT team with creating a system that flags emails from domains that closely resemble your own, since these are the domains an attacker would register as look-alikes. Another helpful control is a mail rule that automatically flags emails in which the “Reply-To” address differs from the “From” address. Also, be aware of the external applications your employees are connecting to from their computers by implementing a Cloud Access Security Broker (CASB) application.
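The two mail-rule checks described above, as an added example that is not part of the original article: a sender domain that is a near miss for the company’s own (extra letter, dropped letter, or a look-alike character swap) and a Reply-To that points somewhere other than the From domain. The company domain and the message headers are constructed for illustration.

```python
# Added example (not from the article): flag two BEC indicators in a message's
# headers: a look-alike sender domain and a Reply-To that differs from From.
from email.utils import parseaddr

# Assumed company domain for the example; messages below are constructed.
COMPANY_DOMAIN = "example-corp.com"

# Small illustrative table of character swaps that read like the real letter.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalize(domain):
    """Lower-case the domain and fold common look-alike substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Extract the domain part of a header such as 'CFO <cfo@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2]

def bec_flags(headers, company_domain=COMPANY_DOMAIN):
    """Return the reasons this message should get a warning banner or a hold."""
    flags = []
    sender = domain_of(headers.get("From", ""))
    if sender and sender != company_domain:
        dist = edit_distance(normalize(sender), normalize(company_domain))
        if dist <= 2:  # near miss: extra/dropped letter or a confusable swap
            flags.append(f"look-alike sender domain: {sender}")
    reply_to = headers.get("Reply-To")
    if reply_to and domain_of(reply_to) != sender:
        flags.append(f"Reply-To domain differs from From: {domain_of(reply_to)}")
    return flags

if __name__ == "__main__":
    # Constructed sample: 'rn' in place of 'm', plus an off-domain Reply-To.
    sample = {"From": "CFO <cfo@exarnple-corp.com>", "Reply-To": "cfo@webmail.invalid"}
    print(bec_flags(sample))
```

In a real deployment the distance threshold and the confusable table should be tuned against your own mail flow, and flagged messages should be banner-tagged or held for the verification step rather than silently dropped.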
3. Educate your employees.
Run simulated social-engineering tests, and ensure that your employees are aware of BEC warning signs. Red flags that an email may be fraudulent include any message that provides wire information, requests changes to existing payment information, asks for expedited payment, or asks for W-2 information. “Flagging these should just be automatic,” Scardina says. “Employers should have a policy for how to do so.”
If you do suspect you’ve been a victim of BEC, Scardina says the first thing to do is to call the financial institution that sent the wire. In some cases, the bank can initiate a recall of the funds. Then call the FBI and file a report at IC3.gov. That way the FBI can track the details of your case. Lastly, have your employees change their passwords to their email and any other company networks.
4. Adopt a passphrase.
Using longer passwords and changing them on a regular basis seems like a given. But the traditional standards for passwords encourage people to use a single, difficult-to-remember password across all of their accounts. Great news! New research shows that rather than having a complicated mixture of special characters, numerals and capitalizations, using a passphrase is more secure and easier to remember. Longer passwords containing multiple upper- and lower-case words are more secure. Consider choosing something relevant to you (like a book title) that wouldn’t be public knowledge. This lightens the “memory burden” on users, making them more inclined to follow this security best practice.
Change your passphrases on a regular basis. The new version can be similar to the previous phrase, for example from “thesunalsorisesinJAN” to “thesunalsorisesinFEB.”
Business email compromise remains on the rise—and the cyber criminals are only getting smarter. Take these precautions to educate your employees against threats and prevent your business from losing time, money and more to an email scam.
Business email compromise scams are on the rise, costing $5.3 billion in losses since 2013. To reduce your risk: