Beware: Business Email Compromises are on the Rise

There are many forms of fraud in the world today, yet email continues to prove itself as the most inexpensive and popular method for distributing fraudulent messages to potential victims. Studies show that approximately 90% of all email sent worldwide are spam, spoofing or phishing attempts.

Business Email Compromise (BEC) is a sophisticated form of email spoofing used by attackers to target businesses that work with foreign suppliers or that regularly perform wire transfer payments. These types of scams involve the attacker pretending to be you by sending other people fake emails from your email address. These emails appear to be genuine and since the corporate email domain is being spoofed, it makes it hard for email filters to identify the bogus email as malicious.

What’s different about this email spoofing scam is that the attacker attempts and succeeds to send an email from a verified email address from your organization—usually a senior member of the staff such as a CEO, CFO, etc.—to a financial controller within your business. The details of the email, which often include official company email templates, logos and email signatures, explain the requirement for an urgent bank transfer to be carried out to external bank accounts for various seemingly legitimate reasons.

According to the FBI, between October 2013 and August 2015, business email compromise affected 7,066 US businesses, netting criminals an estimated $747 million. Fraudsters use the method most commonly associated with their victim’s normal business practices. Most victims reported using wire transfers as a common method of transferring funds for business purposes. However, some victims reported using checks as a common method of payment.

In case you receive any emails which you do not expect, please DO NOT open or execute any attached files. All email requests for a transfer of funds should be carefully scrutinized to determine if they are out of the ordinary. It is also recommended that organizations always confirm requests for transfer of funds, along with using some form of two-factor authentication for approval of transfers, such as having a secondary sign-off person. It is also helpful to register all company domains that are slightly different than the actual company domain to help minimize spoofing attempts.

If funds are transferred to a fraudulent account, it is important to act quickly. Contact your financial institution immediately upon discovering the fraudulent transfer, along with your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds. You can also file a complaint, regardless of dollar loss, with www.IC3.gov.

Educating your employees to the threats that exist are an important part of securing your business from these form of cyber incidents. Contact MA Polce Consulting today to learn how Security Awareness Training can benefit your security posture.