You are here

Business Email Compromise On The Rise – Plan To Be Attacked

 

Business email compromise is significantly impacting businesses in Manufacturing, Distributing and Retail. Did you know? And more importantly—are you ready?

Business email compromise (BEC) is the criminal use of email to misdirect any kind of payment by impersonating a legitimate individual or business. The FBI reported over $12 billion in potential losses domestically and internationally from October 2013 to May 2018 from email compromise fraud.[1] Between 2016 and 2018 alone, the number of BEC incidents has more than doubled, as reported in a Suspicious Activity Report (SAR).

WHO’S AT RISK FOR EMAIL ATTACKS?

BEC schemes target organizations that:

  • Routinely conduct large wire transfers
  • Use email to communicate regarding the wires
  • Engage in automated clearing house transfers or gift cards
    • Recently convertible virtual currency has been added to the list

The Financial Crimes Enforcement Network (FinCEN) Financial Trend Analysis shows that fraudulent vendor or client invoices now account for 39% of BEC frauds compared to 2017, when 33% of BEC fraud was through compromised email accounts of executives. The bad actors used techniques called computer intrusions (specialized malware), social engineering (spear phishing or spoofed emails), and sending an email that fraudulently directs funds to criminal-controlled accounts to conduct these attacks.

2018 BEC SCAM METHODS BY THE NUMBERS

  • Fraudulent vendor/client invoices increased to 39% in 2018, up from 30% in 2017
  • Impersonating CEO declined from 33% in 2017 to 12% in 2018
  • Impersonating an outside entity made up 20% in 2018

 BEC FACTS

  • Fraudulent vendor/client invoices increased to 39% in 2018, up from 30% in 2017
  • Impersonating CEO declined from 33% in 2017 to 12% in 2018
  • Impersonating an outside entity made up 20% in 2018

WHAT CAN YOU DO TO INCREASE EMAIL PROTECTION?

Establishing a strong system of payment transfer controls can greatly reduce your risk of being compromised and enhance cybersecurity. Here are 10 key tips to get started:

1. Create a Payment Method Identification System

Start by inventorying the methods in which funds leave your business.

2. Create/Enhance Your Policies

Ensure internal policies/procedures address each payment method. This should include identifying who in the organization is responsible for controls over that function and describing control procedures.

3. Identify and Address Gaps

Have documented procedures to follow for verifying wire requests and payment account accuracy. Review documented procedures and identify/remediate process gaps.

4. Separate Payments Entry From Vendor Management

Centralize payments to a limited group that is separate from the vendor management function. Vendor management personnel should have access to change vendor contact and payment information, while payment personnel should only remit payment to vendor information that is already on file. Any vendor-requested changes should go through the vendor management personnel to investigate and verify with the vendor contacts on record that such change requests are legitimate.

5. Pick Up the Phone

Verify all requested changes in payment method or location (account), whether received by email or a phone call. Call the requesting party directly using contact information that is already on file to confirm the change request is legitimate. 

6. Separate Payment Entry Request and Approval

Payments should have dual control before remittance. Separate responsibility for requesting a wire payment and authorizing said payment.

7. Establish Routines of Payment Methods and Frequency for Significant Vendors

Payment personnel should review the payment request compared to known routines. Be suspicious of requests that appear off schedule.

8. Use Email Spam Filters

Although not as effective for spear phishing compromises, use email spam filters to potentially identify spoofed or fraudulent emails.

9. Enhance Vendor Contract Language

Add language to significant vendor contracts identifying the only acceptable methods of communication and payment information, and how changes are to be communicated.

10. Create Security Awareness and Training Programs

Train all your employees clearly and repeatedly on BEC frauds and the evolution of the methods to commit such fraud. Some of the more common email threats are[2]:

  • Bogus Invoice – The fraudster will request to wire funds to an alternate, fraudulent account.
  • Executive Scam – The fraudster spoofs an email impersonation from a high-level executive who claims to be handling a confidential or time-sensitive matter that requires an urgent, immediate wire transfer to a bank.
  • Account Compromise – The email account of an employee is hacked and messages are sent to vendors from the employee’s contact list requesting payment to a fraudster-controlled bank account.
  • Attorney Impersonation – The fraudster contacts employees of a company and identifies themselves as a lawyer who is working on a confidential or time sensitive matter where the employee is told to act quickly and secretly in the handling of the funds. This is usually done at the end of the day or week, when an employee is ready to leave the office and is vulnerable to panic.
  • Data Theft – Compromise of Human Resource employees’ emails that are used to obtain personally identifiable information about employees or executives, which is then used for more damaging BEC attacks against the company.

[1] FinCEN Advisory FIN-2019-A005, July 16, 2019

[2]https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/business-email-compromise-bec-schemes