06 Jul What is Business Email Compromise and Why is it Costing Businesses so much Money?
According to the FBI, business email compromise (BEC) scams are the most damaging and effective type of cyber crime, accounting for over $1.77 billion in losses in 2019.
Last year, the FBI’s Internet Crime Complaint Center (IC3) received 23,775 Business Email Compromise (BEC) / Email Account Compromise (EAC) complaints. BEC/EAC is a sophisticated scam targeting both businesses and individuals performing a transfer of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
BEC/EAC is constantly evolving as scammers become more sophisticated. In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.
Often accounts are compromised for weeks or months until the scammer has enough information to craft a successful scam. Over time they may gain access to multiple communication channels such as email, company chat, or a collaboration tool.
In 2019, the IC3 observed an increase in the number of BEC/EAC complaints related to the diversion of payroll funds. In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account.
Q1 2020 has shown significant increases and opportunistic changes in fraudulent activity due to covid-19 and the increase in remote workers. The scams continue to shift as social changes expose opportunities for fraud.
According to the quarterly report from Abnormal Security, an email security company. They reported a shift in 2020 from individual to group BEC attacks, indicating that campaigns with more than 10 recipients were up 27% compared to Q4 2019. Attackers also adjusted their targets, with attacks on finance employees increasing more than 75% as attacks on C-Suite executives decreased by 37%. This illustrates a trend away from paycheck and engagement fraud and toward payment fraud, specifically invoice fraud attacks, which increased more than 75%.
Bolster, an internet security company that builds artificial intelligence and machine learning technology reports nearly a four-fold increase in phishing sites between January and March of 2020.
The IC3 provides the following guidance to avoid becoming a BEC Victim:
- Employees should be educated about and alert to this scheme. Training should include preventative strategies and reactive measures in case they are victimized. Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII in response to any emails.
- Monitor their personal financial accounts on a regular basis for irregularities, such as missing deposits.
- Ensure that all Operating Systems and third party software solutions are fully patched on a regular basis.
- Verify the email address used to send emails, especially when using a mobile or handheld device by ensuring the senders email address appears to match who it is coming from.
- Ensure settings of employees’ computers are enabled to allow full email extensions to be viewed.
- Never make any payment changes without verifying with the intended recipient; verify email addresses are accurate when checking mail on a cell phone or other mobile device.
Additional recommendations from NPI:
- If a request seems unusual confirm the request verbally. If you use the same communication channel from which you received the request the scammer may be the one responding to your confirmation. They may have access to multiple communication channels within your organization.
- Since employee action or inaction is linked to the bulk of cyber events implement a cyber training and testing program. NPI has self-managed as well as comprehensive training and testing programs that also simulate phishing attacks.
- Executives need to be fully compliant with company security protocols as their financial and operational authority is usually leveraged as an integral part of the scam.
- A higher number of installed applications increases the attack surface so uninstall applications that are no longer needed.
- Remove administrative rights from accounts used for web browsing or email.
- Enable multi-factor authentication (MFA) on all sensitive applications.
- Configure your email server to add “external” and “internal” banners to all email.
If you have a fraudulent loss:
- Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal as well as a Hold Harmless Letter or Letter of Indemnity.
- As soon as possible, file a complaint regardless of the amount with www.ic3.gov or, for BEC/EAC victims, BEC.IC3.gov. It is vital the complaint contain all required data in provided fields, including banking information.
In the coming years we will see machine learning and artificial intelligence strongly leveraged in these attacks and they will continue to grow in sophistication. The race between scammers and security technology continues as companies work to control and mitigate risk. Fortunately employees are becoming more sophisticated in watching for anomalous messages and requests but they are still being taken in by scams.
Ongoing training encourages all employees to become an integral part of protecting the business from sophisticated scams such as business email compromise.
Visit www.ic3.gov for updated PSAs regarding BEC trends as well as other fraud schemes targeting specific populations (real estate, pre-paid cards, W-2, etc.).