Businesses are under attack from Business Email Compromise (BEC). This efficient form of fraud has devastated countless companies, preying on those that frequently conduct wire transfers or that deal with foreign suppliers.
BEC attackers use advanced social engineering techniques against unwitting victims. These techniques allow scammers to build trust with employees, who often work in financial departments. After methodical research, the scammer impersonates a company executive. Digitally disguised as a colleague, they request money from their victims, who eagerly comply believing that they are simply doing their job. The result is hundreds of thousands of dollars in lost revenue and a distraught employee.
Some examples of this scam include:
- Data Theft: This is a preliminary con directed at workers in the HR and bookkeeping departments. Fraudsters request personally identifiable information or tax statements to gather material for tracking employees.
- The Bogus Invoice Scheme: This is a common scheme directed at enterprises that do business with external suppliers. The scammer poses as a supplier requesting payment. The normal invoicing process runs its course and the payment is simply issued to the scammer’s account.
- CEO Fraud: This occurs when an attacker masquerades as a company executive or CEO. The fake CEO messages an employee and asks that funds be transferred to an attacker-owned account. This fraud is very well-organized and can involve the cybercriminal meticulously crafting responses that are spot-on with how the real CEO talks and types. This is a particularly sophisticated breed of attack.
- Account Compromise: This attack involves the hacking of an employee’s email account. Once access is gained, the criminal sends phony invoices to vendors and directs the funds to illegitimate bank accounts.
- Attorney Impersonation: Similar to CEO Fraud, this style of scam leads employees to believe that they have been contacted by a law office. The fake attorney may claim to have recently been brought in on a major company case. The issue is pressing and payment needs to be made immediately. Newly hired and inexperienced employees will comply with this demand without a second thought, which is why they are often the ones cyber crooks pursue.
Awareness Is the Key to Battling BEC
Awareness is the first step to prevention. One of the most glaring factors that all previous fraud sufferers have in common is a significant lack of awareness. With these attacks becoming increasingly sophisticated, it is easy to be duped.
Employee Awareness Program
An employee awareness program builds this alertness across the whole organization. It can be developed to help users recognize the key differences between legitimate and fraudulent correspondence, and it should emphasize the importance of remaining calm no matter how pressing the demand.
Cross-Referencing Sender Addresses
Before replying, employees should learn how to cross-reference the email address used by the sender. They should check whether the address differs from the account the person normally corresponds from. Sometimes the address looks identical at first glance; on close inspection it is missing a letter or contains an extra or substituted character that is easy to overlook.
Social Media Standards
BEC attacks rely on the careful curation of employee details in order to function. The more a scammer knows about a worker, the easier it is to get into their head. Criminals scour social media to build an exhaustive profile of every company worker, so advising employees to be wary of how much information they divulge online can help stop BEC scams before they start.
Secure Email Platform
Using a secure email platform is another way to maintain a strong defence. Relying on web-based email services heightens the chance of experiencing many different kinds of attack. Having an official domain name and associated email addresses helps keep hackers out and private information encrypted.
Flagging Threatening Keywords
Employees can filter out bogus emails by setting up a gateway rule that flags keywords indicative of a scam. For example, common inclusions in spurious subject lines are “secret”, “payment” and “urgent”.
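The two checks above, cross-referencing the sender's domain against the addresses a correspondent normally uses and flagging suspect subject keywords, as an added example that is not part of the original article. It assumes two trusted domains (example-corp.com and acme-supplies.com), a small illustrative set of look-alike character pairs, and constructed sample headers; near-miss domains are caught both by folding look-alike characters and by a one-edit distance test, since each catches cases the other misses.

```python
import re
from email.utils import parseaddr
# Domains the organisation and its suppliers really send from (constructed values).
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}
# Keywords the article lists as suspicious, and look-alike character pairs (assumed set).
SUSPECT_KEYWORDS = ("secret", "payment", "urgent")
LOOKALIKE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def normalise(domain: str) -> str:
    """Fold look-alike sequences so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in LOOKALIKE_PAIRS:
        d = d.replace(fake, real)
    return d

def within_one_edit(a: str, b: str) -> bool:
    """True if b differs from a by one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            i += len(a) >= len(b)  # advance the longer side, or both on a substitution
            j += len(b) >= len(a)
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1

def triage(raw_from: str, subject: str) -> list[str]:
    """Return the reasons a message deserves a second look (empty list = no flags)."""
    flags = []
    _, addr = parseaddr(raw_from)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain not in TRUSTED_DOMAINS:  # an exact match is fine; a near miss is the red flag
        for trusted in TRUSTED_DOMAINS:
            if normalise(domain) == normalise(trusted) or within_one_edit(domain, trusted):
                flags.append(f"lookalike sender domain {domain!r} resembles {trusted!r}")
                break
    hits = [k for k in SUSPECT_KEYWORDS if re.search(rf"\b{k}\b", subject, re.I)]
    if hits:
        flags.append("subject contains " + ", ".join(hits))
    return flags

# Constructed sample messages: (From header, Subject header).
SAMPLE_MESSAGES = [
    ("Dana Ortiz <dana.ortiz@example-corp.com>", "Q3 budget review"),
    ("Dana Ortiz <dana.ortiz@exarnple-corp.com>", "URGENT: wire payment needed today"),
    ("billing@acme-supplies.co", "Updated bank details for invoice 4471"),
]
```

Running `triage` over `SAMPLE_MESSAGES` leaves the first message unflagged, flags the second for both the "rn" look-alike domain and the "payment"/"urgent" subject, and flags the third for the dropped letter in the supplier's domain.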
Buying Related Domain Names
Another effective way to reduce the risk of email spoofing is for a business to register multiple domain names that are similar to its own. With many variants of the company name already taken, fraudsters have fewer options to get their hands on.
Regulations for HR
It is imperative for Human Resource management teams to stay alert when posting job advertisements. These posts often contain company information that can be harvested by scammers.
Incident Response Plan
Our final recommendation is to prepare an incident response plan: a carefully constructed set of guidelines to help your IT department detect, respond to and remedy both minor issues and full-scale attacks.
Start by producing a complete list of the responsibilities staff take on when an incident occurs. Draft a continuity plan to get operations back up and running as fast as possible. Make a detailed list of all data recovery procedures that must be carried out. Train employees to understand and comply with the processes outlined in the plan. A trusted service provider can help you create a foolproof incident response plan.
Cyber crime has come a long way from the sloppy, poorly-written phishing emails we are all familiar with. Rather than casting out thousands of arbitrary messages and hoping for a bite, this new form of fraud is tailored to individuals. These criminals know who their victims are. They know where they go for coffee before work. They can customize responses that are seemingly authentic and not raise any concern.
This is the frightening reality that is threatening businesses every day, and they must prepare accordingly. Is your staff equipped to handle this new strain of highly intelligent scam?