Alvin Mills

Alvin Mills
VP of Information, Technology & Security

Business email compromise is a growing trend

Scammers will often try to compromise an email by tricking a user into supplying email login credentials to a fake website.

Business email compromise is a sophisticated scam that targets both businesses and individuals that transact legitimate transfer of funds requests. The scam is frequently carried out when a subject compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.

Why are BEC cybercrime losses growing?

According to the FBI, between May 2018 and July 2019, there was a 100% increase in identified global exposed losses. Why? Because there is a greater awareness of the crime, so more losses are being reported.

Working in the financial services industry we may see things a little differently. Just when we start experiencing success in combating ransomware attacks, our banking industry is seeing a sharp increase in fraud events, mainly BEC events.

Of claims filed by commercial banks, 2% were attributed to ransomware, while 60% were attributed to fraud. This is a sharp contrast to other industries that reported 29% ransomware and 9% fraud events.

In July 2019, the Treasury Department reported an average of 1,100 businesses were scammed each month at a cost of more that $300 million a month to U.S companies.

The Rise of BEC

The most prevalent attacks I continue to see are CEO fraud. The scheme starts with attackers stealing the email credentials of, or attempting to spoof, top executives through phishing or other methods. Then they impersonate that executive, sending urgent messages to lower-level employees to transfer or wire money to bank accounts. In other cases, the attackers spoof a company’s business partner.

But the attacks are ever-changing and evolving. The attackers are getting better with their impersonations. Spoofed emails used to be easy to spot due to content that contained broken English. They aren’t as easy to spot now, as they are doing their homework.

Other BEC scams include:

  • Vendors requesting their payments be sent to another bank account.
  • Employees requesting their paycheck be deposited into another bank account.
  • Boss or charity figure asking for gift cards on his/her behalf.

Protect your organization

Here are a few simple steps to take:

  • Flag external emails. Ensure that external emails received through company addresses are flagged as external. This adds an extra layer of security with a visible indicator to employees. Remind employees, especially at the executive level, to not conduct company business with personal email accounts.
  • Use two-factor authentication. Scammers will often try to compromise an email by tricking a user into supplying email login credentials to a fake website. These credentials will then be used to log in to the account and send out BEC content to your contacts.
  • Implement a two-step process for payments. Secure company funds with at least a two-step verification process for all wire transfers and transactions. Creating an approval process protects you from external and internal fraud attempts.
  • Always verify invoices before payment. Train your employees to always pick up the phone to verify an invoice before paying it. It only takes a few minutes of time.
  • Educate your employees. If your employees are aware of what to look for and are routinely reminded of the warning signs of a business email compromise, they will be more likely to recognize bogus emails.