Business Email Compromise is major threat to companies
posted by Stephan Thomasee on Wednesday, October 23, 2019 in SHAZAM Blog
The FBI’s Internet Crime Complaint Center 2018 Report listed losses of $1.2 billion due to business email compromise, a number which is most likely higher because businesses often don’t report this crime due to embarrassment. Regardless of the final number, it’s obvious this type of attack remains a significant source of revenue for scammers and loss for businesses.
What is business email compromise?
Business email compromise, also known as CEO impersonation, occurs when an attacker uses business email to leverage a social engineering attack. Bad guys may compromise credentials to take over a company email account and send messages to others in the organization or spoof a user’s email address making it look like the message is coming from another member of the organization.
Often, the scammer will pretend to be the company CEO, CFO or other high-ranking leader. Their fake message asks a subordinate to perform a high priority task involving funds. It could be sending a money order to a third-party account, buying and sending gift cards, or rerouting a payment to a different recipient. The message may also ask the victim to send confidential data, such as payroll information, W-2 forms, health data or account information. The data is then used to facilitate identity theft, or refund fraud with the Internal Revenue Service.
These types of attacks usually have common themes. The message contains an element of urgency, asking the victim to take care of it right away to avoid negative consequences, such as losing a contract or client. It may also include a (fake) reason why the sender can’t use the regular processes to perform the task — they’re out of the office, visiting a vendor, or at a conference. The urgent tone convinces the victim they can’t contact the sender through regular channels, only by replying to the scam email.
If the victim follows the scammer’s instructions, and sends the funds or data, the attacker will act quickly. The money will be transferred to another account or withdrawn using money mules. Before the victim realizes it was fraud and tries to reverse the transaction, the funds are gone. In many cases, it’s sent to overseas accounts and out of reach of any retrieval process.
How can you protect your institution from business email compromise?
- Put processes in place to double-check any transfers of funds. Don’t allow a perception of urgency to bypass safeguards. Create and follow a process that requires two-person verification of any funds transfer.
- Implement a process requiring a face-to-face conversation for any urgent request for funds.
- Train your employees to recognize this type of attack. The language of the email may seem strange, out of character, or contain obvious clues that it’s a scam.
- Check the email address. When an email address is spoofed, it may look legitimate. Hover over the address to confirm if it’s legitimate or from another email provider. Check for characters in the address that look correct but are different. For instance, a W may be represented with two Vs, as in Kvvill@company.com, instead of Kwill@company.com.
- Confirm any such request through a channel other than email. Call the sender at a phone number you have on file. If you receive a notification saying the sender is not available, use whatever method is necessary to double-check. It’s better to apologize for the inconvenience of a phone call, than to facilitate a loss.
Follow these commonsense steps and help your company avoid losses to criminals who are consistently utilizing this attack strategy because, unfortunately, it works.
SHAZAM, Inc. and ITS, Inc. provide this blog for general informational purposes only. Our blog may be shared by a direct link wherein the content remains as originally presented and has not been altered. SHAZAM, Inc. and ITS, Inc. assume no responsibility for errors or omissions in the contents on the blog. By using this blog, reader agrees that the information published does not constitute nor is a substitute for legal advice which should only be sought from a qualified, licensed attorney.
comments powered by