Business email compromise (BEC) is one of the most financially
devastating online schemes and has exploded in frequency over
the past decade. BEC exploits the simple fact that so many of us
rely on email daily.
BEC schemes begin when cybercriminals gain access to an
employee’s legitimate business email account through social
engineering or computer intrusion. Alternatively, the fraudster
may emulate a legitimate email account with an unrelated account
created specifically for nefarious purposes. The bad actor sends an
email to a specific target (typically a high-ranking employee who
frequently receives payment requests), which appears to come from
a legitimate source. Some examples include:
- A supplier your company regularly works with provides invoices
with updated wiring instructions.
- A CEO asks her assistant to purchase a large sum of gift cards to
provide to employees as rewards. She requests the serial numbers
be provided immediately.
- A prospective homebuyer receives a message from his mortgage
company with instructions on where to wire down payment funds.
According to the FBI, between June 2016 and December 2021, this
scheme was replicated over 240,000 times for a total exposure
amount of $43B. Sadly, in many cases once the scheme is discovered
days or weeks later, the chances of recovery may be slim to none.
The following tips can help businesses and employees avoid
business email compromise schemes:
- Educate your employees. A strong security program, paired with
employee education about the warning signs, safe practices, and
how to respond to a suspected account takeover, is essential to
protecting your company and customers.
- Do not trust emails with payment instructions. Verify payment and
purchase requests in person if possible, or by calling the sender at
a known, legitimate phone number to confirm the request is valid. Verify
any change in account number or payment procedures directly
with the person making the request.
- Set up multi-factor authentication on any account that allows it,
and never disable this feature.
- Protect your online environment. It is important to protect your
cyber environment just as you would your cash, sensitive
documents, and physical location. Do not use unprotected
internet connections. Encrypt sensitive data and keep updated
virus protections on your computer. Use complex passwords and
change them regularly.
- Be wary of sudden changes in business practices or contacts. If
an employee, customer or vendor suddenly asks to be contacted
via their personal e-mail address, verify the request through
known, official and previously used correspondence as the
request could be fraudulent.
- Be wary of requests marked “urgent” or “confidential.” Fraudsters
will often instill a sense of urgency, fear, or secrecy to compel the
employee to facilitate the request without consulting others.
- Implement robust internal approval procedures for vetting account
change requests to prevent potential financial losses.
- Partner with your bank to prevent unauthorized transactions.
Talk to your banker about programs that mitigate fraud such as
call-backs, device authentication, and multi-person approval
processes.
CNB offers a variety of banking solutions to help mitigate fraud
threats and greatly reduce your chances of becoming the latest
victim in an already challenging world. Be sure to follow us on social
media to stay up to date on emerging trends and threats.
Visit CNBank.com/Security for current fraud articles and resources.