As technology becomes more sophisticated, so do criminal attacks. Business email compromise (BEC) attacks are becoming more prevalent as fraudsters find new methods of accessing company email accounts and manipulating employees, and companies need to understand the risk in order to avoid it. Most organizations now have robust firewalls, hardened operating systems and intrusion detection systems. BEC bypasses these preventative measures: rather than attacking the technology, it obtains information and payments through social engineering, which is much harder to spot, control and avoid.
Trustpair continuously audits supplier information and checks all payment campaigns before execution, blocking the effects of business email compromise. Contact one of our experts right away.
What is BEC and why are all companies at risk?
In 2022, over 4.3 billion people used email across the globe. It’s the most common way to stay in touch with your customers and reach out to vendors, but because email usage is so widespread, it’s also a great hunting ground for fraudsters.
Individuals who get caught out by email compromise report severe impacts, one of the most worrying being identity theft. A staggering 20% of Americans fell victim to this crime in 2021. The effects of such a personal crime could last years, leading to damaged creditworthiness, financial losses and a potentially false criminal record.
Business email compromise (BEC) usually works by criminals impersonating a genuine source and using high-pressure tactics in order to access your finances or company secrets. It can place your entire organization at risk since it’s the chosen channel for many different types of fraud.
If Facebook and Google can fall victim to a payment scam of over USD 100 million, it is no surprise that fraudsters are investing their energies in more elaborate BEC tactics. The FBI’s 2020 Internet Crime Report listed losses due to business email compromise and email account compromise (BEC/EAC) at over USD 1.86 billion. That accounts for almost half the sum lost to cybercrime that year.
Organised crime operations are behind many attacks, and state-backed groups rely on the same phishing techniques to compromise email accounts: Dark Halo, Nobelium, APT29 and Cozy Bear are all names attributed to one group linked to the Russian Foreign Intelligence Service, the SVR. Nigeria is another major source of cybercrime. The risk is real and can be extremely damaging.
What are the main BEC scams?
Attackers seek to acquire funds directly or information to access funds in the future. The FBI has identified five main scams:
- Fake invoices or invoice fraud – these appear to be from legitimate suppliers, but the bank account details on them belong to fraudsters.
- Executive requests for payments or CEO fraud – emails from the CEO or senior executives’ accounts will request transfers of funds to fraudulent accounts.
- Hacked accounts – a compromised employee email account is used to request invoice payments from the customers and suppliers in its address book. Payments are diverted to the scammer’s account.
- Data theft – employees in HR and accounts departments are targeted for personally identifiable information (PII) or tax information on employees. This can be used to divert payroll funds.
- Law firm information requests – emails seemingly from a company’s law firm will request confidential information.
Techniques evolve all the time. One recently identified is:
- Requests for aging reports – this report, containing data on customer overdue payments and contact information, can be used to send convincing payment requests.
Methods used in business email compromise cases
Scammers will research and monitor targeted companies and employees. Fake emails will be extremely convincing. Any company finance department will give you at least one example of an employee making, or almost making, a payment to a fraudulent account.
There are various techniques used:
- Spam – unsolicited messages which can carry malware (see below) such as keyloggers. They can be dangerous to open or respond to.
- Spoofing – forging the sender name or address so that an email appears to come from a trusted individual or organization, in order to gather useful information.
- Phishing – emails that appear to be from a legitimate source and aim to extract useful information.
- Spear phishing – information from websites or social networking sites is used to make phishing emails seem more legitimate and to target specific people.
- Pharming – redirecting users, for example by tampering with DNS, to a website they will mistake for a legitimate company’s, used to harvest usernames and passwords.
- Malware – software used to damage systems or commit fraud, such as a keylogger that captures credentials as they are typed.
Ways to detect and prevent business email compromise (BEC)
As well as diverting funds, a compromised account can be the entry point for ransomware, which locks accounts or encrypts files until a payment is made to release them.
Education, internal controls, and software will all have a significant impact on a criminal’s ability to access email accounts.
Educate employees
Make sure employees are aware of the risks and methods of business email compromise attacks.
You can increase security awareness within your business by teaching your people what to look for. Here are some manual ways to detect business email compromise:
- Check the domain: lookalike domains are very similar but not identical to the real one. For example, a message might come from scammer@frauds.org instead of scammer@frauds.com, or swap characters that look alike, such as “rn” for “m” or a zero for the letter “o”.
- Does the subject line sound odd? Urgency in the subject line, such as “Payment Deadline”, is a common sign of an attack.
- Are the links malicious? Hover over a link (without clicking) to see whether it points where you expect or would redirect you to another, potentially malicious, site.
However, using automation to detect BEC can have much more thorough results. For example, Trustpair’s platform automatically audits campaign payments before they are executed, blocking any transactions to suspicious or unknown bank accounts. We also provide automated account validation.
Email rules
Avoid free web-based email accounts for business use and require multifactor authentication (MFA). With MFA, staff must present more than just their password to log in, for example a one-time code or a biometric match such as facial recognition. This blocks logins made with a stolen password alone; note that one-time codes can still be relayed by phishing kits that proxy the real login page, so phishing-resistant methods such as FIDO2 security keys give the strongest protection.
For emails about payments, use ‘forward’ rather than ‘reply’ and send to the address you have on file: a reply goes to whatever Reply-To address the sender set, which may not be the address shown.
Establish email filtering or intrusion detection rules that flag messages sent from domains similar to your own or your suppliers’, and messages whose Reply-To address differs from the From address shown.
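The two rules above, together with the manual domain and subject-line checks from the “Educate employees” list, can be turned into a small scanner. The following is an added example written for this page; it is not Trustpair’s software or any product’s code. The trusted domain acme-corp.com, the similarity threshold, the urgency word list and the sample messages are all constructed assumptions for illustration:

```python
"""Scan raw email messages for the BEC indicators discussed above.

Added example (not Trustpair's software or any product's code). It flags:
  * a From: domain that closely resembles, but is not, a trusted domain
    (TLD swaps, digit-for-letter swaps, 'rn' standing in for 'm');
  * a Reply-To: domain that differs from the From: domain;
  * urgency wording in the Subject: line.
The trusted domain, threshold and sample messages are constructed for
illustration.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation and its known suppliers really use.
TRUSTED_DOMAINS = {"acme-corp.com"}
SIMILARITY_CUTOFF = 0.8  # assumption: tune against your own mail flow
URGENCY_WORDS = ("urgent", "immediately", "payment deadline", "asap")

# Look-alike substitutions that humans miss: digits for letters, 'rn' for 'm'.
_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalise(domain):
    """Canonical form used for comparison; applied to both sides symmetrically."""
    return domain.lower().translate(_DIGITS).replace("rn", "m")


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if none is present."""
    _name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, cutoff=SIMILARITY_CUTOFF):
    """Return the trusted domain that `domain` imitates, or None.

    Exact matches are never reported; near matches are scored with
    difflib's ratio (2 * matching chars / total length) after normalisation.
    """
    if not domain or domain in trusted:
        return None
    norm = _normalise(domain)
    best, best_score = None, 0.0
    for candidate in trusted:
        score = difflib.SequenceMatcher(None, norm, _normalise(candidate)).ratio()
        if score > best_score:
            best, best_score = candidate, score
    return best if best_score >= cutoff else None


def bec_indicators(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    subject = (msg["Subject"] or "").lower()
    findings = []

    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"from-domain {from_dom} resembles trusted {imitated}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from from-domain {from_dom}")
    if any(word in subject for word in URGENCY_WORDS):
        findings.append(f"urgency wording in subject: {msg['Subject']!r}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = """\
From: "Pat Lee, CFO" <pat.lee@acme-c0rp.com>
To: ap@acme-corp.com
Subject: URGENT: Payment Deadline today

Please wire the attached invoice before noon.
"""

SAMPLE_REPLY_TO = """\
From: "Pat Lee" <pat.lee@acme-corp.com>
Reply-To: pat.lee@acme-corp-finance.net
To: ap@acme-corp.com
Subject: Invoice 4471

Please use the updated bank details attached.
"""

SAMPLE_CLEAN = """\
From: "Pat Lee" <pat.lee@acme-corp.com>
To: ap@acme-corp.com
Subject: Minutes from Tuesday

Notes attached.
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", SAMPLE_LOOKALIKE),
                      ("reply-to", SAMPLE_REPLY_TO),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, "->", bec_indicators(raw) or "no indicators")
```

Run as a script it prints the findings for each sample: two for the lookalike message (the digit-for-letter domain and the urgent subject), one Reply-To mismatch for the second, and none for the clean one. In a real deployment you would feed it the raw message from your mail gateway or SIEM, populate the trusted set from your supplier records, and treat the similarity threshold as something to calibrate: lower it and you catch more TLD swaps, raise it and you get fewer false alarms on genuinely unrelated domains.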
Website safeguards
Register similar (lookalike) domain names yourself so they cannot be used to produce legitimate-looking websites and emails, and keep your firewall and antivirus software up to date for an added layer of protection. Note that registering lookalikes does not stop an attacker from forging your exact domain in a From header; that is what email authentication (SPF, DKIM and DMARC) on your own domain is for.
Social media awareness
Do not publish too much information on job titles, responsibilities, reporting lines and so on; attackers use it to choose targets and to make spear-phishing emails credible.
Know your suppliers
This makes it easier to spot unusual requests or changes.
Payment approvals
Strengthen your internal controls around the payment chain: use dual approval or segregation of duties for payments, limit who can make them, and systematically verify account details, especially any change to a supplier’s bank details, before paying.
Confirmation requests
Verify the request with a confirmation email or, better, a phone call, using the contact details already on file rather than those given in the request itself.
Use the right software
Trustpair’s platform will take care of many of these processes, saving time and money. Our software will verify bank details worldwide, making sure you aren’t paying a fraudster. We are by your side to help out. We help protect corporations from unwanted intrusions, whether that’s through securing your payment platform or updating your supplier data in real-time. This way, your people always have the bigger picture and are equipped to make the right decisions. Prevent fraudsters from accessing your financial data, with Trustpair.
To learn more about B2B payment fraud, download our latest fraud study!
Key Takeaways
Business Email Compromise (BEC) is a real threat for every company. Securing your organization comes down to three points:
- Know the scams to watch out for
- Educate your employees
- Install Trustpair software for an added layer of security