As technology becomes more sophisticated so do criminal attacks. Business email compromise (BEC) attacks are becoming more prevalent as fraudsters find new methods of accessing company email accounts and manipulating employees. Companies need to be aware of the risks to avoid them.
Most organisations now have robust firewalls, secure operating systems, and intrusion detection systems. BEC techniques bypass these preventative measures by securing information through social engineering techniques. These can be much harder to spot, control, and avoid.
All companies are at risk of Business Email Compromise attacks
If Facebook and Google can fall victim to a payment scam of over USD 100 million it is no surprise that fraudsters are investing their energies in more elaborate BEC tactics. The FBI’s 2020 Internet Crime Report listed losses due to business and email account compromise as over USD 1.86 billion. That accounts for almost half the sum lost to cybercrime.
Organised crime operations are behind many attacks. Dark Halo, Nobelium, APT29 and Cozy Bear are all names attributed to the group linked to the Russian Foreign Intelligence Service, the SVR. Nigeria is another major source of cybercrime.
The risk is real and can be extremely damaging.
What are the main BEC scams?
Attackers seek to acquire funds directly or information to access funds in the future. The FBI has identified five main scams:
- Fake invoices – these appear to be from legitimate suppliers, but accounts belong to fraudsters.
- Executive requests for payments – emails from the CEO or senior executives’ accounts will request transfers of funds to fraudulent accounts.
- Hacked accounts – an employee’s email account will request invoice payments from suppliers. Payments are diverted to the scammer’s account.
- Data theft – employees in HR and accounts departments are targeted for personally identifiable information (PII) or tax information on employees. This can be used to divert payroll funds.
- Law firm information requests – emails seemingly from a company’s law firm will request confidential information.
Techniques evolve all the time. One recently identified is:
- Requests for aging reports – this report, containing data on customer overdue payments and contact information, can be used to send convincing payment requests.
Methods used in business email compromise cases
Scammers will research and monitor targeted companies and employees. Fake emails will be extremely convincing. Any company finance department will give you at least one example of an employee making, or almost making, a payment to a fraudulent account.
There are various techniques used:
- Spam – unsolicited messages which can contain malware (see below) such as keyloggers. They can be dangerous to open or respond to.
- Spoofing – impersonating an individual or organization to gather useful information. • Phishing – emails that appear to be from a legitimate source that aim to extract useful information.
- Spear Phishing – information from websites or social networking sites is used to make phishing emails seem more legitimate.
- Pharming – a website users will mistake as belonging to a legitimate company, used to gather usernames and passwords.
- Malware –software used to damage or defraud.
Ways to prevent business email compromise
As well as diverting funds, BEC can lead to ransomware taking control of accounts or files obtained until payment is made to release them.
Education, internal controls, and software will all have a significant impact on a criminal’s ability to access email accounts.
Make sure employees are aware of the risks and methods of business email compromise attacks.
Avoid web-based emails and require multifactor authentication. For payment emails, use ‘forward’ rather than ‘reply’.
Establish intrusion detection rules to flag emails sent from addresses with similar domain names and when an email has a different reply address to the one shown.
Secure and register similar domain names to avoid legitimate-looking websites and emails being produced.
Social media awareness
Do not provide too much information on job titles, responsibilities, and so on. 5. Know your suppliers
This makes it easier to spot unusual requests or changes.
Use dual approval for payments and limit those who can make them. Verify account details.
Verify with a confirmation email or call using information on file.
Use the right software
Trustpair software will take care of many of these processes, saving time and money. Our Bank Supplier Check software will verify bank and corporate details worldwide. And our Payment Security software will run an automatic check of payment files to detect suspicious behaviour.
As Deloitte says, “Now is the time for companies to educate themselves about BEC, train their employees, and create an environment that encourages compliance”.
We welcome any opportunity to show you how our software can transform your company’s risk to business email compromise. Contact us to request a demo: keep your business safe from cybercriminals.
Business Email Compromise (BEC) is a real threats for every companies. Best practices to secure your organisation is mainly about three points:
- Know the scams to watch out for
- Educate your employees
- Install Trustpair software for an added layer of security