Fraud Emails: What Every Organization Needs to Know
If your company accountant received an email from the chief executive officer requesting a transfer of funds on a time-sensitive acquisition, what would he or she do?
What’s most important today is making sure that the email isn’t a ‘Business Email Compromise’ (BEC).
A BEC is the latest fraud email scam, an emerging global threat that targets businesses with foreign suppliers and regular wire transfer payments. Cyber criminals use social engineering and computer intrusion techniques to compromise business email accounts – and steal money.
The FBI reported that in just six months last year, the number of BEC victims skyrocketed 270% to a total of 8,179, representing losses of nearly $800 million. Before that, between October 2013 and February 2015, the total number of reported victims was just 2,126, and losses were $215 million.
Making Research Pay Off
What makes this scam so advanced is the amount of research that cyber criminals are doing.
It often starts with a phishing email to an executive, followed by malware that gives the attackers access to that person’s inbox. Once they’re in, the cyber criminals gather and map out personal and company information. They also use social media and corporate websites. Sometimes they make contact and exchange emails with their targets.
When the time is right (and it can take several months), they spoof the CEO's address and send a transfer request message to the employee in the finance department.
The CEO fraud isn’t the only version of the scam.
The supplier swindle scheme is when a business is asked by a current ‘supplier’ to wire an invoice payment to a fraudulent account. There’s also an invoice fraud variant in which an employee’s personal email account is hacked and used to request invoice payments from multiple vendors. In the attorney scam, someone posing as an attorney pressures an employee to transfer funds quickly.
Learn some ways you can protect your organization from becoming a victim of a BEC:
- Raise awareness through on-going employee education. Constantly update employees about BEC, and teach healthy email habits such as scrutinizing all emails.
- Use technology. Use intrusion detection or email gateway controls that alert employees when a message originates from outside the corporate network. Also, configure email and web filters to block fraud emails such as phishing attacks.
- Improve finance team procedures. Scrutinize all email requests to transfer funds, and be suspicious of any request for secrecy or pressure to take action quickly. Change how payments to external third parties are authorized; use two-step verification processes.
- Be wary of social media. Remind employees that posting any confidential information to social media is, in effect, sharing it with cyber criminals. Company websites can contain information that criminals use too.
- Consider cyber insurance. Investigate insurance policies that protect against cyber attacks.
- Implement a comprehensive document management process. There should be a company policy that protects all confidential information – in paper and digital formats – from creation to destruction. Partner with a document destruction company with a secure chain of custody and on- and off-site destruction services.
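The “use technology” and “improve finance team procedures” points above can be turned into a concrete triage check. The script below is an added example, not code from the original article or from any vendor it mentions: it parses a raw inbound message with Python’s standard `email` module and raises the warning signs the article describes (external origin, a look-alike domain, a display name that matches an executive but comes from a different address, a Reply-To that differs from the sender, and urgency or secrecy language), then recommends holding the message for out-of-band verification. The corporate domain `example.com`, the executive roster and the three sample messages are all constructed for the demonstration.

```python
"""Flag common Business Email Compromise warning signs in a raw message.

Added example (not part of the original article). Uses only the Python
standard library; the domain, roster and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and executive roster (constructed for the example).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Words that BEC messages lean on: pressure to act fast and to keep quiet.
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|today|confidential|wire|transfer)\b", re.I
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_flags(raw_message: str) -> list[str]:
    """Return the list of BEC warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    flags: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    # 1. Message did not originate from the corporate domain.
    if from_domain != CORPORATE_DOMAIN:
        flags.append("external-origin")
        # 2. Domain is within two edits of ours: a typosquat of the company name.
        if 0 < edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
            flags.append("look-alike-domain")

    # 3. Display name is an executive's, but the address is not theirs.
    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    if exec_addr and from_addr != exec_addr:
        flags.append("display-name-mismatch")

    # 4. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        flags.append("reply-to-mismatch")

    # 5. Two or more distinct urgency/secrecy words in subject plus body.
    body = msg.get_payload(decode=True)
    text = msg.get("Subject", "") + "\n"
    if isinstance(body, bytes):
        text += body.decode(errors="replace")
    if len({m.lower() for m in URGENCY.findall(text)}) >= 2:
        flags.append("urgency-language")

    return flags


def triage(raw_message: str) -> dict:
    """Map the flags to a handling decision for the mail gateway or help desk."""
    flags = bec_flags(raw_message)
    if "display-name-mismatch" in flags or "look-alike-domain" in flags or len(flags) >= 3:
        action = "quarantine-and-verify-out-of-band"
    elif flags:
        action = "deliver-with-warning-banner"
    else:
        action = "deliver"
    return {"flags": flags, "action": action}


# Constructed sample messages (not real traffic).
SPOOFED_CEO = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@examp1e.com
To: accounts@example.com
Subject: Urgent wire transfer - confidential acquisition

Please wire $48,000 today to the account below. Keep this confidential until we announce.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Attached are the slides for Thursday's budget review meeting.
"""

VENDOR_BANK_CHANGE = """\
From: Bob Vendor <bob@supplier-example.net>
Reply-To: bob.vendor@mail-example.org
To: accounts@example.com
Subject: Updated bank details for invoice 4471

Please transfer payment to our new account.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed CEO", SPOOFED_CEO),
                          ("legitimate", LEGITIMATE),
                          ("vendor bank change", VENDOR_BANK_CHANGE)):
        print(label, triage(sample))
```

The thresholds (two urgency words, three flags to quarantine, edit distance of two) are tuning choices for the example; in practice they would be adjusted against the organization’s own mail. The check is deliberately header-based so it can run at the gateway before a message ever reaches the finance team, which is where the article’s two-step payment authorization then takes over.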
A data breach investigation can reveal surprising vulnerabilities in a workplace that inside fraudsters look for too.