You’ve heard the old saying: “Don’t open an email from someone you don’t know.” You know that your employees understand how to spot a phishing scam with illegitimate hyperlinks or suspicious attachments with odd file extensions. But what if they receive an email that appears to come from your financial adviser, your business’ trusted vendor, or even you?
Business email compromise (BEC) has become increasingly popular amongst cybercriminals seeking money and personal information from businesses. Scammers target businesses that utilize wire transfers, as well as companies that rely on foreign suppliers and third-party vendors or customers. Impersonating these existing and trusted business relationships is what makes BEC almost impossible to detect and difficult to manage after the fact.
BEC has occurred in all 50 states and in at least 79 other countries. Between Oct. 2013 and Aug. 2015, the FBI calculated $740 million in losses as a result of BEC scams. Between Aug. 2015 and Feb. 2016, it calculated $2.3 billion in losses. In short, in six months the FBI handled cases involving almost double the monetary loss it had seen in the previous two years combined.
The difficulty in detecting BEC lies in the way scammers use your existing professional relationships to gain access to your business’ funds or personal information. Criminals use BEC to execute four specific types of scams. Once the scammers gain access to your company’s email accounts, the possibilities are endless.
Method #1: Business Executive Scam
Scammers will use your email address to contact an employee responsible for your company’s finances, requesting a large wire transfer into their fake accounts. Fraudsters will usually indicate that the transfer must be done urgently and quietly. Since most businesses utilize email as their main form of communication between employees and departments, this type of BEC is almost always detected after the transfer has been made.
Method #2: Supplier Swindle Scam
The second method targets your company’s foreign suppliers or overseas vendors, again with the aim of getting wire transfers authorized to a fake account. Criminals can hack into your supplier’s email account and request a wire transfer to a “new” account, claiming that the supplier’s overseas location has moved or changed.
Method #3: Bogus Invoice Scam
The third method targets your customers or third-party vendors, hoping to collect their money through false invoice requests. Fraudsters can hack into your employees’ emails and send out urgent invoices, similar to the method used with overseas suppliers.
Method #4: Personal Data Scam
Unlike the first three methods, this final method focuses on stealing your employees’ personal information. Fraudsters target your human resources department’s email accounts to obtain personally identifiable information (PII), specifically W-2 information. Emails are sent from your HR representative’s hacked email account to other employees, asking them to either provide or verify their sensitive information.
The significant increase in BEC incidents (a 1,300 percent increase since 2015) parallels the increase in wire fraud instances. The 2016 Payments Fraud and Control Survey reported that wire fraud was the second most popular method of payments fraud, accounting for 56 percent of all payment frauds caused by BEC. The percentage of businesses affected by wire fraud has nearly doubled, from 14 percent in 2013 to 27 percent in 2016, suggesting a correlation between instances of BEC and other types of business fraud.
What should you do?
Help your employees stop BEC in its tracks by following these tips before it does more damage to your business.
- Education training: Educate your staff about the common red flags of BEC scams. Encourage them to investigate emails from high-level executive positions regarding wire transfer, invoice or sensitive information requests.
- Personal information security: As always, emphasize the importance of protecting personally identifiable information, even in the workplace. Instruct employees to always safeguard their sensitive information, and encourage them to deliver W-2 and tax form information to your human resources department in person.
- Protocol: Put in place and adhere to a strict protocol regarding wire transfer or invoice requests. Following a consistent process will make it easier for employees to spot suspicious behavior.
- Open Communication: Encourage face-to-face or phone communications between departments in instances where wire transfers or invoice requests are asked to be done urgently or quietly. This way, employees are able to confirm that the transactions are legitimate.
The BEC scam has so many layers of potential compromise and can impact anyone associated with a business. Keep yourself, your employees and vendors in the know about BEC and other business scams by following Fighting Identity Crimes.
The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.