Business Email Compromise & Its Effect On Your Business
Business Email Compromise (BEC) has become one of the most common digital business scams, and it often results in significant financial losses. In a BEC attack, a hacker or other malicious third party sends a fraudulent email — typically one purporting to come from an executive within the company — that instructs the recipient to initiate a wire transfer immediately to a “new” account outside of the business.
The message will often claim that the wire transfer be made with haste because of a pressing business matter at hand. The lower-level employee that receives these wire transfer requests then unwittingly sends the transfer off without question; the money then changes hands from business account to third-party private account, and is recorded as an instant loss.
What’s scary about the situation is that it could happen to anyone, without the victim ever noticing the difference between the scam email and a genuine one. Hackers have become so meticulous and methodical in their approach that they will break into a database or network, monitor its activity, identify the email accounts that will be useful for their purposes, study the structure and wording of messages sent from those accounts, and then compose their own forged message to match.
Sometimes the hackers are able to access an executive’s email account directly; at other times they create a nearly identical replica account that goes undetected by the untrained eye, a technique called email spoofing. This is extremely difficult to catch because of the sedulous care the hackers put into each forged email — from the creation of similar web and email addresses to the logo and branding touches one would only expect a legitimate business to use in an email campaign.
The FBI has stated that since January of 2015, “a 270% increase in Business Email Compromise in identified victims and exposed loss” has taken place. And since October of 2013, business email scams have claimed more than $2.3 billion. Arizona has been one of the hardest hit states where the average BEC scam can cost a business anywhere between $25,000 and $75,000.
What Measures Can Your Business Take?
This significant and dramatic increase in BEC scams makes clear that businesses need to be vigilant about their preemptive security measures. Specifically, this means training, re-training, and testing employees on a weekly basis on how to examine emails, wire transfer requests, and any other security protocols deemed necessary. This step could save your business anywhere from tens of thousands to millions of dollars in potential losses down the road.
Develop a guideline for all employees to follow when receiving account or money wiring requests; make sure each employee confirms the request by way of phone call, not by email reply; and test your employees with dummy requests at random to see if they’re consistently following all of the security protocols that have been put into place. Below, we’ve also included a list of suggested actions that the FBI has disclosed on the issue of Business Email Compromise.
The following actions are steps to take according to the FBI:
- Verify vendor payment locations and confirm with the sender via phone call about the transfer request.
- Web-based email accounts (Gmail / Yahoo / Hotmail / etc.) are more vulnerable than privately hosted accounts.
- Never post financial data or any Personally Identifiable Information (PII) to webpages or to social media accounts.
- A two-step verification process for all wire transfer requests and account requests would bolster security.
- Register all domains that appear to be similar to that of your primary domain to prevent hackers from using them.