Beware the BEC
With $62,671,503 in victim losses reported, Business Email Compromise (BEC) was the costliest cybercrime in Florida in 2017. Indeed, the FBI reports that since they began tracking the crime in 2013, they have recorded more than $12 billion in losses from businesses around the world, a realization that prompted the FBI to issue a special alert on the subject in June 2018. But what is BEC, and why is it so profitable for criminals?
BEC targets businesses that frequently use wire transfers, such as real estate companies. Essentially, the criminal uses email deception—usually impersonating a high-level executive such as the CEO—to trick an employee into making a wire transfer to what they think is a trusted partner’s account but what is, in fact, the criminal’s account. It may sound simple, but BEC has reached an unprecedented level of sophistication, carried out by global criminal organizations that conduct extensive surveillance on their targets to ensure their deception is plausible and convincing. They use a suite of techniques to ensure success, including social engineering tactics, spear-phishing emails, identity theft, email spoofing, and malware.
As the FBI reports, “Although the perpetrators of BEC—also known as CEO impersonation—use a variety of tactics to fool their victims, a common scheme involves the criminal group gaining access to a company’s network through a spear-phishing attack and the use of malware. Undetected, they may spend weeks or months studying the organization’s vendors, billing systems, and the CEO’s style of e-mail communication and even his or her travel schedule.”
In 2017, more than 15,000 businesses were victims of BEC in the United States, at a cost of more than $676 million.
How can you protect your business from BEC? According to the FBI, the most effective preventative measure is to simply verify the authenticity of any request to send money directly with the person making the request, either in person or over the phone.
Some other safeguards include the following:
- Create a rule in your email client that flags emails with extensions similar to that of your company. For example, if your company’s legitimate email extension is abc_company.com, set up a rule to flag emails coming from abc-company.com and abccompany.com.
- Create an email rule to flag communications where the “reply” e-mail address is different from the “from” email address displayed.
- Create a color-coded system where emails from employee/internal accounts are one color and emails from non-employee/external accounts are another.
- Verify changes in vendor payment location by adding additional two-factor authentication such as having secondary sign-off by company personnel.
- Confirm requests for transfers of funds by using phone verification as part of two-factor authentication; use previously known numbers, not numbers provided in the email request.
- Scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.