One of the most common forms of phishing is the Business Email Compromise (BEC) scam.
This is when employees of a particular business, generally those who have authorization to wire money from the company’s financial accounts, are targeted.
Typically, the targeted employees receive an email that appears to be from an executive, or another authorized employee, of their company, requesting that money be transferred to some account. Often, the money is to be sent outside the United States.
Another BEC scam involves a business that has an established relationship with a supplier. The fraudster, using a spoofed email, telephone call or fax, asks that funds for an invoice payment be wired to an alternate, fraudulent account.
In a related variant, an employee’s email account is compromised and then used to request invoice payments to fraudster-controlled bank accounts. Messages are sent to multiple vendors identified from the employee’s contact list. The business may not become aware of the scheme until its vendors follow up to check on the status of their invoice payments.
These attacks are difficult to identify; however, there are warning signs. Usually, the request is presented to the employee as urgent and as something that cannot wait for additional approvals. In addition, the sender’s email address is spoofed: at first glance it appears to belong to a legitimate company, but on closer inspection it is not the same address.
Anyone who is authorized to perform wire transfers should use extra caution when receiving requests.
Heed Warning Signs
• Check the email address, and then check it again, to make sure it truly is from someone who can authorize such transactions. Often, fake domains are used that are so close to the real one that the difference is hard to see. Sometimes only one or two letters differ. Sometimes the letter “L” is replaced with the number “1”, or the letter “O” with a zero, for example. Some use extensions that are similar to the company’s email domain but not exactly the same, such as .co instead of .com.
• Verify again that the request is legitimate, as a second, independent confirmation step. Do this preferably by telephone, or alternatively by sending a new email message (not a reply) to the requester. Use familiar phone numbers and email addresses, not the contact details provided in the request.
• Follow a process of getting multiple approvals before a wire transfer is allowed in your business. If there is no process for this, create one, follow it and ensure it is enforced.
• Verify any changes in vendor payment location by using a secondary sign-off by company personnel.
• Stay updated on your customers’ habits, including the reason, detail and amount of payments. Be aware of any significant changes.
• Be suspicious of requests for secrecy or pressure to take action quickly.
• Be wary of free, web-based email accounts, which are more susceptible to being hacked.
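The first warning sign above (lookalike sender domains with swapped letters and digits, or a near-identical extension) is something a mail gateway or a finance team's intake script can check mechanically. The following is an added example, not part of the original article or any product it describes: it classifies the domain in a From: header against a constructed list of trusted domains, catching the l/1 and O/0 substitutions and the .co-for-.com swap the article mentions, and goes a little further by also flagging accented lookalikes, near-matches such as "rn" for "m", and display-name spoofing (a trusted-looking address written in the display name while the real address is elsewhere). The trusted domains, the sample headers and the 0.85 similarity threshold are all assumptions made for the example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed list of domains this organisation treats as legitimate senders
# (assumption for the example; a real deployment would load its own list).
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}

# Visually confusable digit/letter substitutions: the article mentions
# "1" for "l" and "0" for "O"; a few common extras are added here.
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "|": "l", "5": "s", "3": "e", "8": "b",
})


def extract_address(from_header):
    """Return the bare address from a From: header, ignoring the display name.
    Only the part inside <...> counts; a trusted-looking display name alone
    proves nothing."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.strip().lower()


def skeleton(domain):
    """Canonical form for comparison: strip accents, map confusable digits to
    letters, and drop hyphens and dots so only the letters remain."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    d = d.translate(CONFUSABLES)
    return d.replace("-", "").replace(".", "")


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'.
    Returns (verdict, sender_domain, closest_trusted_domain, reason)."""
    addr = extract_address(from_header)
    if "@" not in addr:
        return ("unknown", addr, None, "no @ in address")
    domain = addr.rsplit("@", 1)[1]
    if domain in trusted:
        return ("trusted", domain, domain, "exact match")
    d_name, _, d_tld = domain.rpartition(".")
    for t in sorted(trusted):  # sorted so the reason string is deterministic
        if domain.endswith("." + t):
            return ("trusted", domain, t, "subdomain of trusted domain")
        if skeleton(domain) == skeleton(t):
            return ("lookalike", domain, t, "confusable-character substitution")
        t_name, _, t_tld = t.rpartition(".")
        if d_name == t_name and d_tld != t_tld:
            return ("lookalike", domain, t, f"TLD swap .{t_tld} -> .{d_tld}")
        ratio = SequenceMatcher(None, domain, t).ratio()
        if ratio >= threshold:
            return ("lookalike", domain, t, f"near-match (similarity {ratio:.2f})")
    return ("unknown", domain, None, "no trusted domain resembles this")


if __name__ == "__main__":
    # Constructed From: headers illustrating each outcome.
    samples = [
        "CEO <ceo@example.com>",
        "ceo@examp1e.com",
        "ceo@example.co",
        "ceo@exarnple.com",
        "ceo@example.com <attacker@gmail.com>",
    ]
    for header in samples:
        verdict, domain, closest, reason = classify_sender(header)
        print(f"{verdict:9} {domain:22} {reason}")
```

A "lookalike" verdict is the strongest signal here: an exact or subdomain match can still be a compromised account, which is why the out-of-band phone confirmation in the second bullet remains necessary even when the check passes.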
If your business has been targeted by a BEC email, contact your financial institution immediately and request that it contact the financial institution to which the fraudulent transfer was sent. Next, call law enforcement and also file a complaint — regardless of the dollar loss — with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.
No business is immune to cybercrime. Businesses of all sizes and types are vulnerable. But awareness and employee education can help a business fight cybercrime.