Helpful Tips: Avoiding Business Email Compromise - Hackstaff, Snow, Atkinson & Griess, LLC

Helpful Tips: Avoiding Business Email Compromise

Avoiding Business Email Compromise As a follow-up to our previous post, Bank Failures: Basic Protections for Consumers and Businesses, we wanted to also make clients aware of a rise in Business Email Compromise (BEC) scams as fraudsters attempt to take advantage of the current climate of uncertainty. 

As the dust settles around the most recent bank failure announcements, many businesses and vendors are focused on updating their banking information as they move accounts or simply try to tighten security. This is the window of opportunity for scammers, who target financial departments and account holders in an effort to trick them into sharing banking information or even sending money.

What can you do? First, stay calm and be skeptical of any banking update requests you receive via email, text or phone. Next, educate yourself on BEC and learn to recognize the signs of potential fraud.

What Exactly is Business Email Compromise?

Business Email Compromise (BEC), also referred to as Email Account Compromise (EAC), is a scenario in which criminals create email messages that closely mimic emails from known sources in an attempt to redirect payments – typically through wire transfers, ACH or even checks. BEC is one of the fastest-growing cybercrime techniques, targets companies large and small, and has resulted in billions of dollars of theft.

The good news is that with proper vigilance and education, BEC scams can be prevented.

How it Works.

BEC scams play out in a number of scenarios, with criminals sending an email message that appears to come from a trusted source. Here are some examples:

  • A recognized vendor your company regularly deals with sends an invoice with an updated mailing address.
  • A company executive requests the purchase of dozens of gift cards to send out as employee rewards, with serial numbers so they can be sent out immediately.
  • A lending organization sends wiring instructions to a new mortgagee with instructions for wiring a payment.

These scenarios all seem like normal, above-board occurrences. But by using clever tactics to ensnare unwitting victims, criminals receive the money. To pull this off, criminals will target and groom an individual or company, typically choosing someone in the accounting or financial services department using some of the following tactics:

  • Email account or website spoofing. By slightly altering a legitimate address (john.smith@realcompany.com vs. jon.smith@realcompany.com), busy victims may think the fake accounts are authentic.
  • Spear Phishing emails. These messages very closely resemble those from a trusted sender, like a bank or known vendor, and typically ask for confidential information that could provide access to company accounts, calendars, personnel information, and other data that opens the door for more BEC schemes.
  • Malware. Malicious software, commonly referred to as malware, is a Trojan horse that allows criminals to infiltrate company networks and gain access to legitimate email threads about billing and invoices. By doing a little research, criminals can use that information to time requests or send messages so accountants or financial officers don’t think twice. Malware also provides undetected access to a victim’s data, including passwords and financial account information.

Top Five BEC Schemes

The Federal Bureau of Investigation (FBI) has identified the five most common forms of BEC that businesses and individuals should be wary of:

  • Impersonating the CEO: Compromising or spoofing the email address(es) of the CEO, CFO or another executive of a company, and directing an employee to transfer corporate funds to a bank account controlled by the fraudster.
  • Account compromise: An employee of a company has their email address compromised and unknowingly used to request, initiate and/or authorize the transfer of funds to a bank account controlled by the fraudster.
  • False invoice scheme: Impersonating a known vendor by compromising the vendor’s mail system or sending a spoofed email on behalf of a known vendor, and requesting payment be made to a fraudulent account. 
  • Attorney impersonation: A spammer claims to be an attorney and issues a fraudulent request warning of the consequences of noncompliance, including the prospect of litigation. Employees at lower levels are commonly targeted with this scheme.
  • W-2 form and other data theft: Targeting a company’s HR department to obtain W-2 tax forms or other personally identifiable information to use in a future attack. Executives are frequently targeted in this type of scheme.

Typical BEC Timeline

  1. The targeting phase. Criminals identify a potential target company and the employees to spoof, what emails to compromise and who to target for a wire transfer.
  2. Grooming. Next, the scammer will attempt to become known and trusted by the targeted victim, using spear phishing and email compromise to infiltrate the organization and set the scene. This can take weeks in some situations.
  3. Information request or instructions. Once the victim has been taken in, the fraudster will send payment instructions to an account or request specific banking or personnel information.
  4. Payment. If the victim believes the request to be trustworthy, they will initiate the payment or send over the requested information. Once a payment has been made, the scammer can quickly transfer the newly deposited funds to other accounts, including non-U.S. accounts which can be difficult to trace or recover funds from.

Protecting Yourself and Your Company

The first place to start is educating yourself and your employees. Here are some the best ways to identify and stop a potential BEC scam:

  • Be extremely careful with the information you share online or on social media, such as birthdays, pet names, school names you attended, links to family members, etc. This information is commonly used in passwords and security authentication questions.
  • Never click on any links in an unsolicited email or text message asking you to update or verify your account information, and don’t trust the phone number listed in the email. Look up the company and contact them to verify a request.
  • Always look at the email address, URL, and spelling in any correspondence to verify accuracy.
  • Use caution with downloads and never open an email attachment from someone you don’t know, especially if there’s something off about the return email address. Never open a forwarded attachment you can’t verify the origin of.
  • Set up two-factor or multi-factor authentication on any and all accounts that offer it.
  • Verify payment or purchase requests in person or verbally if possible, and look for any changes in account or payment information.
  • Be wary of any requests with extreme urgency, asking you to act quickly (and often without thinking).

What to Do if You’re a Victim

Act quickly. Contact the financial institutions involved immediately and request their help contacting the financial institution that handled the transfer. Also contact your local FBI field office to report the crime, and file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

The State of Colorado also has guidelines for reporting data breaches and cybercrimes. The state Attorney General’s office has more information, as does the Colorado Bureau of Investigation and the Colorado Secretary of State.

See our previous post on Identity Theft: Protecting Your Business for more helpful tips and advice.

We can help you protect your business.

Contact Hackstaff, Snow, Atkinson & Griess today to find out how we can keep your business and intellectual property safe. Our knowledgeable attorneys can help you develop policies and advise you on the best practices to keep your business secure.