Through our work in cyber and information security, we have formed relationships with professionals at Secure the Village and Citadel Information Group. They have kindly allowed us to post on our blog site some of the articles they have authored about cyber security. This article provides a great overview of the business email compromise scam and how to avoid being taken in by it.
Business E-mail Compromise: Don’t Be a Victim
By Stan Stahl, PhD, President of Citadel Information Group, Inc. & Founder and President of Secure the Village
What to Do: Implement very strong controls on wire transfers
Assume all email or fax requests from a vendor to change bank accounts are fraudulent. Assume all email or fax requests from the company President or others are fraudulent. Assume all email or fax requests to set-up a new vendor are fraudulent. Pick up the phone, call the party in question and verify the request is legitimate.
If you discover you are a Business Email Compromise victim, immediately contact the FBI’s Southern California Cyber Fraud unit at email@example.com. They have established banking relationships and are often able to recover funds if they are notified within 72 hours.
And talk to your banker. Make sure they have your back.
It’s also a good idea to check with your insurance broker to ensure that business email compromise losses are covered.
Not too long ago, email scams were relatively easy to detect. They were often from unknown contacts and referenced bank or credit card information which was clearly incorrect. Sometimes, the emails would simply contain a link. As time has passed, fraudulent attempts to gain control of your online banking, your critical information, and your identity have become more skillful and harder to spot. These days’ emails often appear to come from recognized accounts, are well written, and–at least at first glance–seem legitimate.
The newest — and one of the costliest — in a long line of fraudulent e-mail scams is “Business E-Mail Compromise” (BEC).
Business Email Compromise (BEC) is a very sophisticated attempt to induce a business to willingly hand over their money to a cybercriminal. In Business Email Compromise (BEC), crooks spoof communications from executives or vendors at the victim firm in a bid to initiate unauthorized wire transfers.
According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015. Business Email Compromise cost Ubiquiti Networks $46 million.
Collectively, Business Email Compromise has resulted in actual and attempted losses of over a billion dollars worldwide. The FBI reports, “…since the beginning of 2015 there has been a 270 percent increase in identified BEC victims. Victim companies have come from all 50 U.S. states and nearly 80 countries abroad.”
BECs can target businesses working with foreign suppliers or regularly performing wire transfer payments, although they have also targeted some that do not strictly fit this criterion. In order to solicit unauthorized transfers of funds, the scams compromise legitimate business e-mail accounts through social engineering or computer intrusion techniques. Prior to making contact, the scammers learn enough about their target to create emails that use language specific to the company and request wire transfers that seem legitimate.
For more information on BECs, see https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise and http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/
Linking to Non-Regents Bank Websites
This icon appears next to every link that directs to a third party website not affiliated with Regents Bank. Please be advised that if you click this link you will be taken to a website hosted by another party, where you will no longer be subject to, or under the protection of, the privacy and security policies of Regents Bank. We recommend that you review and evaluate the privacy and security policies of the site that you are entering. Regents Bank assumes no liability for the content, information, security, policies or transactions provided by these other sites.