Business Email Compromise: What It Is and What You Can Do
By Kelly Wilkins and James P. Melendres
Business email compromise (BEC) is a type of cyberattack that is increasing at an alarming pace. The U.S. Federal Bureau of Investigation (FBI) estimated in a May 2017 alert that global losses due to BEC scams totaled more than $5.3 billion between May 2013 and December 2016. Such scams have increased more than 2,300 percent in the last two years, according to the FBI. BEC is not a new type of cyberattack, but it is being put to striking new use.
What It Is. BEC is a cyberattack in which a cybercriminal either takes control of a legitimate business email account or spoofs the identity of its owner. “Spoofing” is forging an email address, or the display name attached to it, so that a message appears to come from an authentic sender when it does not. The cybercriminal then trades on that apparent authority to fraudulently transfer money from the business or its employees, customers or partners.
Who the Targets Are. The most common targets are companies that use wire transfers to send money internationally. Some victims have reported using checks as a method of payment. BEC attacks target large and small businesses.
In one sampling of attacks, countries that had the most BEC attempts in the first half of 2017 were the United States, Australia, and the United Kingdom. The scam has been reported in all 50 U.S. states and in 131 countries.
How the Schemes Can Operate. BEC schemes have multiple scenarios:
- The email account of a high-level executive is compromised. The account may be spoofed or actually hacked. A request for a wire transfer is made to another employee at the same company, typically an employee who is responsible for processing such wire transfers. This scenario has also been referred to as “CEO Fraud,” “Masquerading,” and “Financial Industry Wire Frauds.”
- An outside supplier is impersonated, typically one with which the target company has an established relationship. The company is asked to wire funds to pay an invoice. The request may be made by email (spoofed), phone, or fax; all are fraudulent but appear legitimate. The funds are wired to an alternative, fraudulent account. This scenario is also known as the “Supplier Swindle” and “Invoice Modification Scheme.”
- An email account is hacked. From the compromised account, cybercriminals send requests for invoice payments to multiple vendors. The vendors are identified from the employee’s contacts list or address book. The transfer is made to a fraudulent account.
- Cybercriminals impersonate attorneys or law firm representatives who claim to be handling confidential or time-sensitive business. This scam often occurs at the end of a business day or week and may be timed to coincide with the close of business of international banks. Victims are persuaded to act swiftly or secretly by transferring funds.
- A recently observed variant: a compromised email account is used to request personally identifiable information, such as all employees’ W-2 forms or Social Security numbers. This scam first appeared just prior to the 2016 U.S. tax season and escalated again in 2017.
What You Can Do. The FBI’s May 2017 public service announcement lists these self-protection strategies:
- Establish procedures to hold requests for international wire transfers for an additional time period to verify the request’s legitimacy. When using phone verification, use previously known numbers, not the numbers provided in the email request.
- Be suspicious of requests for secrecy or pressure to take action quickly. Carefully scrutinize all email requests for transfers of funds to determine if the requests are out of the ordinary.
- Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
- Immediately report and delete unsolicited email (spam) from unknown parties. DO NOT open spam email, click on links in the email, or open attachments. These often contain malware that will give the attackers access to your computer system.
- Do not use the “reply” option to respond to any business emails. The visible sender address can be forged, and a Reply-To header can silently route your reply to an address the attacker controls. Instead, use the “forward” option and either type in the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted through their personal email address when all previous official correspondence has been through company email, the request could be fraudulent. Always verify through other channels that you are still communicating with your legitimate business partner.
- Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- If funds are transferred to a fraudulent account, act quickly. Contact your own financial institution immediately and ask that it contact the receiving institution. In certain circumstances, it may be possible to freeze or reverse the funds, although such recourse is by no means guaranteed.
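The “reply” trap, lookalike sender domains, and pressure for speed or secrecy described above are all visible in a message before anyone acts on it. The following is an added example, not part of the original article or the FBI announcement, showing how a mailroom or SOC script could flag those indicators in a raw message using Python’s standard email library. The partner-domain list, the phrase list, and both sample messages are constructed for this demonstration; a real deployment would draw the known domains from the vendor master file.

```python
"""Flag Business Email Compromise indicators in a raw RFC 5322 message.

Added example; not from the original article or the FBI PSA. It checks three
header/body signals discussed in the article: a Reply-To that points somewhere
other than the From address (why "reply" is risky), a From domain that merely
resembles a known partner's domain, and urgency or secrecy language.
"""
from __future__ import annotations

from email import message_from_string, policy
from email.utils import parseaddr

# Constructed for this example: domains of organisations we actually pay.
KNOWN_PARTNER_DOMAINS = {"example-supplier.com", "ourcompany.example"}

# Constructed phrase list; checked against subject and body, lower-cased.
URGENCY_PHRASES = ("urgent", "immediately", "confidential", "do not discuss",
                   "wire", "before close of business")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of user@host, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, known: str) -> bool:
    """True if `domain` differs from `known` by exactly one character edit
    (substitution, insertion or deletion), e.g. 'example-suppliers.com'."""
    if domain == known or abs(len(domain) - len(known)) > 1:
        return False
    if len(domain) == len(known):                       # one substitution
        return sum(a != b for a, b in zip(domain, known)) == 1
    short, long_ = sorted((domain, known), key=len)    # one insertion/deletion
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def bec_indicators(raw_message: str) -> list[str]:
    """Parse one raw message and return a list of human-readable findings.
    An empty list means none of the three indicators fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    # 1. Reply-To steering: hitting "reply" would go to a different domain.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from "
                        f"From domain {from_dom!r}")

    # 2. Sender domain is a near-miss of a partner we actually deal with.
    if from_dom and from_dom not in KNOWN_PARTNER_DOMAINS:
        for known in sorted(KNOWN_PARTNER_DOMAINS):
            if lookalike(from_dom, known):
                findings.append(f"From domain {from_dom!r} is a lookalike of "
                                f"known partner {known!r}")

    # 3. Pressure to act quickly or keep the request quiet.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" +
            (body.get_content() if body is not None else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency/secrecy language: " + ", ".join(hits))
    return findings


# Constructed sample: a supplier-swindle style message with all three signals.
SAMPLE_MESSAGE = """\
From: "Accounts Payable" <billing@example-suppliers.com>
Reply-To: billing.desk@mail-relay.example.net
To: ap@ourcompany.example
Subject: Updated banking details - URGENT
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice immediately and wire to our new account.
This is confidential; do not discuss with anyone else before close of business.
"""

# Constructed sample: an ordinary invoice from the real partner domain.
BENIGN_MESSAGE = """\
From: "Accounts Receivable" <billing@example-supplier.com>
To: ap@ourcompany.example
Subject: March invoice
Content-Type: text/plain; charset="utf-8"

Attached is the invoice for March, payable on the usual terms.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", bec_indicators(raw) or ["no indicators"])
```

The script does not decide whether a message is fraudulent; it surfaces the indicators so the hold-and-verify procedure described above is triggered for the right messages. The lookalike check is deliberately narrow (one character edit) to keep false positives low; homoglyph and registered-but-unrelated domains need a richer comparison than this example shows.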