Business Email Compromise
Educating yourself about phishing is the best means to protect your business. Fraudsters will pose as someone within your organization, or as an influential individual to gather sensitive information.
What is a business email compromise?
Business email compromises often occur within companies that transact with vendors and suppliers. Typically, a fraudster will send a fake invoice or a request for payment information to be updated. Another tactic is sending an email posing as a leader or “big boss” within a company. In this situation, the fraudster may send an email asking the employee to wire funds or make a payment with a sense of urgency. An instruction that appears to come from an executive or upper management may make an employee act quickly without second-guessing the legitimacy of the request. By the time the manager is back in the office and the situation is discussed in person, it is too late to cancel or stop the funds from reaching the poser’s account.
Here’s what happens in most instances of a business email compromise:
- A fraudster will target a company that often transacts with vendors outside of the organization.
- The fraudster will use malware to determine which employees govern transactions or have access to finances (e.g., executive assistants, accountants, accounts payable staff).
- The fraudster will use the information they’ve collected to send a targeted email posing as a CEO or executive, requesting the individual to make a wire transfer or send a payment immediately. The email will often make the process seem too easy to be true – providing exact payment details so no questions will need to be asked.
- The recipient unsuspectingly sends the funds to the account of the fraudster.
- The fraudster receives the funds and will launder the stolen money in accounts that are difficult to trace. By the time the breach is discovered, it is nearly impossible to locate and retrieve the funds.
What are warning signs of business email compromise?
It’s easy to be naïve and think that you and your employees are too observant to fall for this scam. However, fraudsters are smart and use proven tactics to exploit their victims. Be on alert for the following tactics used by fraudsters:
- Spoofed email posing as a legitimate sender. Fraudsters pose as individuals within your organization by creating email accounts with similar domains and email addresses. The sender account may be one or two letters off from the actual account, designed to slide through inboxes without a second thought. For example, if a fraudster is trying to impersonate CEO Jane Smith of XYZ Investment, they may create an email such as firstname.lastname@example.org or email@example.com, instead of her actual email of firstname.lastname@example.org. Consider registering website domains that are similar to your own. Even if you’re not actively using them, owning them may prevent a fraudster from registering them in the future.
- Messages to send funds with immediacy. If an email is sent with a request for funds and there is a sense of urgency or odd grammar usage, it is a sign of a fraudulent email. Instead of reacting immediately, train employees to do their due diligence when it comes to their inbox.
- The use of malware. Fraudsters use malware to access your network and scrape for personal and financial information. Make sure your employees know not to download software and online programs to their work computers. If possible, implement network controls that only allow certain people, such as an IT department, the right to approve downloads.
- Generic terms instead of real names. Fraudsters will not include a real name within their email. Instead generic terms like “Dear,” “Sir,” “Ma’am,” or “Customer” will be used. This is because fraudsters do not know people’s real names and are usually sending mass emails to hundreds of email addresses at a time.
- Attached invoices that may or may not look familiar. It is not uncommon to receive invoices via email, which is what fraudsters are betting on. Fraudsters will spoof real company invoices to match almost exactly. No matter how “real” an invoice looks, always double check before any invoice is paid, even if you are expecting an invoice.
What steps can I take to spread awareness and protect my organization?
- Set up network controls for downloading new software. As previously mentioned, create security controls on employee computers to keep malware from being downloaded onto network computers.
- Keep inboxes secure. Avoid using free, web-based email platforms. They normally have fewer security features and are more easily hacked. In addition, create flags for email addresses that are similar to your company’s address. This will help call out those email addresses that are created to slip through the cracks with the look and feel of an employee or upper management.
- Flag external emails. Ensure that external emails received through company addresses are flagged as external. This adds an extra layer of security with a visible indicator to employees.
- Implement a two-step process for payments. Secure company funds with at least a two-step verification process for all wire transfers and transactions. Creating an approval process protects you from external and internal fraud attempts.
- Always verify invoices before payment. Train yourself and your employees to always call and verify an invoice before paying it. It will only take a few minutes and companies will happily verify invoices to ensure they are real. Also, companies will want to know if fraudsters are using their information to spoof and target their customers.
- Educate your employees. If your employees are aware of what to look for and are routinely reminded of the warning signs of a business email compromise, they will be more apt to recognize illegitimate emails.
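The lookalike-sender warning sign above and the two inbox controls in this list (flagging addresses that resemble your company’s domain, and marking external mail) can be expressed as one small screening rule. The script below is an added example for this article, not a tool the article or any vendor provides; the organization domain `xyzinvestment.example`, the executive name list, the homoglyph table and the sample headers are all constructed assumptions. It classifies each From: header as internal, lookalike (display-name spoof, swapped top-level domain, homoglyph substitution, or a domain one or two letters off) or external, and tags the subject the way a gateway rule would.

```python
"""Flag inbound mail whose sender is external or a lookalike of our own domain.

Added example for this article; not the article's own tooling. The
organization domain, executive names and sample messages are constructed.
"""
from email.utils import parseaddr

OUR_DOMAIN = "xyzinvestment.example"        # assumption: the company's real domain
EXECUTIVES = {"jane smith"}                  # assumption: display names worth protecting

# Character swaps fraudsters use to make a domain look like ours.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'xyzinvestrnent' compares as 'xyzinvestment'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify_sender(from_header: str, our_domain: str = OUR_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"                    # malformed or bare name: never trust it
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == our_domain:
        return "internal"
    # An executive's name on a foreign address is classic display-name spoofing.
    if name.strip().lower() in EXECUTIVES:
        return "lookalike"
    ours, theirs = our_domain.split(".")[0], domain.split(".")[0]
    # Same name under a different TLD, or a homoglyph-substituted name.
    if normalize(theirs) == normalize(ours):
        return "lookalike"
    # "One or two letters off", as the article puts it.
    if levenshtein(theirs, ours) <= 2:
        return "lookalike"
    return "external"


def tag_subject(from_header: str, subject: str, our_domain: str = OUR_DOMAIN) -> str:
    """Prefix the subject the way a gateway 'external sender' rule would."""
    verdict = classify_sender(from_header, our_domain)
    if verdict == "lookalike":
        return "[SUSPECTED LOOKALIKE] " + subject
    if verdict == "external":
        return "[EXTERNAL] " + subject
    return subject


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        ("Jane Smith <jane.smith@xyzinvestment.example>", "Q3 board deck"),
        ("Jane Smith <jane.smith@xyzinvestments.example>", "Urgent wire today"),
        ("jane.smith@xyzinvestrnent.example", "Need this done quietly"),
        ("Jane Smith <jane.ceo@webmail.example>", "Are you at your desk?"),
        ("Acme Billing <ap@acme.example>", "Invoice 1042 - updated bank details"),
    ]
    for hdr, subj in samples:
        print(f"{classify_sender(hdr):10} {tag_subject(hdr, subj)}")
```

The edit-distance threshold of two is deliberately simple; for a very short company name it will flag unrelated domains, so a production rule would scale the threshold with label length and maintain an allow-list of known vendors. The tag is an indicator for the reader, not a block: the article’s two-step payment approval and the phone call to verify an invoice remain the controls that actually stop the transfer.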
As fraudsters become smarter with their tactics, it’s important to educate your employees and ensure you’re taking the preventive measures necessary to keep your company funds safe. Technology is advancing every day, which means your security measures must keep up in order to recognize and block fraud attempts. If you ever suspect your business is the victim of a BEC scam, immediately report the incident to law enforcement or to the Internet Crime Complaint Center (IC3).