Targeted email scams are on the rise, with attackers using email to fool victims into sending money to the cybercriminals by posing as a familiar source, such as a client, vendor or anyone else to whom a wire transfer would seem routine. The FBI has dubbed these attacks BEC scams, or Business Email Compromise scams.
The bureau claims that such BEC scams have been active since 2013, affecting millions of users from over 80 countries across the globe. In the US alone, over 7000 businesses have reported incidents, with losses totaling over $747 million.
The average individual loss is around $6000, but BEC victims average losses of around $130 000…
There are security measures that can help protect your company from receiving such emails; however, none of them is completely failsafe. Because of this, it is recommended that businesses take a multi-layered approach to protecting themselves, ensuring they don’t fall victim to damaging BEC scams.
Discussed below are some recommendations in order to keep your business and your livelihood protected:
It is critical that employees within the company are aware of such attacks and the potential risks involved. Ensure they are well educated on the processes for dealing with vendors and submitting payment. Employees should recognize that BEC scams are artfully crafted, using language that relates directly to the company and containing other seemingly accurate details.
In certain instances, attackers have even used malware to obtain account credentials and access private information about the company, which lets them tailor their communications and lend legitimacy to their requests, minimizing suspicion. For example, they may send emails that appear to be from a coworker, generally someone in the accounting department, or from a vendor, asking the employee to execute a wire transfer to settle an outstanding account.
It is important to understand that these attacks are not limited to email only. There are documented instances of phishing attacks that have been conducted over the telephone, using both live people and automated bots to request account information.
Use Technology as an Advantage
As technology advances, a growing number of communications and transactions take place over email. Because of the sensitive nature of the information often shared, security is of the utmost importance. Start with a secure business email solution, such as Microsoft Office 365 or Microsoft Exchange Server. In addition, organizations should use a multi-factor authentication system.
Anti-spam solutions do much more than filter junk mail from inboxes. The majority of anti-spam solutions use real-time attack information as well as other intelligent systems to identify and isolate possible threats, including BEC attacks.
Organizations should also consider implementing an outbound email filtering solution to prevent sensitive financial information from being sent outside of the company.
Advice from the FBI
The FBI has provided the following list to help ensure your business does not fall victim to a dangerous and costly BEC scam:
- All changes in vendor payment location should be verified, as well as confirmation of requests for transfer of funds.
- Steer clear of free, web-based email accounts, as these are the most susceptible to all types of threats.
- Use caution when posting financial and personnel information to any company websites or social media.
- Be suspicious of any requests for secrecy or pressure to act quickly regarding wire transfer payments.
- Consider implementing financial security procedures, such as two-step verification for wire transfer payments.
- Create intrusion detection system rules that flag any emails from domains that are similar to, but not the same as, the company’s email domain.
- Register all internet domains that are slightly different from the company’s actual domain whenever possible.
- Know your customer, especially the reason, details and amount of payments. Beware of any obvious differences or changes.
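The FBI’s advice to flag emails from lookalike domains, to be wary of free web-based email accounts, and to treat secrecy or urgency around wire transfers as suspicious can be turned into a simple inbound mail check. The script below is an added example written for this article, not code from the FBI or from SSE Network Services; the company domain `example.com`, the homoglyph substitution list, the free webmail list and the two sample messages are all assumptions constructed for the demonstration, and the domain parsing is naive about multi-part suffixes such as `co.uk`.

```python
"""Added example: flag inbound mail from lookalike domains and other BEC red flags."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain (placeholder, not from the article; substitute your own).
COMPANY_DOMAIN = "example.com"

# Free webmail providers; the FBI advice singles out free web-based accounts as risky.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Character substitutions commonly seen in lookalike domains (assumed, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Secrecy / urgency wording around payments, matching the FBI's "be suspicious" advice.
URGENCY = re.compile(
    r"\b(urgent|immediately|confidential|do not (?:discuss|tell)|wire transfer)\b", re.I
)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label):
    """Collapse visually confusable sequences so 'exarnple' compares equal to 'example'."""
    label = label.lower()
    for lookalike, real in HOMOGLYPHS:
        label = label.replace(lookalike, real)
    return label


def is_lookalike(domain, company=COMPANY_DOMAIN, max_distance=2):
    """True when domain resembles the company domain but is not it (or a subdomain of it)."""
    domain = domain.lower()
    if not domain or domain == company or domain.endswith("." + company):
        return False
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else domain   # registrable label, naive about co.uk etc.
    clabel = company.split(".")[-2]
    if clabel in parts:                                 # e.g. example.co, example.com.evil.net
        return True
    if fold_homoglyphs(label) == fold_homoglyphs(clabel):
        return True
    return levenshtein(label, clabel) <= max_distance


def assess_message(raw):
    """Return the BEC red flags found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if is_lookalike(from_domain):
        flags.append(f"lookalike sender domain: {from_domain}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain differs from From: {reply_domain}")
        if reply_domain in FREE_WEBMAIL:
            flags.append(f"Reply-To uses free webmail: {reply_domain}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hits = sorted({m.lower() for m in URGENCY.findall(msg.get("Subject", "") + "\n" + body)})
    if hits:
        flags.append("urgency/secrecy wording: " + ", ".join(hits))
    return flags


# Constructed sample messages for the demonstration (not real mail).
SAMPLE_BEC = """\
From: "Jane Doe, CFO" <jane.doe@exarnple.com>
Reply-To: jane.doe.cfo@gmail.com
To: accounts@example.com
Subject: Urgent wire transfer

Please process the wire transfer immediately and keep this confidential
until I am back in the office.
"""

SAMPLE_OK = """\
From: Vendor Billing <billing@acme-supplies.net>
To: accounts@example.com
Subject: Invoice 1042

Attached is this month's invoice. Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(name, assess_message(raw) or ["no flags"])
```

Run stand-alone, the script reports four flags for the constructed BEC message (lookalike sender domain, mismatched Reply-To, free webmail Reply-To, and urgency wording) and none for the ordinary vendor invoice. A flag is a prompt for the out-of-band verification the FBI list calls for, not proof of fraud; legitimate mail from a partner whose domain happens to resemble yours will also trip the lookalike rule, so tune the distance threshold and keep an allow list of known partner domains.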
Find out more ways to protect against scams and other types of attacks. Call SSE Network Services at (314) 439 - or send us an email at firstname.lastname@example.org to learn about our managed IT services. We’ll keep your technology safe and operating at peak performance for a flat-rate monthly fee.