3 Common Scenarios of How Business Email Compromise Defrauds Your Company
Email phishing in the form of Business Email Compromise (BEC) is becoming increasingly prevalent. According to data released by the FBI, global losses attributed to BEC reached 12 billion US dollars between October 2013 and May 2018. Companies therefore need to be wary of BEC attacks. There are at least three scenarios which perpetrators commonly use to defraud companies:
1. The perpetrators exploit the relationship and trust between a victim company and its vendors. Impersonating a vendor or supplier, the perpetrators email the company's employees and urge them to wire payments to "the vendor's" bank account, which is in fact controlled by the perpetrators.
The perpetrators usually send from an email address that closely resembles the real vendor's. For example, if the vendor's address is email@example.com, the perpetrator registers a domain that differs from the vendor's by a single character (a dropped or doubled letter, two swapped letters, or a visually similar character such as a digit 1 in place of a lowercase l) and sends from an address on that lookalike domain. At a glance, especially on a phone screen, the two addresses are hard to tell apart.
2. The perpetrators impersonate the superiors of financial managers (the CEO or a financial director) and send emails to those managers. This kind of BEC is also known as 'CEO fraud.'
Before launching this scenario, the perpetrators have usually observed the target for some time, and may even have taken over the superior's real email account. An email account that is not protected by two-step verification can be taken over with nothing more than a phished or reused password, which makes such accounts easy targets. Posing as the superior, the perpetrators tell the manager that a payment to a vendor is pending and must be made urgently. Note that when the real account has been compromised, the message comes from the genuine address and passes every sender check, so only out-of-band verification of the request will catch it.
3. BEC perpetrators do not always go straight for money. They also harvest credentials that can be used in further BEC or phishing scenarios. Impersonating a legitimate entity, they email employees, commonly the HR department, and encourage them to click a link. Clicking it downloads malware to the employee's device, and through that malware the perpetrators steal the company's credentials.
Mitigation needs to be carried out not only in a company's IT security systems but also in the readiness and awareness of employees regarding the BEC threat. There are at least three simple checks that employees can apply to every email they receive to avoid being trapped by BEC:
1. Make sure the sender's email address uses the legitimate domain, spelled correctly character by character. A domain that differs from the real one by a single letter is the usual giveaway.
2. Verify before wiring any payment. Confirm the request directly with the sender, face to face or by telephone, using a number you already have on file rather than one supplied in the email, especially when the amount is considerably large.
3. Apply the four-eye principle, under which every large transaction must be approved by at least two executives.
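The lookalike-domain trick described in scenario 1 and the character-by-character sender check in the first tip above can be automated at the mail gateway or in a mailbox rule. The following Python script is an added example and is not code from the original article or from Integrity; the trusted-domain list, the confusable-character table, the distance threshold and the sample From: headers are all constructed for illustration. It flags senders whose domain is an exact or near match for a trusted vendor domain, including digit-for-letter substitutions, accented (IDN/punycode) lookalikes, and display names that claim a vendor while the address lives elsewhere.

```python
"""Flag From: addresses whose domain merely resembles a trusted vendor domain.
Added example (not the article's code); all names and thresholds are assumptions."""
import unicodedata
from email.utils import parseaddr

# Constructed sample: the domains accounts-payable genuinely corresponds with.
TRUSTED_DOMAINS = {"example.com", "vendor-supplies.example"}

# Visually confusable substitutions seen in typosquats (hypothetical, non-exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance. A small distance between a sender domain and a
    trusted one is the typosquat signature: one dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Collapse confusable spellings to one canonical string: lowercase, strip
    accents (so 'exämple' becomes 'example'), then apply the substitution table."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> dict:
    """Return a verdict of 'trusted', 'lookalike' or 'unknown' for a From: header."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"address": addr, "domain": "", "verdict": "unknown", "reason": "no address"}
    domain = addr.rsplit("@", 1)[1].lower()
    result = {"address": addr, "domain": domain}

    # Exact match, or a subdomain of a trusted domain (mail.example.com).
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return {**result, "verdict": "trusted", "reason": "exact match"}

    # Punycode labels (xn--...) decode to the Unicode string the reader actually sees.
    try:
        shown = domain.encode("ascii").decode("idna")
    except UnicodeError:
        shown = domain

    # Pass 1: confusable characters (digit 1 for l, rn for m, accented letters).
    for t in trusted:
        if skeleton(shown) == skeleton(t):
            return {**result, "verdict": "lookalike", "reason": f"confusable spelling of {t}"}

    # Pass 2: one or two characters away from a trusted domain.
    for t in trusted:
        dist = levenshtein(shown, t)
        if dist <= max_distance:
            return {**result, "verdict": "lookalike", "reason": f"edit distance {dist} from {t}"}

    # Pass 3: display name names a trusted vendor but the address is somewhere else.
    for t in trusted:
        vendor = t.split(".")[0]
        if vendor in display_name.lower():
            return {**result, "verdict": "lookalike", "reason": f"display name impersonates {t}"}

    return {**result, "verdict": "unknown", "reason": "no trusted domain resembles sender"}


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "Acme Billing <ap@example.com>",
        "Acme Billing <ap@examp1e.com>",
        "Acme Billing <ap@exarnple.com>",
        "Acme Billing <ap@exämple.com>",
        "Example Corp Accounts <ap@mail-service.net>",
        "Newsletter <news@unrelated.org>",
    ]
    for hdr in samples:
        r = classify_sender(hdr)
        print(f"{r['verdict']:9} {hdr:45} {r['reason']}")
```

The distance threshold of 2 is deliberately aggressive: it will also flag legitimate domains that happen to sit close to a vendor's, which is the right trade-off for an accounts-payable mailbox where every hit is reviewed by a person. The script does not attempt to catch a compromised genuine account (scenario 2), since that mail comes from the real domain; that case is what the telephone verification and four-eye rules are for.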
Besides prevention, companies should also prepare effective countermeasures to minimize damage and losses and to strengthen their security posture. One such measure is conducting an investigation.
Since investigating cybercrime demands considerable resources, time and effort, companies are strongly advised to work with an experienced, professional third-party provider of mitigation and investigation services.
Integrity is trusted by its clients as a provider of risk mitigation and business investigation services, including fraud audits and investigations, theft investigations, asset tracing, skip tracing, and litigation support. Our analysts and investigators are professionals with the skills and experience to conduct business investigations. For more information about business investigations, do not hesitate to contact us.