Financial cyber-crime against businesses is increasing, according to a news release from the FBI. The scheme known as Business Email Compromise (BEC) should concern every business. It is a targeted attack whose goal is to get money transferred from a business's bank account to the attacker. The criminal uses a compromised legitimate email account, or a convincing look-alike, to send a request for a transfer of funds to an employee. The release reports a 270% increase in BEC attacks in 2015 to date.
The funds are generally moved by wire transfer, but the fraudster may request a check if that is the business's normal payment method. The criminal uses real information about the company and its people, often gleaned through social engineering or a previous network intrusion. The criminal may know senior managers' travel plans, what previous legitimate requests looked like, which employees authorize transfers, and other internal details. These attacks are usually highly specific, not broad, impersonal spam campaigns.
According to the FBI, the email scam is occurring in all 50 states, and businesses of all sizes are being targeted. To date, the FBI has seen requests for fund transfers to over 70 countries, with a large share of the requests directing funds to banks located in Hong Kong and China.
There are several known versions of the BEC scam. In the most recent version the criminals claim to be attorneys or other representatives of law firms, and the contact may come by phone or by email. They claim to be handling a confidential or time-sensitive matter and pressure the employee to act secretly or urgently. The BEC request is often sent at the end of the day or the week to exploit the rush before close of business.
What you can do
Business owners should educate all their employees about this type of cyber-attack. The criminal may impersonate key employees who are involved with funds transfers, but may also try to gather information through social engineering from any employee. For example, a simple question to the receptionist about the CEO's next business trip can give the attacker useful information.
The FBI suggests the following tips to reduce the chances of being a victim of a BEC:
• Confirm requests for transfers of funds. When phone verification is part of the two-factor check, call back on a number already known to you, not a number provided in the e-mail request.
• Verify changes in vendor payment location.
• Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
• Be careful when posting financial and personnel information to social media and company websites.
• Be suspicious of requests for secrecy or pressure to take action quickly with funds transfer requests.
• Use financial security procedures that include a two-step verification process for wire transfer payments.
• Create intrusion detection system rules on your network that flag e-mails from domains that closely resemble the company's domain but are not identical, for example .co instead of .com.
• Register the Internet domains that differ only slightly from the actual company domain, such as .co, .biz, and the country-code extensions for any countries where you do business.
• Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
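The "flag look-alike domains" tip above is the one item in the list that turns into detection logic. The following Python script is an added example written for this post; it is not FBI or vendor code. It assumes a hypothetical company domain of example.com and runs over a handful of constructed From: header values. It catches the .co-for-.com swap the FBI mentions and, going beyond that single case, the other common look-alike tricks: digit and "rn"-for-"m" homoglyphs, one-character typos and transpositions, the real domain used as a subdomain of an attacker-owned domain, and the real address placed in the display name while the actual address is elsewhere.

```python
"""Flag e-mail senders whose domain merely looks like the company's own.

Added illustration for the "flag look-alike domains" tip. The company domain,
the homoglyph table and the sample headers are constructed for this example.
"""
import unicodedata
from email.utils import parseaddr

# Constructed: the legitimate domain of the hypothetical business.
COMPANY_DOMAIN = "example.com"

# Digits attackers swap in for visually similar letters (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(text: str) -> str:
    """Lower-case, strip accents (IDN tricks such as 'exámple'), map digit
    look-alikes and the 'rn' -> 'm' trick so visually similar strings compare equal."""
    t = unicodedata.normalize("NFKD", text.strip().lower())
    t = "".join(c for c in t if not unicodedata.combining(c))
    return t.translate(HOMOGLYPHS).replace("rn", "m")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insert, delete, substitute and adjacent transposition each cost 1,
    so 'exampel' is one edit away from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN):
    """Return (verdict, reason) for one From: header value.
    verdict is 'legit', 'lookalike', 'external' or 'invalid'."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "invalid", "no parseable address in header"
    domain = address.rsplit("@", 1)[1].lower()
    company = company_domain.lower()

    if domain == company or domain.endswith("." + company):
        return "legit", "company domain or one of its subdomains"
    # Trick: real address shown in the display name, mail actually from elsewhere.
    if company in display_name.lower():
        return "lookalike", "display name impersonates a company address"
    # Trick: company domain used as a prefix label of an attacker-owned domain.
    if domain.startswith(company + "."):
        return "lookalike", "company domain prefixed to a foreign domain"

    # Compare the registrable label; assumes a single-label TLD such as .com.
    label, tld = domain.rsplit(".", 1) if "." in domain else (domain, "")
    c_label, c_tld = company.rsplit(".", 1)
    if normalize(label) == normalize(c_label):
        if tld != c_tld:
            return "lookalike", f"company name with swapped TLD .{tld}"
        return "lookalike", "homoglyph variant of company domain"
    # Trick: one typo or transposition away from the company label.
    if osa_distance(normalize(label), normalize(c_label)) <= 1:
        return "lookalike", "one edit away from company domain"
    return "external", "unrelated domain"


# Constructed From: header values, the kind a mail gateway or SIEM would feed in.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@mail.example.com>",
    "Jane Doe <jane.doe@example.co>",
    "Jane Doe <jane.doe@exarnple.com>",
    "Jane Doe <jane.doe@examp1e.com>",
    "Jane Doe <jane.doe@exampel.com>",
    '"jane.doe@example.com" <jane.doe@mail-example.com>',
    "Jane Doe <jane.doe@example.com.evil-host.net>",
    "Vendor Billing <ar@vendor-supplies.net>",
]


def scan(headers=SAMPLE_HEADERS, company_domain=COMPANY_DOMAIN):
    """Classify a batch of headers; returns a list of (header, verdict, reason)."""
    return [(h, *classify_sender(h, company_domain)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in scan():
        print(f"{verdict:9s} {reason:48s} {header}")
```

Treat the output as a triage signal, not a verdict: the edit-distance threshold is a tuning knob (raising it to 2 would also flag an unrelated domain such as sample.com), the display-name rule will occasionally catch a genuine partner quoting your domain, and the "legit" result only says the domain matches, so it should be combined with SPF, DKIM and DMARC results and with the call-back verification described in the list above before any transfer is approved.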
For key employees who travel frequently and authorize funds transfers, consider a special way to confirm requests, such as a code word or phrase agreed in person and never written down anywhere on the network, so that an intruder who searches company systems cannot find it.
Businesses can also check with their banks to see what additional measures they suggest.
If you would like to receive our fascinating blogs on cybersecurity please like us on Facebook.