The FBI issued a Public Safety Alert (PSA) in June regarding business email compromise fraud. The frequency of this type of cyber-crime has increased 1,300% since January 2015. The FBI issued a previous alert on business email compromise (BEC) fraud in May.
This new alert shows the FBI's level of concern about this type of fraud. The FBI issues PSAs sparingly, only for specific threats. Other PSAs issued include one on internet-connected cars and one on the internet of things.
In a BEC, a cyber-criminal uses a legitimate business email address to impersonate a company employee for the purpose of transferring funds to the criminal's account. The funds are usually transferred by wire, but at times company checks are used. For the price of two movie tickets and popcorn, a hacker can buy off-the-shelf tools for use in these cyber-attacks.
The criminal gains access to the authentic email account via social engineering or network intrusion. The request is generally submitted under the name of the CEO or president to the senior financial officer. The request can appear normal, as the hacker often knows the type of transfers the company makes.
Top roles impersonated
In a survey performed by Trend Micro, a security company, over 60% of the roles impersonated were CEO or President.
Over 60% of the targets have been the Chief Financial Officer or someone with a similar financial title. A newer variant targets employees who have access to W-2s or other personally identifiable information. These targets are often in the human resources or auditing departments.
Email subject lines tend to be simple and vague, such as:
- Request for [day/month/year]
- Transfer Request
What a business can do
One trend is that targeted businesses often use web-based free email services. At minimum, two-factor authentication should be used to reduce risks. A stronger security measure is establishing employee email addresses on a company domain name hosted by a vendor with strong cyber security.
Another security measure is to use a phone verification method after receiving an email transfer request. Additionally, be suspicious if a vendor suddenly uses a personal email account when previous communications have been through the business’ email address. If something changes suddenly or seems suspicious, investigate before sending money.
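The checks described above can be turned into a simple triage rule that tells a finance or HR mailbox owner when a message deserves a phone call before any money or W-2 data moves. The following is an added example, not code from the FBI alert or from Excelsior College; the company domain, executive name, vendor name, free-webmail list and the four sample messages are all constructed for illustration. It flags the patterns the article names: an executive's display name on an address that is not the executive's company mailbox, a reply address that differs from the sender, a known vendor suddenly writing from a personal webmail domain, and a vague subject line such as "Transfer Request" or "Request for [date]" paired with transfer or W-2 language in the body.

```python
import re
from email.utils import parseaddr

# --- Assumptions for this example (constructed, not taken from the alert) ---
COMPANY_DOMAIN = "example-corp.com"                     # the business's own mail domain
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Executives whose names BEC actors impersonate, mapped to their real company mailbox.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
# Vendors the company already pays, keyed by display name, with the domain they have always used.
KNOWN_VENDOR_DOMAINS = {"acme supplies": "acmesupplies.com"}
# Vague subject lines of the kind the article lists ("Transfer Request", "Request for <date>").
VAGUE_SUBJECT = re.compile(
    r"^\s*(request(\s+for\s+\S+)?|transfer request|urgent request|payment request)\s*$", re.I)
# Body language that turns a vague subject into a money or W-2 request.
MONEY_OR_W2 = re.compile(r"\b(wire|transfer|payment|w-2|w2)\b", re.I)


def flags_for(msg):
    """Return the reasons a message should be verified by phone before acting on it.

    msg is a dict with the headers From, Reply-To (optional), Subject and a Body string.
    An empty list means none of the article's warning signs were seen.
    """
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    key = name.strip().lower()
    sender_domain = addr.rpartition("@")[2].lower()
    reasons = []

    # 1. Executive display name, but not the executive's real company mailbox.
    expected = EXECUTIVES.get(key)
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' used with {addr}, expected {expected}")

    # 2. Replies would go somewhere other than the visible sender.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. A known vendor writing from a personal webmail domain instead of its business domain.
    vendor_domain = KNOWN_VENDOR_DOMAINS.get(key)
    if vendor_domain and sender_domain != vendor_domain and sender_domain in FREE_WEBMAIL:
        reasons.append(f"vendor '{name}' switched from {vendor_domain} to {sender_domain}")

    # 4. Vague subject line combined with a transfer or W-2 request in the body.
    subject = msg.get("Subject", "")
    if VAGUE_SUBJECT.match(subject) and MONEY_OR_W2.search(msg.get("Body", "")):
        reasons.append(f"vague subject '{subject}' with transfer/W-2 language in body")

    return reasons


def triage(messages):
    """Map each message index to its list of reasons; only flagged messages are included."""
    return {i: r for i, m in enumerate(messages) if (r := flags_for(m))}


# Constructed sample traffic: one routine message and three that show the article's patterns.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example-corp.com>",
     "Subject": "Q3 budget", "Body": "Please review the attached budget."},
    {"From": "Jane Doe <jane.doe.ceo@gmail.com>", "Reply-To": "jane.doe.ceo@gmail.com",
     "Subject": "Transfer Request",
     "Body": "Need an urgent wire to a new supplier today, I am in meetings all day."},
    {"From": "Acme Supplies <acme.billing@yahoo.com>",
     "Subject": "Request for 06/14/2016",
     "Body": "Our bank details changed; please send the transfer to the new account."},
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Reply-To": "jd.finance@outlook.com",
     "Subject": "Request", "Body": "Send me the W-2 forms for all employees as a PDF."},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLES).items():
        print(f"message {idx}: verify by phone before acting")
        for reason in reasons:
            print(f"  - {reason}")
```

The output is deliberately a list of reasons rather than a block decision: the article's advice is to investigate before sending money, so the rule's job is to make the phone-verification step happen, using a number already on file rather than one supplied in the suspicious message. A real deployment would populate EXECUTIVES and KNOWN_VENDOR_DOMAINS from the directory and the accounts-payable vendor list instead of the constants used here.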
If you think you have been a victim, do the following:
- Contact your financial institution and ask them to contact the recipient’s financial institution where the money was sent
- Contact your local FBI office
- Submit a complaint to IC3.gov regardless of the amount involved
- Talk with your insurance agent to see if this type of cyber-crime is covered
At the National Cybersecurity Institute at Excelsior College, we offer cybersecurity awareness training for small businesses and nonprofits. Learn how to secure business information, identify security threats and guard against potential hacker attacks.