What to Do: Implement very strong controls on wire transfers
Assume all email or fax requests from a vendor to change bank accounts are fraudulent. Assume all email or fax requests from the company President or others are fraudulent. Assume all email or fax requests to set-up a new vendor are fraudulent. Pick up the phone, call the party in question and verify the request is legitimate.
If you discover you are a Business Email Compromise victim, immediately contact the FBI’s Southern California Cyber Fraud unit at firstname.lastname@example.org. They have established banking relationships and are often able to recover funds if they are notified within 72 hours.
And talk to your banker. Make sure they have your back.
It’s also a good idea to check with your insurance broker to ensure that business email compromise losses are covered.
Not too long ago, email scams were relatively easy to detect. They were often from unknown contacts and referenced bank or credit card information which was clearly incorrect. Sometimes, the emails would simply contain a link. As time has passed, fraudulent attempts to gain control of your online banking, your critical information, and your identity have become more skillful and harder to spot. These days’ emails often appear to come from recognized accounts, are well written, and–at least at first glance–seem legitimate.
The newest — and one of the costliest — in a long line of fraudulent e-mail scams is “Business E-Mail Compromise” (BEC).
Business Email Compromise (BEC) is a very sophisticated attempt to induce a business to willingly hand over their money to a cybercriminal. In Business Email Compromise (BEC), crooks spoof communications from executives or vendors at the victim firm in a bid to initiate unauthorized wire transfers.
According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015. Business Email Compromise cost Ubiquiti Networks $46 million.
Collectively, Business Email Compromise has resulted in actual and attempted losses of over a billion dollars worldwide. The FBI reports, “…since the beginning of 2015 there has been a 270 percent increase in identified BEC victims. Victim companies have come from all 50 U.S. states and nearly 80 countries abroad.”
BECs can target businesses working with foreign suppliers or regularly performing wire transfer payments, although they have also targeted some that do not strictly fit this criterion. In order to solicit unauthorized transfers of funds, the scams compromise legitimate business e-mail accounts through social engineering or computer intrusion techniques. Prior to making contact, the scammers learn enough about their target to create emails that use language specific to the company and request wire transfers that seem legitimate.
For more information on BECs, see https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise and http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/