Business Email Compromise: A Growing Threat to American Businesses

As technology advances, threats related to cybersecurity grow. According to the FBI, as of 2017 there have been 15,690 recorded reports of business-related email compromise (BEC). This growing problem has cost American businesses $675 million, not to mention the security violations these compromises have caused. This is an alarming increase from 2016’s total of $360 million.

BEC is a type of data breach in which an assailant acquires access to a CEO’s or finance officer’s corporate email account and uses it to defraud the company, its employees, or its customers. The main targets for BEC are businesses that frequently handle wire transfers. Both large and small businesses are at risk from criminals looking for a way to extort hard-earned money. If you use email, you can be exposed to BEC. No company is immune, no matter how large or tech-savvy.

A successful BEC doesn’t happen overnight. It’s a long process involving constant surveillance of the targeted business in order to gain the information needed to siphon thousands of dollars from the target. The process usually involves seemingly legitimate emails appearing to come from trusted individuals, requesting a wire transfer or other transaction.

In 2015, an executive employed at The Scoular Co. received what looked like an email from the company’s CEO ordering him to wire a total of $17.2 million in 3 installments to a bank in China. These orders were later discovered to be fraudulent and to have originated from service providers in Germany, France, and Israel. The FBI has attempted to recover the money, but no immediate relief is in sight for the company: the bank account into which the money was deposited had been cleaned out.

Having several different ways to authenticate money transfers could save a business thousands of dollars. This is why multi-factor authentication (MFA) is now becoming the norm. This extra layer of security serves to protect individuals and organizations. MFA is a security system that requires more than one means of authentication to gain access to accounts. Authentication factors used in MFA include passwords, PINs, one-time passcodes on smartphones, and biometrics like fingerprints.

BEC preventative measures:

  • Stay up-to-date as technology continues to develop.
  • Use multi-factor authentication.
  • Develop a policy for recognizing/reporting BEC and related phishing scams.
  • Use a separate, non-email channel to confirm the identity and authority of email senders who request transactions.

What victims should do about BEC:

  • Report to your financial institution immediately.
  • Contact your local FBI office.
  • File a complaint with gov and include:
      • IP and/or email addresses attached to the fraudulent email
      • Date/time of incident
      • Copies of fraudulent invoices, emails, letterhead, or other documents
