Business Email Compromise: A Deceptive Threat to your Business

Eric J. Nabozny, Commercial Market Manager, First Financial Bank

With the recent Equifax Data Breach, our minds instantly turn to how we can better protect our personal information and the information of our business.  As important as these data breach threats are, as seen in the rampant media coverage to expose these threats, there is another equally pervasive threat to our businesses that often goes unnoticed and unreported.  This threat is known as “Business Email Compromise.”

Business Email Compromise (BEC), as defined by the FBI, is a sophisticated scam targeting businesses that work with foreign suppliers and/or businesses that send wire transfers regularly.  These attacks can take the form of an internal business email account that has been compromised via malware or more often by using a technique called “spoofing.”  Spoofing is an attack that leverages social engineering and deception to trick the recipient of a spoofed email into believing the sender is legitimate.  A spoofed email address is created to look like the legitimate email address, however, only a letter is omitted or deliberately transposed to confuse the recipient.

BEC has recently become one of the fastest growing crimes in the world of business payment fraud and one of the most profitable modes of fraud leveraged by organized crime today.  Cumulatively from October 2013 to December 2016, the FBI has recorded more than 40,000 incidents and more than $5.3 billion in losses!

Deception is the primary tool of BEC.  This deception, typically orchestrated by foreign crime rings, is a highly sophisticated operation that involves weeks and months “researching” the business to target.  These fraudsters learn who your vendors are, what billing systems you use, and your CEO’s work habits and even travel schedule through compromised legitimate business email accounts, malware-infected computers, or social engineering.  When the timing is right, usually when a Senior Executive is traveling, a spoofed email will be sent to accounting requesting an urgent payment be made to “vendor,” “investor,” or other similar legitimate sounding transaction on the executive’s behalf.  Oftentimes, the recipient only wants to be helpful and assist in what appears to be a very important request.  They have been provided just enough valid information to believe the request is real.  Cyber criminals count on their target not taking the time to verify the e-mail. 

No business is immune to such attacks, so a business process plan and response plan is critical to preventing and responding to a BEC attack.  Here are just a few steps your business can take now to address this rapidly expanding threat:

  • Dual Control for Payments:  Any transaction created by your business should always require at least two individuals’ approval to send.  Between internally implemented procedures and online banking controls available to your business, this simple process can be the main line of defense to prevent you from falling victim.
  • Communication and Education:  Establish policies that communicate how any and all payments are to be processed and no payment instructions can ever be accepted via email.  Also, communicate the importance of awareness regarding any communication with outside parties to your business. Whether via phone or email, educate your staff to scrutinize and ask questions regarding the origin of a request.  Making this part of everyone’s daily routine lets the criminal know that this target might be difficult to penetrate and they’ll move on to the next target.
  • Incident Response Plan:  Work with your Executive Teams, Communications, and Legal Counsel to formulate a business plan to respond swiftly and appropriately to an attack.  Oftentimes, a documented and rehearsed game plan can help your business stop a funds transfer or possibly recover funds before it’s too late!
  • Verify billing changes:  Require secondary approval directly from vendors and suppliers for any billing changes.
  • Email Authentication:  Work with your technology partners to implement intrusion detection systems within your email system.
  • Scrutinize Emails:  Proceed cautiously with emails you receive from Senior Executives requesting unusual information.

You can stop BEC attacks.  One of the best controls you can implement is simply to contact senders directly to confirm the authenticity of suspicious emails you receive, either face-to-face or over the phone.  Though more time consuming, a well-planned and communicated strategy for handling suspicious email will greatly reduce the likelihood of your company being compromised and strengthen your BEC defenses.

Business Email Compromise won’t be the theme of the next big-budget action movie, but make no mistake; criminals have realized the “big-budget” potential for BEC attacks.  As these criminals work to continually improve their technology and techniques, your business needs to keep pace with improved security procedures and develop plans to heighten your organization’s awareness to these threats.   Making simple changes today to protect your business will pay dividends tomorrow, next month, and two years from now when your business is their next target.