The FBI has reported a 2,370% increase in business email compromise (BEC) between January 2015 and December 2016. This type of fraud includes what we at BrandProtect refer to as email phishing, spear phishing, or whaling.
The scam, commonly known as “CEO fraud”, is a highly engineered attack that typically targets high-level executives: the criminals impersonate them to trick people inside the organization into providing sensitive information and, ultimately, into wiring money to a fraudulent account.
Cybercriminals will also use other techniques such as:
- Supplier or Attorney Impersonation: Small and large businesses alike that work with suppliers can fall victim to a whaling attack. The criminals simply claim to represent the supplier, or pose as an attorney, and request urgent confidential information through a phone call or a well-crafted email. This year, Facebook and Google were hit with a $100M BEC scam in which the cybercrook impersonated an Asian supplier in order to swindle the money from them.
- Email Account Compromise: In this scenario an employee's account (normally the CFO's, or that of someone responsible for authorizing or requesting payments) is hacked, allowing the cybercrooks to send emails asking to pay an invoice or to make a wire transfer to a bank account under any pretext. Remember, this type of intrusion is different from normal phishing scams: the emails are not sent in bulk, in order to avoid being marked as spam, and typically do not contain malicious links or attachments. This makes the attack harder to detect using traditional security measures.
Detect and Protect
Criminals use sophisticated techniques to trick people into thinking their email accounts and websites are legitimate, so it's important to always be alert. Train your employees to detect fraudulent emails and advise them to verify the authenticity of a supplier or a payment request by making a phone call, using a number already on file rather than one given in the email itself.
Types of red flags to look for:
- The sender's domain: Fraudsters use domains similar to the company they're trying to target. Sometimes it won't be obvious; they'll make slight spelling changes, for example, if the email is email@example.com they'll use firstname.lastname@example.org or email@example.com.
- Urgent email requests or bank transfer enquiries: Typically the criminals send emails at the end of the day, when people are ready to leave and can be easily tricked by the urgency of the request, with subjects like “Immediate Wire Transfer”.
- Email message: The scammers' purpose is to persuade the person to execute their request as soon as possible. Pay close attention to emails asking to transfer money to a different bank account in an urgent manner.
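As an added example (not BrandProtect's code), here is one way to check the first red flag automatically: compare each sender's domain against a list of trusted domains using edit distance, after folding the look-alike characters fraudsters swap in. The trusted domains, the confusable table and the sample senders are all constructed for the example.

```python
from typing import Optional

# Constructed trusted domains for this example; a real deployment would load its own.
TRUSTED_DOMAINS = {"example.com", "example-supplier.com"}

# Character groups that read alike in many fonts, mapped to the letters they mimic.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold look-alike substitutions so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def lookalike_of(sender: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> Optional[str]:
    """Return the trusted domain a sender imitates, or None for exact/unrelated domains."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:          # a genuine trusted sender is not a look-alike
        return None
    norm = normalize(domain)
    for t in trusted:
        if levenshtein(norm, normalize(t)) <= max_dist:
            return t
    return None


def scan(senders):
    """Map each suspicious sender to the trusted domain it imitates."""
    return {s: t for s in senders if (t := lookalike_of(s)) is not None}


if __name__ == "__main__":
    # Constructed sample senders, not real addresses.
    sample = ["cfo@example.com", "cfo@exarnple.com", "ap@examp1e.com",
              "billing@example.co", "news@unrelated.org"]
    print(scan(sample))
```

The three near-misses are reported with the domain they imitate; the genuine sender and the unrelated domain are left alone, so the check can sit in front of a human review rather than replace it.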
Just recently, a Canadian university was the victim of an $11.8 million email scam: cybercriminals impersonated a legitimate vendor and deceived the staff into changing the banking information and making the payments to the new account. After this incident, the university developed multi-level authentication and increased its cybersecurity controls. Don't wait until it's too late: always double-check the source before sending money or data.
If you believe your business has been the subject of fraud or the victim of a BEC scam, contact the authorities immediately and file a complaint.