What is it?
Business Email compromise (BEC) is a scam that begins with a thief either gaining direct access to a CEO/executives email account through a phishing attack, OR by creating an email account that very closely resembles that of the CEO/executive’s business or personal email address. Often, the thief then sends an email to another employee at the same company, from either the CEO/executive’s hacked email account or the fictitious email address the thief created. The email requests that the employee, customer, or vendor transfer funds or sensitive information to the criminal.
Between December 2016 and May 2018 there has been a 136% increase in BEC incidents. The average loss in a typical BEC attack is $130,000.
According to the Internet Crime Complaint Center (IC3) from October 2013 to May 2016 the total number of U.S. victims is 14,032 and the total U.S. exposed dollar loss was $960,708,616. As of May 2018 these numbers have jumped to 41,058 U.S. victims and $2,900,000,000 in U.S. exposed dollar losses.
How does it work?
For example, the controller for ABC Company receives an email from what appears to be the CEO’s business email address—email@example.com. But if you look closely, the hacker has spoofed the address and the email is actually coming from firstname.lastname@example.org (a zero replaces the ‘o’ in company). The request may include specific wire transfer instructions to pay an individual or vendor and often come with a strong urgency to complete the transaction as soon as possible. To the controller, the email and wire instructions look legitimate so the payment is made. It may be several days or weeks until it is discovered that either the individual or vendor didn’t exist or that payment was made to an account that was not your vendor’s. When discovered, it becomes a very expensive lesson in cybersecurity.
What are some steps you can take to protect yourself?
To help combat these attacks, a multi-layered approach should be used to protect the integrity of your network based email communication. You should always have the following practices in place:
- Train your employees
- Authenticate payment requests
- Confirm any changes in vendor payment instructions
- Implement internal dual control on any type of funds transfer payment