Business email compromise (BEC) is the fastest growing type of social engineering fraud: a broad category of scams in which perpetrators impersonate a trusted party to manipulate victims into willingly handing over funds or valuable information. This deceptive form of theft is also known as phishing.
Though this risk is not new, it is evolving. Here are three trends amplifying the threat of BEC, and how businesses can better protect themselves from loss:
- Stressed out, remote workforces make easier targets
According to the Anti-Phishing Working Group (APWG), BEC scams doubled in 2020 compared to 2019. Insurers have undoubtedly seen a spike in claims since the beginning of the COVID-19 pandemic, which has exacerbated vulnerabilities in companies’ defenses.
With most employees working from home, employers lose some control over security. Employees tend to fall back on home networks and personal devices to work around IT problems in their employer’s internal systems. That gives fraudsters new avenues to reach their targets, with less chance of being caught by company filters.
Additionally, employees are dealing with new levels of stress, balancing full-time work with homeschooling, childcare and in some cases eldercare, on top of fears over becoming infected with the virus itself. When people are under pressure, they’re more likely to give in to urgent demands coming from a presumably important vendor or business partner.
Fraudsters are capitalizing on the stress, uncertainty and occasional cyber security lapses of the past year, growing bolder in their tactics and demands.
- Fraudsters are growing bolder and applying more pressure
In the classic BEC scenario, the thief poses as a vendor who needs to update their banking information and requests that future payments be sent to the new (fraudulent) account number. But businesses have grown wise to this plot, and perpetrators have adapted by developing new ploys.
One emerging tactic combines a fraudulent email with a fraudulent phone call. The schemers may still pose as a vendor or other business partner demanding an urgent payment. They then follow up immediately with a phone call, pretending to be a lawyer involved in the transaction, and may drop the name of the CFO or another senior manager.
People get flustered. Scammers know if they apply pressure, their target is more likely to do what they want them to do. Fearing that they’ve dropped the ball and wanting to avoid trouble, employees may make large transfers under these circumstances without verifying them.
Recently, fraudsters have also ironically posed as cyber security firms, hired by the recipient’s employer to strengthen defenses against the exact type of crime they are about to commit. By fashioning themselves as protectors offering a service rather than requesting a payment, they more easily gain employees’ trust – and access to their machines.
Once the fraudster gains access to a single computer, they can easily work their way through the target company’s internal network to obtain the information they need to re-direct funds transfers or shipments of goods.
- Facing little risk of retribution, scammers are making off with larger sums
The latest figures from the U.S. Internet Crime Complaint Center reflect more than $1.7 billion in losses from BEC in 2019 alone, accounting for half of all losses from every type of cyber attack. According to APWG, “BEC attacks that sought wire transfers from victim companies sought an average of $75,000 – a 56% increase from $48,000 in the third quarter of 2020.”
But some scams have cost companies tens of millions. In one well-publicized case, an employee at a major auto manufacturer followed instructions to wire $37 million to a third party, only to discover shortly after that the request was fraudulent.
Once funds leave the coffers, it can be next to impossible to recover them. Perpetrators are clever. They use banks in countries where corruption is rampant and that don’t do business with the U.S. Because the transfer was made willingly, there is little chance of recovering the money once it is in the possession of those foreign banks.
For public companies, large losses can have other negative downstream effects, including a degraded stock price, and the subsequent potential for shareholder lawsuits.
How to protect yourself from Business Email Compromise
A few basic checks and balances can help companies reduce their vulnerability to Business Email Compromise scams. Best practices include:
Verify third-party requests for bank account changes by calling the requester back using a number on file — not the number provided in the email.
Requests for wire transfers that come from an unusual channel or ask for large sums should always be checked with senior management. It is unlikely that any business truly needs millions of dollars transferred to them immediately – despite threatening calls from “lawyers.” Follow protocol to verify these requests.
Learn to identify red flags in fraudulent emails. Often, scammers copy a vendor’s email address almost exactly, except for an errant punctuation mark or an extra letter. Hover your mouse over the sender’s address and check that every character exactly matches the contact information on file. Grammar or punctuation errors, a tone that doesn’t quite fit the vendor’s usual communication style, and urgent language can also indicate a phony email.
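As an added example that is not part of the article, the following Python check automates the address-matching advice above: it compares the address in a From: header against a constructed vendor contact list and flags near-matches (an extra or swapped character, or a look-alike Unicode character) as suspicious. The contact list and sample headers are constructed for illustration.

```python
# Added example, not from the article: flag sender addresses that nearly,
# but not exactly, match a vendor contact on file.
import unicodedata
from email.utils import parseaddr

# Constructed contact list: display name -> address on file.
CONTACTS_ON_FILE = {
    "Acme Supplies AP": "payments@acme-supplies.example",
    "Jane Doe": "jane.doe@northwind.example",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, max_edits: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for a raw From: header value."""
    display, raw = parseaddr(from_header)
    raw = raw.strip().lower()
    known = {addr.lower() for addr in CONTACTS_ON_FILE.values()}
    if raw in known:
        return "known"
    # Fold look-alike Unicode (e.g. fullwidth letters) to ASCII; if the folded
    # form is a contact on file, the raw address only *looks* like it.
    folded = unicodedata.normalize("NFKC", raw)
    if folded in known:
        return "lookalike"
    # A familiar display name on an address not on file is itself a red flag.
    if display.strip() in CONTACTS_ON_FILE:
        return "lookalike"
    # Otherwise flag addresses within a couple of typos of a contact on file.
    for addr in known:
        if edit_distance(folded, addr) <= max_edits:
            return "lookalike"
    return "unknown"
```

Anything classified as "lookalike" should be verified out of band, using the phone number on file rather than any number in the email.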
Reinforce employee training with regular phishing tests. Employees may become fatigued by hearing the same tips repeatedly and can eventually become lax, especially while working remotely. Regular tests can evaluate whether additional training is needed and remind employees to stay vigilant.
Ensure your commercial crime policy includes a specific endorsement for social engineering fraud. A standard crime or theft policy was never intended to cover social engineering, and coverage may not be triggered in scenarios where funds were given away willingly.
(This article is written by Greg Bangs, SVP, Crime Regional Leader – North America, AXA XL. The views expressed in this article are of the author.)