How to Recognize and Prevent Business Email Compromise Scams
Just before Christmas last year, a San Francisco-based non-profit called One Treasure Island began receiving email invoices from a partner organization for funding related to a housing project for the city’s homeless population. After several transfers totaling $650,000, officials discovered they were being scammed — hackers had stolen a legitimate invoice and changed the bank routing number to an account they controlled.
It is one of the nastier examples of an increasingly common type of fraud known as business email compromise. BEC attacks are wire-transfer schemes that use spoofed emails to target employees who manage money and regularly perform wire transfer payments. Scammers typically assume the identity of a company executive, partner or vendor to request electronic wire transfers of funds.
Law enforcement officials and security analysts say BEC attacks increased dramatically when organizations shifted to remote operations and became accustomed to conducting a good deal of business by email. According to the 2021 Business Email Security Landscape Report from GreatHorn, 71 percent of organizations acknowledged they had experienced at least one BEC attack over the past year. Another report from Proofpoint estimates that such schemes collected more than $12 billion from companies worldwide in 2020 — a 1,300 percent increase year over year.
The FBI says there are several types of BEC attacks, which are sometimes known as pretexting or executive fraud. The five most common variations include:
- Bogus invoice schemes. Fraudsters use spoofed emails, faxes or even phone calls to request invoice payments or fund transfers to a fraudulent account they control.
- Account compromise. Attackers gain access to a company email account and use it to request invoice payments, often from multiple vendors listed in the victim's email contacts.
- Executive fraud. Attackers posing as the CEO or another high-level executive ask an employee to transfer funds or forward sensitive information. Fraudsters count on the fact that most people want to do whatever they can to earn the approval of the boss.
- Attorney impersonation. Attackers impersonate an attorney claiming to be handling something of a critical and confidential nature that requires a quick transfer of funds or information.
- Data theft. In this type of attack, threat actors contact employees, frequently those in payroll or human resources, in an effort to steal credentials and other sensitive information that can be used for additional attacks.
The availability of personal and company information online can make it easier for some scammers to impersonate people in positions of authority. That's why the FBI says we must all be more careful about what information we post online or on social media. Sharing things like pet names, birthdays and links to family members can help scammers gain an air of authenticity.
Here are some additional steps organizations should take to limit their risk from BEC scams:
- Educate. Everyone should understand hackers' tactics. Red flags include requests for "rush" payments due to some impending deadline, intimidation tactics, excessive flattery, or claims that the request has been approved by a higher authority. Executives must understand that email requests for funds are strongly discouraged and will require verification.
- Verify. Employees who manage money should never fulfill email requests for wire transfers without verifying the identity of the person requesting funds. This should be done through a different communication channel, ideally by phone or in person.
- Authenticate. Implement email authentication with DMARC (Domain-based Message Authentication, Reporting and Conformance). This protocol is specifically aimed at identifying spoofed email messages: the domain owner publishes a policy that tells receiving mail servers to quarantine or reject messages that fail authentication, keeping them out of inboxes and preventing their propagation.
- Report. Contact your financial institution immediately if you believe you are the victim of a wire-transfer fraud. Ask your institution to immediately contact the corresponding institution where the transfer was sent. Report the incident to the local FBI office, which may be able to freeze the funds.
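To make the "Authenticate" step concrete, here is an added example (not code from the original article or from any vendor named in it) that shows how a receiving mail server applies a published DMARC policy to a message whose From: header claims to come from a protected domain. The record, the domain `example.com` and the sender domains are constructed placeholders; the organizational-domain rule is simplified to the last two labels, where real receivers consult the Public Suffix List.

```python
# Simplified DMARC evaluation (RFC 7489 logic): does a message whose visible
# From: domain claims to be ours actually authenticate as ours via SPF or DKIM?

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs, filling RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment by default
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real receivers use the Public Suffix List so that co.uk etc. work)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed a shared org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(record, record_domain, from_domain, spf_pass_domain, dkim_pass_domain):
    """Return (result, disposition) for one message.
    spf_pass_domain: MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: d= of a DKIM signature that verified, else None."""
    tags = parse_dmarc(record)
    if aligned(spf_pass_domain, from_domain, tags["aspf"]) or \
       aligned(dkim_pass_domain, from_domain, tags["adkim"]):
        return "pass", "none"
    # A failing subdomain uses sp= when published, otherwise the main p= policy.
    is_subdomain = from_domain.lower() != record_domain.lower()
    disposition = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", disposition

# Constructed sample record, as a domain owner would publish it at _dmarc.example.com.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Legitimate invoice: DKIM-signed with d=example.com -> ('pass', 'none')
    print(dmarc_verdict(SAMPLE_RECORD, "example.com", "example.com", None, "example.com"))
    # Spoofed invoice: From: claims example.com, SPF passed only for an unrelated
    # sending domain, no DKIM -> ('fail', 'reject'), so it never reaches the inbox
    print(dmarc_verdict(SAMPLE_RECORD, "example.com", "example.com", "relay.invalid", None))
```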