The year 2020 will forever be remembered as the year of the COVID-19 pandemic. Its global impact was unlike anything seen in recent history, and the virus permeated every aspect of life. Cybercriminals were no exception: they seized on the pandemic as an opportunity to target companies through Business Email Compromise.
According to the FBI's Internet Crime Complaint Center (IC3), the number of cybercrime complaints reported in 2020 rose 69% from 2019, and Business Email Compromise (BEC) schemes remained the costliest category, with adjusted losses of over $1.8 billion in 2020.
Cybercriminals continue to grow more sophisticated and use a wide range of tactics against their victims, and BEC schemes in particular have increased in both frequency and complexity in recent years.
Simply put, a BEC scam involves a cybercriminal pretending to be a seemingly legitimate source.
BEC fraud can have many consequences for your organization, including stolen data, financial losses, and potentially serious reputational damage. Fortunately, these scams can be deterred with a range of cyber security measures. Read this guide to learn what BEC scams are and the best steps your organization can take to prevent them.
What is Business Email Compromise fraud?
Essentially, BEC fraud consists of cybercriminals posing as an individual or entity within their target's trusted network for illicit profit. These scams are a form of social engineering, a broader category of cyberattack that exploits predictable human behaviors (e.g., trust in authority, fear of conflict, and the promise of rewards) to gain unauthorized access to an organization's systems, funds, or data.
Cybercriminals who commit BEC scams often use these social engineering strategies:
- Creating look-alike addresses – To convince targets that they are a reliable source, cybercriminals register email addresses that are almost identical to the one they are impersonating, differing by only a character or two (for example, swapping the letter "l" for the digit "1", replacing "m" with "rn", or using the same name under a different top-level domain).
- Using spear-phishing techniques – Cybercriminals research their targets beforehand and use any details they discover to make their false identity more convincing. In spear phishing, the cybercriminal typically poses as a source closely connected to the target (e.g., a close colleague or department head).
- Distributing malicious code – Fraudulent BEC emails may urge the target to download a malicious attachment or click a misleading link that installs malware. Once running, the malware gives the cybercriminal easier access to the victim's systems, resources and data.
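The look-alike address technique in the list above is something a mail gateway or a triage script can check for mechanically. The following is an added example, not code from CoverLink or from any product the page describes: it parses a From: header, compares the sender's domain to a small allowlist, and flags homoglyph substitutions, short-edit typo-squats (including adjacent letter swaps), the same name under a different top-level domain, and a known employee's display name arriving from an outside domain. The trusted domains, the employee directory and the sample headers are all hypothetical values constructed for this example.

```python
"""Look-alike sender check for BEC triage.

Added example, not CoverLink's tooling. TRUSTED_DOMAINS, KNOWN_PEOPLE and
SAMPLE_HEADERS are hypothetical values constructed for this example.
"""
import unicodedata
from email.utils import parseaddr

# Hypothetical allowlist: the organization's own domain plus one paid vendor's domain.
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}
# Hypothetical directory: display names that should only ever arrive from one domain.
KNOWN_PEOPLE = {"jane doe": "example.com"}

# Character groups that look alike in common fonts. Multi-character pairs are folded
# first so that "rn" becomes "m" before single characters are remapped.
MULTI_HOMOGLYPHS = {"rn": "m", "vv": "w"}
SINGLE_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold case, Unicode compatibility forms (e.g. fullwidth letters) and ASCII homoglyphs."""
    d = unicodedata.normalize("NFKC", domain).strip().lower()
    for src, dst in MULTI_HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d.translate(SINGLE_HOMOGLYPHS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete and substitute cost 1, and an
    adjacent transposition ("exampel" vs "example") also costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess_sender(from_header: str) -> dict:
    """Classify a From: header as trusted, suspicious, unknown or malformed, with a reason."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"verdict": "malformed", "reason": "no usable address", "domain": ""}
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return {"verdict": "trusted", "reason": "domain is on the allowlist", "domain": domain}
    if not domain.isascii():
        # NFKC does not fold Cyrillic or Greek letters, so any non-ASCII domain is flagged outright.
        return {"verdict": "suspicious", "reason": "non-ASCII domain (possible IDN homograph)", "domain": domain}
    norm = normalize_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == normalize_domain(trusted):
            return {"verdict": "suspicious", "reason": f"homoglyph look-alike of {trusted}", "domain": domain}
        # Allow two edits against longer names and one against short names to limit false positives.
        max_edits = 2 if len(trusted) >= 10 else 1
        dist = osa_distance(domain, trusted)
        if dist <= max_edits:
            return {"verdict": "suspicious", "reason": f"{dist} edit(s) away from {trusted}", "domain": domain}
        if domain.split(".")[0] == trusted.split(".")[0]:
            return {"verdict": "suspicious", "reason": f"same name as {trusted} under a different TLD", "domain": domain}
    person = display_name.strip().lower()
    if person in KNOWN_PEOPLE and domain != KNOWN_PEOPLE[person]:
        return {"verdict": "suspicious",
                "reason": f"display name '{display_name}' but sent from {domain}, expected {KNOWN_PEOPLE[person]}",
                "domain": domain}
    return {"verdict": "unknown", "reason": "not on the allowlist; verify out of band", "domain": domain}


# Constructed sample headers for the demo; none of these are real addresses.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",                    # genuine
    "Jane Doe <jane.doe@examp1e.com>",                    # digit 1 for letter l
    "Jane Doe <jane.doe@exarnple.com>",                   # "rn" for "m"
    "Accounts Payable <ap@exampel.com>",                  # swapped letters
    "Acme Supplier Billing <billing@acme-supplier.net>",  # vendor name, wrong TLD
    "Jane Doe <jane.doe.ceo@gmail.com>",                  # real name, outside mailbox
    "Conference Updates <news@somevendor.org>",           # simply unknown
]


def triage(headers=SAMPLE_HEADERS) -> list:
    """Return (header, verdict, reason) for each From: header."""
    return [(h, r["verdict"], r["reason"]) for h, r in ((h, assess_sender(h)) for h in headers)]


if __name__ == "__main__":
    for header, verdict, reason in triage():
        print(f"{verdict:<10} {header:<52} {reason}")
```

Run it directly to see a verdict for each sample header. The verdicts are advisory rather than blocking decisions: a real employee writing from a personal address will be flagged as suspicious, which is exactly the case that should be routed to out-of-band verification rather than silently dropped or trusted.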
According to the FBI, there are several types of BEC fraud, including the following:
- False invoice scheme – The cybercriminal poses as a supplier or vendor and requests that an outstanding invoice be paid to a fraudulent account.
- CEO fraud – The cybercriminal impersonates an executive or another employee and requests that the victim make a bank transfer to a fraudulent account. The request is often urgent, threatening the victim with work-related consequences or other penalties for failing to comply.
- Account compromise – In this tactic, a cybercriminal hacks into an employee's or executive's actual email account and uses it to send messages to that person's contacts, attempting to trick the recipients into paying fraudulent invoices.
- Attorney impersonation – The cybercriminal poses as a lawyer or other legal representative and requests that a payment be made to a fraudulent account in order to resolve an organizational matter described as "sensitive" or "pressing."
- Data theft – The cybercriminal poses as an HR professional to trick the target into sharing personal information about employees or managers. The stolen data can then be exploited in future attacks.
Preventing Business Email Compromise fraud
Any employee can be the target of BEC fraud, which puts the security and financial stability of your entire organization at risk. Be sure to implement the following cyber security measures to deter it:
- Train your employees. Minimizing losses from BEC scams begins with teaching your employees to recognize and avoid them. Equip your staff with these best practices:
- Refrain from sharing personal or work-related information on social media platforms, as cybercriminals may use this information to initiate a BEC scam.
- Avoid opening or replying to emails from people or organizations you do not know. If an email claims to come from a trusted source, verify the sender's identity by checking the full address character by character, not just the display name.
- Be wary of emails that seem out of place, contain spelling and grammar errors, request sensitive details, or use threatening or urgent language. Never disclose financial information via email.
- Never click on suspicious links in emails. Similarly, avoid downloading e-mail attachments from unknown sources.
- If you suspect a BEC fraud, contact your manager or IT department immediately for further guidance.
- Implement secure payment procedures. Having secure payment procedures within your organization can stop BEC fraud before any money leaves your accounts. Instruct employees who handle your organization's financial operations to scrutinize invoices and transfer requests to confirm they are genuine. Where possible, such requests should be confirmed in person or by phone on a number already on file (never a number supplied in the email itself) before proceeding, especially when they involve alternative payment procedures or changes to account numbers. Also consider requiring more than one verification method, such as a second approver, for payment requests.
- Restrict access to sensitive data. Give employees access to sensitive organizational data only if they are trusted, experienced, and need that information to do their jobs. Protect this data with access controls and multifactor authentication.
- Use security tools. Ensure that every part of the organization has adequate security tooling to deter BEC fraud, including a virtual private network, antivirus and anti-malware software, email spam filters, data encryption, and a firewall. Keep these tools updated.
- Have a plan. Finally, make sure your organization has an effective incident response plan that specifically covers response protocols and mitigation measures for BEC fraud. In particular, plan to contact your financial institution as soon as BEC fraud is discovered to determine whether funds have left your account. If money has been taken, the account should be temporarily frozen to prevent further theft. In addition to consulting your financial institution, report the fraud to your local FBI field office and file a complaint with the Internet Crime Complaint Center.
Do not let Business Email Compromise scams – or any form of cyber exposure – threaten your business.
Contact CoverLink Insurance today to learn more about available cyber policies and effective risk management techniques to protect your organization from fraud via email compromise.