Business Email Compromise - Don’t Become a Victim

Written by Geri Meraz, Director of FIU | 10/11/22 4:15 PM

 

Business Email Compromise (BEC) is a type of scam targeting companies that conduct wire transfers and/or have suppliers abroad. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to make fraudulent transfers. Once funds are wired, there is little chance of recovering them, resulting in hundreds of thousands of dollars in losses.

BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. Often, they impersonate a CEO or any executive authorized to make wire transfers. Fraudsters also carefully research and closely monitor their potential target victims and their organizations.

Some of the sample email messages have subjects containing words such as request, payment, transfer, and urgent, among others. Based on reports received by the FBI, there are 5 types of BEC scams:

  1. CEO/Executive Fraud: Attackers pose as the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to an account the attackers control.
  2. The Bogus Invoice Scheme: Many business email compromise attacks impersonate an organization’s suppliers, using emails that include fake invoices or changes in banking information that divert payments into an account set up by the attacker. As with executive impersonations, these attacks often exploit existing relationships in order to look more convincing. For example, attackers may set up domains or create web pages that are similar to those of real suppliers, in addition to forging invoices or other business documents.
  3. Account Compromise: An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
  4. Attorney Impersonation: Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Normally, such bogus requests are made through email or phone, and at the end of the business day.
  5. Data Theft: Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.

Awareness and training are the best steps toward preventing an attack on your business. Because these scams do not have any malicious links or attachments, they can evade traditional solutions. Employee training and awareness can help enterprises spot this type of scam.

Some tips and best practices to defend against Business Email Compromise scams include: 

  • Carefully analyze all emails, especially wire transfer requests and out-of-the-ordinary requests from executives. Be especially wary if the requestor is pressing you to act quickly.
  • Attackers use a variety of techniques to make email messages look convincing. They may register internet domain names that closely resemble the names of their target organization or trusted suppliers, then send phishing emails from those domains.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust. Closely check the sender email address; oftentimes the spoofed address will be one letter off. Hover over the email address to see if the address displayed in the pop-up matches the address shown.
  • Always thoroughly verify updated account information by phone with a known and valid vendor contact, even if you often correspond via email with your vendor. Confirm any request via telephone from a known number for that vendor or other wire beneficiary, not the one provided in the email request. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to ask if the request is legitimate.
  • Implement additional verification steps in payment-related processes such as requests for wire transfers or to change bank account information. Verify any changes in vendor payment by using a secondary sign-off by company personnel trained to look for the above-noted changes in information received, and verify PRIOR to sending the wire.
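
The sender and subject checks from the tips above can also be automated at the mail gateway or in a finance team's triage script. The following is an added example, not part of the original article: the trusted-domain list, function names and sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: constructed allow-list of domains you really do business with.
TRUSTED_DOMAINS = {"acme-supplies.example", "widgetco.example"}
# Subject words the article names as common in BEC messages.
PRESSURE_WORDS = {"request", "payment", "transfer", "urgent"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_message(from_header: str, subject: str) -> list[str]:
    """Return reasons to verify by phone before acting; empty list if none."""
    reasons = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # "One letter off" is distance 1; 2 also catches swapped letters.
            if edit_distance(domain, trusted) <= 2:
                reasons.append(f"look-alike domain: {domain} resembles {trusted}")
    # A display name that shows a different address than the real sender.
    if "@" in display and display.strip().lower() != addr.lower():
        reasons.append(f"display name shows {display} but sender is {addr}")
    hits = sorted(set(re.findall(r"[a-z]+", subject.lower())) & PRESSURE_WORDS)
    if hits:
        reasons.append("pressure words in subject: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed sample headers, not taken from a real message.
    samples = [
        ('"Pat Lee" <pat.lee@acme-supplies.example>', "Lunch on Friday"),
        ('"Pat Lee" <pat.lee@acme-suppl1es.example>', "Urgent: updated payment details"),
        ('"cfo@widgetco.example" <cfo.widgetco@mail.example>', "Wire transfer request"),
    ]
    for sender, subject in samples:
        print(sender, "->", review_message(sender, subject) or "no flags")
```

A flag from this check is a prompt to make the phone verification described above, not a verdict; a message with no flags still goes through the normal secondary sign-off.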

How to Report 

If you or your company falls victim to a BEC scam, it’s important to act quickly:

  • Contact your financial institution immediately and request that they contact the financial institution where the transfer was sent.
  • Call your home branch of First Foundation Bank or customer service at 888-405-4FFB (4332). 
  • Please supply the email communications leading up to and including the receipt of the fraudulent payment beneficiary instructions.
  • Immediately update email passwords for the affected email(s) and also enlist an IT professional to assist in making sure the threat has been fully addressed. Passwords should be robust, containing letters, numbers, and special characters when possible.
  • Also file a complaint with the FBI’s Internet Crime Complaint Center (IC3). Have every detail about the transaction handy; you will need it to file the complaint. The IC3 will then issue you a complaint number. This is important because you will be asked for this number when you call your local FBI field office. You can file a complaint at https://www.ic3.gov/Home/BEC. 
  • Contact your local FBI field office to report the crime. Ask for a special agent that processes financial or cybercrimes. They will ask for the IC3 complaint number.
  • File a police report with your local Police Department. Every bit of information you provided to the FBI also needs to go to the police. Make sure all the authorities have good contact information for you.