Fraud Education – Business Email Compromise

Business Email Compromise

Business email compromise (BEC) has become one of the most financially damaging crimes a company can face. Scammers rely on email being the most common means of business communication.

One way a scammer “gets in” is by spoofing the email address of a trusted or known sender.

Here’s an example:

The scammer may send an email from the address stacy.goldsmith@abccompany.com to an employee of the company they plan to attack. That employee regularly communicates with a vendor who uses the email address stacey.goldsmith@abccompany.com. The scammer is counting on the receiver not noticing the slight difference in the address and complying with the request to update the bank routing and account number for a wire payment the receiver is about to send.

Next, scammers often rely on the assumed authority of executive management to spur the receiver of the email to bypass steps and procedures meant to protect the company from loss.

Here’s an example:

A purchasing employee of a company receives an email that appears to be from the CEO. The email states that the employee needs to purchase 50 Visa gift cards of $100 each for end-of-year employee bonuses. The email further states that the CEO is in a meeting and cannot be reached by phone, but tells the employee to send all the gift card serial numbers to the CEO via email as soon as possible, because the CEO plans to email them out personally to each employee that evening. The scammer is counting on the purchasing employee’s trust in the authority of the CEO to get the request carried out.

Lastly, a scammer may use malware to get into a company’s network. The scammer then has access to email threads, financial data, and passwords. They may try to create a sense of urgency to encourage a receiver to act quickly and not take all steps necessary to prevent company fraud losses.

Here’s an example:

Unknown to the company, an employee clicked on a link within an email that appeared to be from a trusted source. This link installed malware. The scammer infiltrates an active email thread between the company and a vendor about a payment the company needs to send the vendor. The scammer takes over as “the vendor” and claims that the payment was never received and that it must be sent by wire before the end of business today or the goods will not be shipped. The receiver of the email doesn’t want to be responsible for an important shipment not arriving and sends the funds via wire transfer using the wire instructions provided by the scammer.

In all these instances, recovery of the lost funds is next to impossible.


How can you avoid becoming a victim of scammers like these? Consider the following:

  • Consult with an information security firm to ensure the company’s network is secure and proper policies and procedures are in place to guide employees on protecting the company’s information.
  • Train all employees on information security and anti-fraud best practices like:
    • Never click on links from unsolicited emails.
    • Be careful not to share information on social media that could reveal password or security question answers like high school name, mother’s maiden name, etc.
    • Carefully examine the email address, URLs, and even the body text of emails for changes and inconsistencies.
  • Require two-factor or multi-factor authentication for system logins.
  • Ensure that all payment requests are VERBALLY verified by phone using publicly published/trusted phone numbers before sending any payments.
  • Create a corporate culture that promotes adherence to policies and procedures.
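The address check in the list above can be automated in a mail gateway or ticketing workflow. The following is an added example, not code from the original page: it flags an inbound sender whose address is a near-match for a known vendor contact (as with stacy versus stacey above) and routes any request to change bank or wire details to phone verification. The trusted-contact list and the messages are constructed sample data.

```python
# Added example: lookalike-sender and payment-change triage for inbound email.
# TRUSTED_SENDERS and the sample messages are constructed, not from a real company.
from typing import Optional

# Constructed directory of vendor contacts the company actually does business with.
TRUSTED_SENDERS = {"stacey.goldsmith@abccompany.com"}

# Phrases that indicate a request to change where money is sent.
PAYMENT_CHANGE_PHRASES = ("routing number", "account number", "new bank", "wire instructions")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, max_edits: int = 2) -> Optional[str]:
    """Return the trusted address this sender resembles but does not equal, else None."""
    sender = sender.strip().lower()
    if sender in TRUSTED_SENDERS:
        return None
    for trusted in TRUSTED_SENDERS:
        if edit_distance(sender, trusted) <= max_edits:
            return trusted
    return None


def triage(sender: str, body: str) -> str:
    """Classify a message as 'lookalike-sender', 'verify-by-phone', or 'ok'."""
    if lookalike_of(sender):
        # Near-duplicate of a known vendor: treat as suspected spoofing.
        return "lookalike-sender"
    if any(p in body.lower() for p in PAYMENT_CHANGE_PHRASES):
        # Even a genuine sender's change of bank details is verified by phone
        # using a number already on file, never one given in the email.
        return "verify-by-phone"
    return "ok"
```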

For more information on how to protect your company from fraudulent attacks, contact First Mid’s Fraud Support team at 833-488-4723.

If you own a business and you would like protection from cyber risk, contact First Mid Insurance Group and ask for more information about Cyber Liability Insurance.


Resources

Business Email Compromise — FBI