Cyber Crime: Business Email Compromise

suspicous email linkCyber Criminals are always looking for new ways to steal your information. The FBI warns the latest scheme criminals are employing is Business Email Compromise (BEC).

Business Email Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Technical Details

The victims of the BEC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating a specific sector does not seem to be targeted.

It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).

Threat

Most of these BEC incidents involved the compromise of an email account belonging to a CEO/CFO and the subsequent use of that account to email wire transfer instructions to an employee with the ability to conduct wire transfers.

The FBI tracked a total of 44 fraudulent wire transfers provided through victim reporting that occurred as a result of BEC between 9 December 2015 and 9 March 2016 totaling $75,657,487. The wire transfers averaged approximately $1.7 million, and the largest attempted wire transfer was over $19.8 million.

Defense

The following precautionary measures as provided by the FBI’s IC3 may help prevent falling victim to BEC schemes.  Though these steps are aimed at enhancing your security there is no 100% guarantee that they will protect you from BEC:

  • Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Be careful what is posted to social media and company websites, especially employee names and email addresses, job duties/descriptions, hierarchical information, and out of office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures especially for any kind of financial transaction , including the implementation of a 2-step verification process. For example –
    • Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the
      relationship and outside the e-mail environment to avoid interception by a hacker.
    • Digital Signatures: Both entities on each side of a transaction should utilize digital signatures. This will not work with web-based e-mail accounts.
    • Delete Spam: Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often
      contain malware that will give subjects access to your computer system.
    • Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the
      e-mail address book to ensure the intended recipient’s correct e-mail address is used.
    • Consider implementing Two Factor Authentication (TFA) for corporate e-mail accounts. TFA mitigates the threat of a subject gaining access to an employee’s e-mail account through a
      compromised password by requiring two pieces of information to login: something you know (a password) and something you have (such as a dynamic PIN or code).

What To Do If You Are a Victim

If funds are transferred to a criminal account, it is important to act quickly:

  • Contact your financial institution immediately upon discovering the fraudulent transfer.
  • Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
  • Contact your local FBI office. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network (FinCEN), might be able to help return or freeze the funds.
  • File a complaint, regardless of dollar loss, with www.bec.ic3.gov

-The information provided is from the FBI’s Internet Crime Complaint Center (IC3)