FBI Warns About Unprecedented Rise of Targeted Email (BEC) Scams
A new wave of socially engineered attacks uses email to trick victims into wiring money to the attackers, who pose as vendors, clients, or other familiar contacts requesting payment of an invoice by wire transfer.
The FBI has dubbed these attacks “Business Email Compromise” (BEC) scams. According to the FBI, BEC scams have been running since 2013 and have affected users from over 80 countries worldwide. In the US alone, 7,000 businesses have reported a total of $747 million in losses.
“For victims reporting a monetary loss to the IC3, the average individual loss is about $6,000,” said Ellen Oliveto, an FBI analyst assigned to the center. “The average loss to BEC victims is $130,000.”
While there are solutions to prevent such emails from reaching your company, they’re not 100% foolproof. For this reason, use the below recommendations to ensure your company does not fall victim to this crime.
Here are some recommendations:
Ensure employees within the company are aware of these targeted attacks as well as your organization’s processes for dealing with and paying approved vendors. The BEC scam has seen an unprecedented rise since the beginning of 2015, increasing 270%.
“They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us,” says the FBI.
In some cases, scammers have even used malware to steal account credentials and gain access to private company information, which they then use in their messages to make their requests look legitimate and avert suspicion. For example, they may send emails that appear to come from a colleague (typically in the accounting department) or from a vendor or supplier, asking the victim to complete a wire transfer to settle an invoice.
Lastly, social engineering attacks are not limited to email. We have documented cases of phishing attacks over the phone with both automated systems and real people on the line asking for account numbers!
Transactions and conversations often take place over email, so using a solid, secure business email solution, such as MS Exchange Server or Office 365, is a good first step. In addition, using multi-factor authentication and enabling standard email authentication, such as the Sender Policy Framework (SPF), which most mail servers support, will help protect your email environment.
Anti-spam systems are not just for “junk” mail. Most spam solutions use real-time attack information and other dynamic, intelligent systems to identify and quarantine possible threats, such as BEC attacks.
In addition, consider implementing outbound email filtering to prevent sensitive financial information, such as bank account numbers, from being sent outside of the company.
Establish a system of checks and balances that enables employees to authenticate and validate payment requests. Measures such as requiring multiple approvals for wire transfers, stricter controls over changes to vendor or supplier payment details, and additional forms of verification (such as voice calls or physical documentation) will help ensure that you are conducting a legitimate transaction.
The FBI’s Advice
1. Verify changes in vendor payment location and confirm requests for transfer of funds.
2. Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked.
3. Be careful when posting financial and personnel information to social media and company websites.
4. Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
5. Consider financial security procedures that include a two-step verification process for wire transfer payments.
6. Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same. For example, .co instead of .com.
7. If possible, register all Internet domains that are slightly different than the actual company domain.
8. Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
Learn more by reading the FBI’s Public Service Announcement on BEC.
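Item 6 above recommends detection rules that flag sender domains resembling the company domain. The script below is an added example of that check, written for this page rather than taken from the FBI advisory or any product; the company domain `example-corp.com`, the sample `From:` headers, and the verdict names are all constructed for illustration. It treats the exact domain and its real subdomains as trusted, and flags a sender as a lookalike when the company's label appears inside a foreign domain (a different TLD, or the company name buried in a longer hostname) or when the whole domain is within a small edit distance of the real one (a swapped or dropped character).

```python
"""Flag sender domains that look like, but are not, the company domain.

Added example for the FBI's item 6 (not code from the page). The company
domain, sample messages and verdict names are constructed placeholders.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # constructed placeholder, not a real tenant
MAX_EDIT_DISTANCE = 2                 # tune per company; shorter domains need a lower value


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'exact', 'lookalike' or 'external' for the address in a From: header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].strip().lower()
    company = company_domain.lower()
    if not domain:
        return "external"  # unparseable or missing domain: do not trust it
    # The real domain, or a genuine subdomain of it (mail.example-corp.com).
    if domain == company or domain.endswith("." + company):
        return "exact"
    company_label = company.split(".")[0]
    # Company name reused under another TLD (.co) or inside a longer hostname
    # (example-corp.com.mail-relay.net): the label matches but the domain does not.
    if company_label in domain.split("."):
        return "lookalike"
    # One or two characters changed, dropped or added (examp1e-corp.com).
    if edit_distance(domain, company) <= MAX_EDIT_DISTANCE:
        return "lookalike"
    return "external"


# Constructed sample headers; none of these are real messages or senders.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Subject": "Q3 invoice"},
    {"From": "Jane Doe <jane.doe@example-corp.co>", "Subject": "URGENT wire today"},
    {"From": "CFO <cfo@examp1e-corp.com>", "Subject": "Vendor bank change"},
    {"From": "Accounts <ap@example-corp.com.mail-relay.net>", "Subject": "Payment due"},
    {"From": "Supplier <billing@acme-supplies.net>", "Subject": "PO 4471"},
]


def scan_messages(messages, company_domain: str = COMPANY_DOMAIN):
    """Return (subject, verdict) for each message so lookalikes can be routed to review."""
    return [(m["Subject"], classify_sender(m["From"], company_domain)) for m in messages]


if __name__ == "__main__":
    for subject, verdict in scan_messages(SAMPLE_MESSAGES):
        flag = "REVIEW" if verdict == "lookalike" else "ok"
        print(f"{flag:6} {verdict:9} {subject}")
```

The edit-distance threshold is the part to tune: two characters is reasonable for a domain of this length, but a very short company domain will collide with unrelated legitimate domains, so lower it or restrict the comparison to the second-level label. A "lookalike" verdict is meant to route the message to a human for the out-of-band verification the article recommends, not to auto-reject it.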