Nothing seemed out of the ordinary by Nicholas Economidis
The email looked familiar, and the request to transfer funds was a little unusual, but not that different from the normal course of business. Except the email only looked familiar, the transfer request was actually criminal, and now the money is gone, never to return. That sense of familiarity is what criminals depend on to execute the increasingly common social engineering scam known as "business email compromise" (BEC), and organizations of all types are vulnerable.
Although it doesn't sound especially dangerous, BEC is costing businesses big money. In the 18 months since January 2015, the FBI has identified a 1,300% increase in losses, with total losses of $960,708,616 in the U.S. alone. Businesses can reduce their exposure to this rapidly proliferating tactic by teaching employees the warning signs that indicate something may be amiss.
Here's how it happens: criminals posing as either a high-level executive or a vendor request an urgent wire transfer, or a change to standing wire transfer instructions. The request appears to come from somebody the recipient believes is part of their company or a known vendor, and it feeds on an employee's desire to be seen as responsive, efficient and valuable. It all seems normal, but once you know the signs to look for, it is possible to stop these attacks before the money moves.
The two most common scenarios
Email spoofing – The CFO (or another executive who typically requests and carries out wire transfers) receives an email that appears to be from the CEO requesting a wire transfer for a time-sensitive, confidential transaction. This would all be fine, except it is not actually the CEO emailing, and there is likely something unusual about the sender's address if you look closely enough: the domain resembles the company's but is not the same.
Compromised email – Here the criminals take control of a legitimate business email account. Because the request comes from a real account, the usual sender checks pass, and the attackers depend on the CFO to execute it. However, there is likely something unusual about the request itself: the amount is out of the ordinary, or the language is different from what you would expect from that person.
Other common types of BEC, according to the FBI, include emails that appear to be from a regular vendor changing payment instructions; criminals hacking an employee's personal email, identifying vendor contacts and requesting invoice payments; and fraudsters pretending to be associated with a law firm and requesting funds.
How can you help prevent fraudulent instruction emails?
Criminals will always look to exploit the most vulnerable area, or individual, in a business. While no enterprise-wide system will completely prevent these schemes, there are steps organizations can take to help protect themselves:
- Train your employees about "phishing." Fraudsters often use phishing attacks to gain access to network credentials or other information in order to make a scam more convincing. For example, thieves will use phishing to obtain email credentials, and then send emails from the victim's account to get others to act.
- Encourage employees to be skeptical of any request that seems out of the ordinary, and to report anything that looks unusual to a supervisor.
- Instruct employees to check the domain names on incoming email very carefully. Criminals might send an email from "beazle.y.com", which looks familiar at first glance but is not the same as "beazley.com".
- Implement an "out-of-band" authentication procedure for requests for payments or requests to change bank or payment information. If you receive a request via email, confirm it over the phone with the vendor or payee, and confirm any request for a wire transfer over the phone, using a number you already have on file rather than one supplied in the email.
- If an organization frequently receives requests for wire transfers by email and cannot implement a call-to-confirm system for every request, it should at least be wary of any request from a regular vendor to change bank information. If a regular vendor asks the company to change its bank details, the company should call to confirm, using a number it already knows for the vendor.
The FBI reports that some organizations are employing additional preventative tactics:
- Creating intrusion detection system rules that flag emails from domains similar to the company's own. For example, if the legitimate domain is abc_company.com, the rule would flag mail from abc-company.com. This helps keep email from bad actors dressed up to look like legitimate inter-company mail from reaching employees.
- Registering look-alike domains, those that differ only slightly from the actual company domain. Again, this helps keep bad actors from using domains that users may mistake for legitimate company email.
- Verifying changes in vendor payment location with an additional control, such as a secondary sign-off by company personnel, rather than acting on a single emailed instruction.
- Knowing the habits of your customers, including the details of, reasons behind, and amount of payments.
- Carefully scrutinizing all email requests for transfer of funds to determine whether the request is out of the ordinary.
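The two domain checks above (employees comparing "beazle.y.com" with "beazley.com", and the gateway rule that flags abc-company.com next to abc_company.com) can be automated. The following is an added example written for this page, not Beazley's or the FBI's tooling. It normalizes away the separator and character-substitution tricks used to build look-alike domains, compares the result against a trusted list with a small edit-distance tolerance, and goes slightly beyond the text by also flagging two header tricks common in the spoofing scenario: a Reply-To that points somewhere other than the visible From domain, and a trusted-looking address placed in the display name. The trusted domains, substitution table, distance threshold and sample messages are all constructed for illustration.

```python
"""Flag inbound mail whose sender domain looks like, but is not, a trusted domain.

Added example for this page (not from the original article): every constant
and sample message below is constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains this organization and its regular vendors legitimately send from.
TRUSTED_DOMAINS = {"abc_company.com", "beazley.com"}

# Character sequences attackers swap in to build look-alikes (assumption: a short,
# practical list; a production rule would use a fuller confusables table, Unicode included).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Collapse the tricks that make two different domains look alike."""
    d = domain.lower()
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    # Dots, hyphens and underscores are the cheapest way to make "beazle.y.com"
    # or "abc-company.com" resemble a real domain, so compare without them.
    return d.replace(".", "").replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str, max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, normalize(trusted)) <= max_distance:
            return "lookalike"
    return "external"


def domain_of(addr: str) -> str:
    """Domain part of an address, or '' when there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def analyze_message(raw: str):
    """Return (verdict for the From domain, list of findings) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    verdict = classify_sender(from_domain)
    if verdict == "lookalike":
        findings.append(f"From domain '{from_domain}' resembles a trusted domain")

    # A trusted address written into the display name while the real address is elsewhere.
    name_domain = domain_of(display_name)
    if name_domain in TRUSTED_DOMAINS and verdict != "trusted":
        findings.append(f"display name claims '{name_domain}' but address is '{from_addr}'")

    # Replies to a spoofed mail are silently routed to the attacker via Reply-To.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
        if classify_sender(reply_domain) == "lookalike":
            findings.append(f"Reply-To domain '{reply_domain}' resembles a trusted domain")
    return verdict, findings


# Constructed sample messages; only the headers matter here.
SAMPLE_LOOKALIKE = (
    "From: Jane Doe <jane.doe@beazle.y.com>\n"
    "Subject: Urgent wire - confidential\n\nPlease process the attached wire today."
)
SAMPLE_REPLY_TO = (
    'From: "CFO" <cfo@abc_company.com>\n'
    "Reply-To: cfo@abc-company.com\n"
    "Subject: Updated bank details\n\nSee below."
)
SAMPLE_DISPLAY_NAME = (
    'From: "alerts@beazley.com" <alerts@mail-service.net>\n'
    "Subject: Invoice\n\nInvoice attached."
)
SAMPLE_LEGIT = "From: Bob Smith <bob.smith@beazley.com>\nSubject: Lunch\n\nNoon?"

if __name__ == "__main__":
    for label, raw in [("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLY_TO),
                       ("display-name", SAMPLE_DISPLAY_NAME), ("legit", SAMPLE_LEGIT)]:
        verdict, findings = analyze_message(raw)
        print(f"{label:12} verdict={verdict:9} findings={findings}")
```

Use the verdict to route mail for review rather than to block it outright: an edit distance of 1 on short domains will produce false positives, so tune `max_distance` against your own domain list, and treat this as a complement to SPF, DKIM and DMARC checks at the gateway, not a replacement for them. None of these header checks help in the compromised-account scenario, where the mail genuinely comes from a trusted domain; that case still depends on the out-of-band confirmation described above.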
Beazley has helped clients handle more than 4,000 data breaches since the launch of Beazley Breach Response in 2009 and is the only insurer with a dedicated in-house team focusing exclusively on helping clients handle data breaches. Beazley’s BBR Services team coordinates the expert forensic, legal, notification and credit monitoring services that clients need to satisfy all legal requirements and maintain customer confidence. In addition to coordinating data breach response, BBR Services maintains and develops Beazley’s suite of risk management services, designed to minimize the risk of a data breach occurring.
Read the Beazley Breach Insights – July 2016 report.