Business Email Compromise ("BEC") is a scam perpetrated by cyber criminals to attack businesses that first began to be tracked and reported by the FBI in 2013. BEC typically consists of phony or phishing emails that appear to originate from a company executive or member of a company's accounting or finance department containing fraudulent payment instructions with the objective to direct or redirect business funds to the cyber criminals. Cyber criminals are targeting all sizes of business, from small to publicly traded and any size in between.
Dramatic Increase in Losses - Illinois in Top 10!
In 2018, annual losses due to the BEC Scam more than doubled to $2.7 billion. According to the FBI, since 2015 these losses have increased more than 1,300 percent. As reported by the FBI in April 2019, Illinois made the “Top 10 States list” for both number of victims and total average loss by victims. Mimecast reported in its 2019 “State of Email Security” report that BEC attacks increased by 67% over last year, with 73% of victims incurring a direct loss.
What You Need to Know
BEC scammers are gaining sophistication in their tactics and techniques, which often monitor an intended target's email systems to hack accounts, limit detection and perfect the timing of their fraud to go unnoticed. These schemes are going on for longer periods of time with a substantial investment of time by the cyber criminals in order to ensure a successful crime and larger pay day. The FBI has noted that these cyber-criminal organizations are now employing linguists, lawyers, accountants and other professional service providers to infiltrate and implement their schemes. It is important to note that a traditional data breach is not necessary for a BEC scam occur. The scam is typically implemented in a combination of one or all of the tactics below:
- SPEAR-PHISHING: fake emails from a purported trusted sender seeking the disclosure of confidential information
- MALWARE: used to access business networks in order to gain access to legitimate e-mail threads about billing and invoices. Malware later leads to the spoofing of email accounts and theft of funds
- SPOOFING OF EMAIL ACCOUNTS AND WEBSITES: when a criminal sends an email that is a slight variation of a legitimate address (email@example.com vs. firstname.lastname@example.org) that fool victims into thinking fake accounts are authentic. The criminals then employ a spoofing tool to direct e-mail responses to a different account that they control. The victim thinks he is corresponding with a trusted person only later to find out that is not the case. Many times the criminal sends the spoofed email in the midst of an ongoing transaction and so the victim’s awareness is low thereby allowing the crime to occur
Here are some tips to implement internally that might help prevent, limit or mitigate the damage done by BEC:
- Alert each employee in the payment process chain that payments must be verified with unique measures
- Confirm any payment change requests verbally and in detail as to new account numbers from known parties
- Procure the right amount & type of cyber crime insurance
- Use contracts to limit liability
- Consider employee training for payment transactions
- Properly secure your email and IT systems from cyber-attacks and employee carelessness
- Send reminder emails to all business partners that any requests from your business to alter payment methods must be verbally confirmed with known contact
The above is not meant to be an exhaustive list of protective measures as each business is unique and may require additional considerations.
You should regularly consult the FBI and the Ic3 website for updates as well as your legal counsel for additional guidance. (https://www.fbi.gov/investigate/cyber and https://www.ic3.gov/)
Below is additional helpful information from the FBI’s website describing the BEC and the FBI’s recommendation.
Don’t Be a Victim
The business e-mail compromise scam has resulted in companies and organizations losing billions of dollars. But as sophisticated as the fraud is, there is an easy solution to thwart it: face-to-face or voice-to-voice communications. “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” said Special Agent Martin Licciardo. “Don’t rely on e-mail alone.”
Here are other methods businesses have employed to safeguard against BEC:
- Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com
- Create an e-mail rule to flag e-mail communications where the “reply” e-mail address is different from the “from” e-mail address shown.
- Color code virtual correspondence so e-mails from employee/internal accounts are one color and e-mails from non-employee/external accounts are another
- Verify changes in vendor payment location by adding additional two-factor authentication such as having secondary sign-off by company personnel.
- Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the e-mail request
- Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary
If you are a victim
The FBI further advises that If a company has been victimized by a BEC scam, it’s vital to act quickly. These steps include:
- Contact your financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent:
- Call the FBI, and
- File a complaint—regardless of dollar amount—with the FBI’s Internet Crime Complaint Center (IC3)
In addition to the above, we suggest that you also contact your legal counsel, which should be a simultaneous initial step when learning of the crime, as well as your insurance broker.
Are You Really Properly Insured?
What victims often time realize after it is too late is that either their coverage was woefully inadequate or there is no coverage at all. The hidden problem sometimes being not purchasing the right policy in the first place. This problem stems from cyber insurance still being a new area of insurance coverage with no standardization among cyber policies. Complicating factors include nuances in insurance contract language that may exclude coverage based upon inadequate security measures by the insured (e.g., improperly configured firewall), malicious employee acts and/or careless handling of information. Additionally, even when an adequate policy is purchased from the outset, it is vital for a business to periodically examine its risk exposure level in order to obtain coverages for the requisite amount.
How to secure your IT systems and lower insurance premiums at the same time
Businesses should also consider conducting periodic “Information Security Gap Analysis” of current email and IT systems in order to address and fix unknown weaknesses. Such cybersecurity analyses not only protect your business but providing such cybersecurity assurances or developing a cybersecurity assurance program may reduce your insurance premiums.
Do your contracts protect you?
Although there is no silver bullet to protect against a BEC Scam, there are ways to account for those unfortunate scenarios in your contracts with vendors and service providers, which may limit your exposure or shift liability to third parties. With the BEC Scam in mind, businesses should consider including provisions that provide assurances concerning your contracting partner’s network security and payment systems. Careful attention should also be paid to “limitation of liability” and “indemnification” terms as well as terms governing your business partner’s insurance requirements, including, but not limited to, whether or not your business should be added as an “additional insured” to your partner’s insurance policy. These are not all the considerations to keep in mind and each contract should be examined on a case-by-case basis in light of the business relationship between the parties.
For further information and/or to discuss any of the above, please do not hesitate to reach out to a member of HMB’s Technology Team.