Cybercriminals continue to successfully hack and spoof emails to impersonate supervisors, CEOs, and suppliers and then request seemingly legitimate business payments. Because the emails look authentic and seem to come from known authority figures, many employees comply. But later they discover they’ve been tricked into wiring money or depositing checks into criminals’ bank accounts.
Known by several names, including BEC (business email compromise), EAC (email account compromise), or CEO email fraud, these schemes have cost more than 5.3 billion USD in actual and attempted losses and involved more than 40,000 domestic and international incidents, according to the FBI’s Internet Crime Complaint Center (IC3).
Figure 1 – Statistics from the FBI’s Internet Crime Complaint Center (IC3)
The FBI report says that BEC/EAC scams have evolved to sometimes not involve money at all. Instead, thieves use the same compromising email techniques to attempt to steal employees’ personally identifiable information (PII) or wage and tax (W-2) forms.
No company is immune – no matter how large or tech savvy
BEC scams involve businesses that work with foreign suppliers and/or that regularly process wire transfers, and EAC threats target individuals who make wire transfer payments. The IC3 began tracking them as one crime this May because of their increasing similarities.
With scams targeting businesses, no company is off limits, including tech giants Google and Facebook, which were tricked into wiring $100 million in 2013 to a criminal impersonating a legitimate computer hardware supplier.
Threat actors have even targeted PhishMe, an authority in cybersecurity, proving once again that no company is safe.
When business email compromise criminals first targeted PhishMe, they impersonated PhishMe CEO Rohyt Belani in an email sent to PhishMe Vice President of Finance Sam Hahn. The following screenshot shows how clever scammers tried to open the door to extort money from us.
Because Sam (and all our employees) participates in the PhishMe simulation program, he knew how to identify this email as a phishing threat. The key to thwarting this attack was simple – conditioning to look for and recognize the signs of phishing. In this case, it was the signature that gave it away. Rohyt does not use an iPhone.
10 tips to protect your company from BEC and CEO Fraud threats
Business email fraud scammers are crafty. But there are several steps you can take to protect your company against BEC/EAC attacks:
- Establish a DMARC record on your company domain name so that emails spoofing your real domain do not get delivered.
- Enable two-factor authentication on your email accounts to prevent an attacker from hacking into your accounts and using them to send bogus messages.
- Minimize the number of people authorized to process and approve company wire transfers and check payments.
- Make a list available to employees with the names of those authorized to approve and process all company payments.
- Verify (with at least two people) requests for new or different payment processes or requests for secure information.
- Set a limit on the amount of money that can be withdrawn from your company bank account, so your bank can hold and verify requests that go above the threshold.
- Be aware that hackers who impersonate executives often send imposter emails when they know (through social media, usually) that real executives are traveling on business.
- Require dual authentication and approval of all payment requests, with phone verification such as the following:
  - Have the person requesting the payment call you from a predetermined phone number to verify the request.
  - Call the person requesting the payment using a legitimate phone number (not one taken from an email) and ask for a predetermined code to verify the person’s identity.
  - Send the person requesting the payment a one-time code through a previously verified phone number to confirm the payment request.
- Adopt a comprehensive anti-phishing program that empowers all your employees to act as the first line of defense against BEC scams. At the least, it should include:
  - A phishing simulation program – a scheduled process of periodically sending fake BEC emails to employees so they become conditioned to what phishing messages look like.
  - A reporting tool that allows employees to practice reporting phishing threats to your company’s IT incident response team.
- Identify specific, real-world phishing scenarios that your organization receives on a regular basis. And, if your company already uses a phishing simulation program, add them into your phishing simulation rotation.
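The DMARC tip above only delivers its promise (spoofed mail for your exact domain is not delivered) when the published record is actually enforcing. As an added example, not code from the original post, the following Python checks a DMARC TXT record for the gaps that commonly leave a domain spoofable: a monitoring-only `p=none`, a weaker subdomain policy `sp`, a partial `pct`, and a missing `rua` reporting address. The sample records are constructed; `assess_dmarc` is a hypothetical helper name.

```python
"""Check a DMARC TXT record against the goal in the tip above: mail that
spoofs your exact domain should not be delivered. Added example, not code
from the original post; the sample records are constructed."""

REQUIRED_VERSION = "DMARC1"


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict. Tag names are lower-cased;
    values are kept as written (report URIs are case-sensitive)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus findings explaining any gap between
    the record and an enforcing (p=reject, pct=100) configuration."""
    tags = parse_dmarc(record)
    findings = []

    if tags.get("v", "").upper() != REQUIRED_VERSION:
        findings.append("missing or wrong 'v' tag: receivers ignore the record")

    policy = tags.get("p", "").lower() or None
    if policy is None:
        findings.append("no 'p' tag: record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine routes spoofed mail to spam instead of rejecting it")
    elif policy != "reject":
        findings.append(f"unknown policy {policy!r}")

    # 'sp' covers subdomains and defaults to 'p'; a weaker sp leaves e.g.
    # finance.<yourdomain> spoofable while the apex domain is locked down.
    subdomain_policy = tags.get("sp", policy or "").lower() or policy
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains are not covered by the reject policy")

    # 'pct' defaults to 100; anything lower applies the policy to a sample only.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not a number; treated as 0")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no 'rua' address: you receive no aggregate reports showing who spoofs you")

    return {
        "policy": policy,
        "blocks_spoofing": policy == "reject" and pct == 100,
        "blocks_subdomain_spoofing": subdomain_policy == "reject" and pct == 100,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample records, from monitoring-only to fully enforcing.
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    ):
        result = assess_dmarc(rec)
        verdict = "blocks spoofing" if result["blocks_spoofing"] else "does NOT block spoofing"
        print(rec, "->", verdict)
        for finding in result["findings"]:
            print("   -", finding)
```

Feed it the `_dmarc.<yourdomain>` TXT value returned by your resolver. Note the limit of the control: DMARC stops mail that forges your exact domain, but it does nothing against a lookalike domain or a forged display name, which is why the human checks in the remaining tips still matter.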
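The phone-verification items in the tips above describe an out-of-band confirmation step. As an added example, not code from the original post, the following Python implements the one-time-code variant: the code goes only to a phone number recorded in advance, it is bound to the amount and beneficiary so that a code issued for one payment cannot approve an altered one, it expires, and it is single-use. `VERIFIED_PHONES`, `PaymentVerifier` and the `send_fn` callback are constructed stand-ins for a real contact directory and SMS gateway.

```python
"""Out-of-band confirmation of a payment request (the one-time-code step in
the tips above). Added example, not code from the original post; the phone
directory and the send_fn callback are constructed stand-ins."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # codes expire after ten minutes
MAX_ATTEMPTS = 3         # wrong codes lock the request, forcing a re-issue

# Constructed directory: numbers verified in person and kept outside email,
# so an attacker who controls a mailbox cannot change where the code goes.
VERIFIED_PHONES = {"finance.approver": "+1-555-0100"}

# The fields an attacker would want to change after a code has been issued.
BOUND_FIELDS = ("requester", "amount", "currency", "beneficiary_account")


def request_fingerprint(req: dict) -> str:
    """Hash the bound fields; editing any of them yields a different
    fingerprint and invalidates an already-issued code."""
    canonical = "|".join(f"{k}={req[k]}" for k in BOUND_FIELDS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class PaymentVerifier:
    def __init__(self, send_fn, now=time.time):
        self._send = send_fn   # send_fn(phone, code, summary): hands the code to the SMS gateway
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # request_id -> {"fp", "code", "expires", "attempts"}

    def issue_code(self, request_id: str, req: dict) -> None:
        phone = VERIFIED_PHONES.get(req["requester"])
        if phone is None:
            # No pre-verified channel means no way to confirm: refuse rather
            # than fall back to a number supplied in the request itself.
            raise LookupError(f"no verified phone number on file for {req['requester']!r}")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[request_id] = {
            "fp": request_fingerprint(req),
            "code": code,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": MAX_ATTEMPTS,
        }
        # The recipient sees exactly what they are approving alongside the code.
        summary = f"{req['amount']} {req['currency']} to {req['beneficiary_account']}"
        self._send(phone, code, summary)

    def verify(self, request_id: str, req: dict, submitted_code: str) -> bool:
        entry = self._pending.get(request_id)
        if entry is None:
            return False                       # unknown, used, or locked request
        if self._now() > entry["expires"]:
            del self._pending[request_id]
            return False                       # expired
        fp_ok = hmac.compare_digest(entry["fp"], request_fingerprint(req))
        code_ok = hmac.compare_digest(entry["code"], submitted_code)
        if fp_ok and code_ok:
            del self._pending[request_id]      # single use
            return True
        entry["attempts"] -= 1
        if entry["attempts"] <= 0:
            del self._pending[request_id]      # too many failures: re-issue required
        return False


if __name__ == "__main__":
    sent = []
    verifier = PaymentVerifier(send_fn=lambda phone, code, summary: sent.append((phone, code, summary)))
    request = {"requester": "finance.approver", "amount": "48500.00",
               "currency": "USD", "beneficiary_account": "ACCT-CONSTRUCTED-001"}
    verifier.issue_code("req-1", request)
    phone, code, summary = sent[-1]
    print(f"sent to {phone}: code {code} for {summary}")
    altered = dict(request, beneficiary_account="ACCT-CONSTRUCTED-999")
    print("altered beneficiary with genuine code:", verifier.verify("req-1", altered, code))
    print("original request with genuine code:", verifier.verify("req-1", request, code))
```

The design point is the binding: a code confirms one specific amount and beneficiary, so a request that is edited after the approver has been phoned fails verification even if the attacker has intercepted the code. Constant-time comparison, an expiry window and a single-use entry are the remaining hygiene items.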
Learn from PhishMe’s experience with BEC scams
No company is immune to BEC threats – regardless of size or industry. To learn more about how PhishMe shut down several business email fraud scams, read our report, “Business Email Fraud Scams: What They Are and How to Shut Them Down.”