In June 2016, the FBI released a public service announcement warning that business
email compromise (BEC) scams had increased by 1,300% since 2015 and had cost
businesses more than $3 billion. That makes BEC a significant threat that businesses
should understand in order to reduce the likelihood of becoming a victim.
What is BEC?
BEC is a sophisticated scam that targets both small and large businesses that
regularly perform wire transfers and/or work with foreign suppliers. Fraudsters
send employees emails that impersonate senior executives and make urgent requests
for sensitive information or for unauthorized transfers of funds.
Five Scenarios of BEC:
- a business working with a foreign supplier
- a business executive receiving or requesting a wire transfer
- business contacts receiving fraudulent correspondence through a compromised e-mail account
- business executive and attorney impersonation
- data theft (requests for employee tax records or other personal information rather than money)
Common Characteristics of BEC:
- targets the individuals within the organization who are responsible for handling wire transfers
- sent from free web-based email services such as Gmail or Yahoo
- emails that mimic a legitimate request from a high-level executive
- use of phrases such as “code to admin expenses” or “urgent wire transfer”
- messages that contain no URLs, phone numbers, or attachments, so there is no malicious link or file for a filter to catch
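The characteristics above are exactly the signals a mail gateway or SIEM rule can score. The following is an added example, not code from the original article, that scores a raw message on those indicators: an executive's display name paired with the wrong address, a free webmail sender, a domain within a couple of edits of the company's own, a Reply-To pointing elsewhere, the urgent-wire wording, and the absence of links, phone numbers or attachments. The company domain "example-corp.com", the executive list and the three sample messages are constructed placeholders, not real data.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed placeholders for this example (not from the original article).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {  # display name -> the executive's real address
    "jane doe": "jane.doe@example-corp.com",
    "john smith": "john.smith@example-corp.com",
}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
URGENCY_PHRASES = ("urgent wire transfer", "code to admin expenses", "keep this confidential")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot sender domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but is within two edits of it."""
    domain = domain.lower()
    return domain != COMPANY_DOMAIN and levenshtein(domain, COMPANY_DOMAIN) <= 2


def score_message(raw: str):
    """Return (score, indicators) for one RFC 5322 message; >= 3 warrants an out-of-band callback."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    indicators, score = [], 0
    # 1. Display name of a known executive, but not that executive's real address.
    known = EXECUTIVES.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:
        indicators.append("exec-name-spoof")
        score += 2
    # 2. Sent from a free web-based mail provider.
    if domain in FREE_WEBMAIL:
        indicators.append("free-webmail")
        score += 1
    # 3. Sender or Reply-To domain is a near-miss of the company domain.
    if is_lookalike(domain) or (reply_domain and is_lookalike(reply_domain)):
        indicators.append("lookalike-domain")
        score += 2
    # 4. Replies are quietly routed to a different domain than the visible sender.
    if reply_domain and reply_domain != domain:
        indicators.append("reply-to-mismatch")
        score += 1
    # 5. The urgent-wire / secrecy wording typical of BEC.
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgency-wire-language")
        score += 1
    # 6. No URL, phone number or attachment: nothing for a link/attachment filter to catch.
    has_url = re.search(r"https?://\S+", body) is not None
    has_phone = re.search(r"\+?\d[\d\s().-]{7,}\d", body) is not None
    has_attachment = any(True for _ in msg.iter_attachments())
    if not (has_url or has_phone or has_attachment):
        indicators.append("no-links-or-attachments")
        score += 1
    return score, indicators


# Constructed sample messages (not real mail).
BEC_FREEMAIL = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts.payable@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Are you at your desk? I need an urgent wire transfer processed today.
Code to admin expenses and keep this confidential until my meeting ends.
"""
BEC_LOOKALIKE = """From: John Smith <john.smith@examp1e-corp.com>
To: accounts.payable@example-corp.com
Subject: Updated vendor banking details
Content-Type: text/plain; charset=utf-8

Our supplier has moved banks. Update the wire instructions before paying the
open invoice, and keep this confidential until the board call.
"""
LEGIT_INTERNAL = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q3 expense report
Content-Type: text/plain; charset=utf-8

The Q3 expense summary is posted at https://intranet.example-corp.com/finance/q3
Please review it before Friday's finance meeting.
"""

if __name__ == "__main__":
    for label, raw in (("freemail", BEC_FREEMAIL), ("lookalike", BEC_LOOKALIKE), ("legit", LEGIT_INTERNAL)):
        print(label, score_message(raw))
```

The weights are deliberately coarse: a single indicator (a terse internal note, say) never reaches the threshold on its own, while an executive name on a free or look-alike domain does, which mirrors the article's point that the combination, not any one trait, marks a BEC attempt. A hit should trigger the out-of-band verification described later, not an automatic block, since the legitimate executive may well send a terse, urgent request.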
Best Practices to Protect Your Organization
from a BEC Attack:
Businesses should raise awareness and understanding of BEC fraud among employees,
so their organizations are less likely to become victims. The following is a
list of self-protection best practices and strategies:
- Establish a company domain name and use it for e-mail accounts instead of free,
  web-based accounts.
- Be cautious about what is posted on social media and company websites,
  specifically information regarding job duties/descriptions, hierarchical
  information, and out-of-office details.
- Consider additional security procedures, such as implementing a 2-step verification
  process. For example:
  - Establish other communication channels, such as telephone calls, to verify important
    transactions, using numbers already on file rather than any number supplied in the e-mail.
  - Require both entities in a transaction to utilize digital signatures.
- Immediately report and delete any spam from unknown parties. Do NOT open spam
  e-mail or click on any links or attachments.
- Beware of any suspicious requests or abrupt changes in business practices, such as a
  vendor suddenly asking that payments go to a new account or a request for secrecy.
- Register the company domains that differ only slightly from the actual company's
  domain, so that an attacker cannot register them first.
- Verify changes in vendor payment location by requiring a second, independent sign-off
  (dual control) before the change takes effect.
- Carefully review all e-mail requests for transfers of funds to determine whether the
  requests are legitimate.
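Registering the near-miss spellings of the company domain first requires enumerating them. The following is an added example, not code from the original article, that generates the common look-alike variants of one domain (a character dropped, doubled or transposed, a homoglyph swap such as l/1 or m/rn, the hyphen removed, and a different top-level domain) so the list can be fed to a registrar or to a new-registration watch. The domain "example-corp.com" is an assumed placeholder.

```python
# Characters an attacker swaps for visually similar ones (assumed, common choices).
HOMOGLYPHS = {"l": ("1", "i"), "i": ("l", "1"), "o": ("0",), "e": ("3",),
              "m": ("rn", "nn"), "a": ("4",), "s": ("5",), "d": ("cl",)}
# Top-level domains an attacker registers alongside the real one.
TLD_SWAPS = ("co", "net", "org", "cm", "biz", "info")


def lookalike_domains(domain: str) -> list:
    """Return sorted candidate look-alike domains for one real domain (the original excluded)."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])            # omission:      exampe-corp
        names.add(name[:i] + ch + ch + name[i + 1:])  # repetition:    exammple-corp
        for sub in HOMOGLYPHS.get(ch, ()):            # homoglyph:     examp1e-corp, exarnple-corp
            names.add(name[:i] + sub + name[i + 1:])
        if i + 1 < len(name):                         # transposition: exmaple-corp
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])
    if "-" in name:
        names.add(name.replace("-", ""))              # hyphen dropped: examplecorp
    # A DNS label may not be empty, start or end with a hyphen, or contain "--".
    valid = {n for n in names if n and n.strip("-") == n and "--" not in n}
    candidates = {f"{n}.{tld}" for n in valid}
    candidates |= {f"{name}.{t}" for t in TLD_SWAPS if t != tld}  # TLD swap: example-corp.co
    candidates.discard(domain.lower())
    return sorted(candidates)


if __name__ == "__main__":
    # "example-corp.com" is a placeholder domain for this example.
    variants = lookalike_domains("example-corp.com")
    print(len(variants), "candidates, e.g.", variants[:5])
```

Registering every candidate is rarely affordable, so the usual practice is to register the handful that are most convincing (homoglyph swaps and the hyphen-less form) and put the rest on a registration-monitoring watch list; either way the output of a generator like this is the input to that decision.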
For additional information, see the www.justice.gov publication “Best Practices for
Victim Response and Reporting of Cyber Incidents”.