Business E-mail Compromise: How to Protect Your Organization

Published: July 24th, 2018

In 2016, the FBI released a public service announcement warning that “business email compromise (BEC) scams have increased by 1,300% since 2015 and have cost businesses more than $3 billion.” This makes BEC a significant threat that businesses should understand in order to reduce the likelihood of becoming a victim.

What is BEC?

BEC is a sophisticated scam that targets both small and large businesses that regularly perform wire transfers and/or work with foreign suppliers. Fraudsters send employees spoofed e-mails, or e-mails from compromised accounts, pretending to be senior executives or trusted business partners, with urgent requests for sensitive information or for unauthorized transfers of funds.

Five Scenarios of BEC:

  • Business working with a foreign supplier
  • High-level executive receiving or requesting a wire transfer
  • Business contacts receiving fraudulent correspondence through compromised e-mail
  • Business executive and attorney impersonation
  • Data theft

Common Characteristics of BEC:

  • Fraudsters target the individuals responsible for handling wire transfers within the organization
  • Frequent use of free web-based e-mail providers such as Gmail or Yahoo
  • Fraudulent e-mails mimic legitimate e-mail requests
  • Impersonation of a high-level executive
  • Common use of phrases such as “code to admin expenses” or “urgent wire transfer”
  • E-mails that contain no URLs, phone numbers, or attachments, so they pass filters that key on links and attachments

Best Practices to Protect Your Organization from a BEC Attack:

Businesses should increase their awareness and understanding of BEC fraud among employees, so their organizations are less likely to become victims. The following is a list of self-protection best practices and strategies:

  • Establish a company domain name and utilize it for e-mail accounts instead of free, web-based accounts.
  • Be cautious about what is posted on social media and company websites, specifically information regarding job duties/descriptions, hierarchical information, and out-of-office details.
  • Consider additional security procedures, such as a 2-step verification process for transactions. For example:
    • Establish a second communication channel, such as a telephone call to a number already on file (not one supplied in the e-mail), to verify important transactions.
    • Require both parties to use digital signatures.
  • Report and delete any unsolicited e-mail from unknown parties.
  • DO NOT open suspicious e-mail or click on any links or attachments it contains.
  • Beware of any suspicious requests or abrupt changes in business practices.
  • Register lookalike domains (slight misspellings of the company’s actual domain, and the same name under other top-level domains) so fraudsters cannot.
  • Verify any change in vendor payment details (bank, account, or remittance address) by requiring a secondary sign-off and confirming the change with the vendor through a previously known contact, never through details supplied in the request itself.
  • Thoroughly review all e-mail requests for transfers of funds to determine whether the requests are legitimate.
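As an added example (not code from the original article), the following Python script turns the characteristics listed above and the lookalike-domain advice into something a mail-security or SOC engineer can run: it parses a raw message, adds a point for each BEC characteristic it matches (free webmail sender, lookalike domain in From or Reply-To, executive display name on an unexpected address, Reply-To mismatch, urgency/wire phrasing, no links or attachments), and enumerates typo, homoglyph and TLD-swap variants of the company domain that a defender might register first. The company domain example-corp.com, the executive directory, the free-webmail and phrase lists, and both sample messages are constructed for the example and would be replaced by the organization’s own data.

```python
"""Heuristic BEC triage: score a raw message against the characteristics listed above
and enumerate lookalike domains to register. Added example; all names are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
COMPANY_DOMAIN = "example-corp.com"                     # assumed defender domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # assumed executive directory
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
URGENCY_PHRASES = ("urgent wire transfer", "code to admin expenses", "wire transfer",
                   "change of bank details", "as soon as possible")

def levenshtein(a, b):  # edit distance, to catch one- or two-character domain typos
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, target=COMPANY_DOMAIN):
    """True for a near-miss of target: typo, TLD swap, or digit-for-letter homoglyph."""
    if not domain or domain == target:
        return False
    if levenshtein(domain, target) <= 2:
        return True
    dlabel, tlabel = domain.split(".")[0], target.split(".")[0]
    unglyphed = dlabel.replace("0", "o").replace("1", "l").replace("rn", "m")
    return dlabel == tlabel or unglyphed == tlabel

def body_text(msg):  # text/plain parts; walk() yields the message itself if not multipart
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            out.append(payload.decode("utf-8", "replace") if payload else "")
    return "\n".join(out)

def score_message(raw):
    """Return (score, reasons); each BEC characteristic matched adds one point."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = (x.rsplit("@", 1)[-1].lower() if "@" in x else "" for x in (addr, reply))
    if from_domain in FREE_WEBMAIL:
        reasons.append("sender uses free webmail: " + from_domain)
    for header, dom in (("From", from_domain), ("Reply-To", reply_domain)):
        if is_lookalike(dom):
            reasons.append(f"{header} domain is a lookalike of {COMPANY_DOMAIN}: {dom}")
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        reasons.append("executive display name with unexpected address: " + addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From: " + reply_domain)
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency/wire phrasing: " + ", ".join(hits))
    has_url = re.search(r"https?://", text) is not None
    has_attachment = any(part.get_filename() for part in msg.walk())
    if reasons and not has_url and not has_attachment:
        reasons.append("no URLs or attachments: nothing for link/attachment filters to catch")
    return len(reasons), reasons

def lookalike_candidates(domain=COMPANY_DOMAIN):  # variants a defender may register first
    label, tld = domain.split(".", 1)
    cands = set()
    for i in range(len(label)):
        cands.add(label[:i] + label[i + 1:] + "." + tld)  # dropped character
        if i + 1 < len(label):  # adjacent pair swapped
            cands.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)
    for a, b in (("o", "0"), ("l", "1"), ("m", "rn")):  # homoglyph substitution
        if a in label:
            cands.add(label.replace(a, b) + "." + tld)
    for other in ("net", "org", "co"):  # TLD swap
        cands.add(label + "." + other)
    cands.discard(domain)
    return sorted(cands)

# Constructed sample messages, not real traffic.
SAMPLE_BEC = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: jane.doe@examp1e-corp.com
To: accounts.payable@example-corp.com
Subject: Urgent wire transfer

I am in a meeting and cannot talk. Please process a wire transfer of $48,500 today and code to admin expenses.
"""
SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q3 vendor invoice

The approved invoice and PO are in the portal at https://erp.example-corp.com/po/1234.
"""
if __name__ == "__main__":
    for label, raw in (("BEC", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score}", *reasons, sep="\n  ")
    print("lookalikes to register:", ", ".join(lookalike_candidates()))
```

The score is a triage aid, not a verdict: a genuine executive mailing from personal webmail will score, and a message sent from a compromised real mailbox (the third scenario above) scores nothing on the sender checks and surfaces only through the phrasing and Reply-To signals. That gap is why the out-of-band verification and secondary sign-off in the best practices remain the controls that actually stop the transfer.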

For additional information, see the U.S. Department of Justice publication “Best Practices for Victim Response and Reporting of Cyber Incidents”.