By: Ryan Gregory, CFE
The Better Business Bureau (BBB) International Investigations Initiative released a report titled “Is That Email Really From ‘The Boss’? The Explosion of Business Email Compromise (BEC) Scams” this past September detailing the staggering losses that U.S. and Canadian companies have experienced due to compromised business email.
As summarized in the study, reported losses (the report notes that many cases go unreported) run to billions of dollars for U.S. companies and tens of millions for Canadian companies. The report also notes that several Australian companies have gone out of business because of freight forwarding scams, a type of BEC fraud.
The study highlights recent arrests, how BEC scams are perpetrated and how companies can report them to law enforcement. It also stresses the need for additional verification whenever a payment is requested, and the importance of training employees to recognize these schemes.
In order to protect yourself and your company from a BEC attack, you should stay up to date on different tactics and techniques used by fraudsters. Here are a few key pieces of information included in the BBB report that you should know about BEC scams.
- Falling for the first email: BEC attacks are 10 times more likely to produce a victim if the target answers an initial probe email.
- Common words and phrases: It helps to know the type of language that fraudsters use to create urgency and make their email sound official. Here are some words and phrases to look out for: “request” (36%), “follow up” (14%), “urgent” or “important” (12%), and “are you available?” or “are you at your desk?” (10%).
- The effectiveness of training: Before training, 30% of employees are likely to click on a malicious link contained in a BEC email. After training, only 2% are.
- Lead generation use: Some fraudsters were found to use lead generation services, even signing up for free trials, to obtain company and employee information, including names, email addresses and job titles. With these services, the information did not come from a breach and had not been stolen; it was offered by other companies as a business service.
- Cyber insurance: The report found that few insurers cover social engineering fraud, and that organizations which are offered such coverage have opted out of it.
- Detection: Spam and phishing filters are set up to spot computers that send large volumes of email, so they may not detect BEC attempts, which are aimed at specific recipients and usually sent in small numbers. BEC emails often slip through the cracks because they are well crafted and specific to the recipient.
- Email domains: The study notes that a security company found millions of registered domains closely resembling those of real companies; such domains are simple and inexpensive to set up. Always study the domain name of an unexpected email closely, especially when the sender asks for money or for a specific action such as opening a file or clicking on a link.
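As an added illustration of the last two points (this is not code from the BBB report or from this article), the Python check below examines a single sender header rather than sending volume. It flags domains that are near-matches or homoglyph variants of the organization's own domains, domains that merely embed the company name, and display names that match a known executive but come from a different address. The trusted domains, the executive list, the homoglyph table and the sample headers are all constructed for the example; a real deployment would load the first three from the organization's own records.

```python
"""Flag sender headers that look like business email compromise attempts.

Constructed example: TRUSTED_DOMAINS, EXECUTIVES and the sample headers are
made up for illustration and are not taken from the BBB report.
"""
from __future__ import annotations

from email.utils import parseaddr

# The organization's genuine mail domains (constructed for the example).
TRUSTED_DOMAINS = {"examplecorp.com", "examplecorp.co.uk"}

# People a BEC impostor is most likely to pose as, keyed by lower-cased
# display name (constructed for the example).
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}

# Character substitutions commonly used to build lookalike domains
# (assumed table; extend it for the alphabets and fonts your users see).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Fold homoglyph substitutions so 'exarnplec0rp' compares equal to 'examplecorp'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# The brand label of each trusted domain, e.g. 'examplecorp' (assumes the
# brand is the leftmost label, which holds for the constructed domains).
TRUSTED_LABELS = {d.split(".")[0] for d in TRUSTED_DOMAINS}


def classify_sender(header_value: str) -> list[str]:
    """Return a list of reasons the From: header looks like BEC; empty means clean."""
    display_name, addr = parseaddr(header_value)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons: list[str] = []

    if domain and domain not in TRUSTED_DOMAINS:
        label = domain.split(".")[0]
        for t_label in sorted(TRUSTED_LABELS):
            if normalize(label) == normalize(t_label):
                reasons.append(f"homoglyph lookalike of {t_label}")
            elif (dist := levenshtein(label, t_label)) <= 2:
                reasons.append(f"near-match of {t_label} (edit distance {dist})")
            elif t_label in domain:
                reasons.append(f"embeds trusted name {t_label!r} in an unrelated domain")

    # Display-name impersonation: the name of a known executive on an address
    # that is not that executive's real one (a common BEC pattern).
    key = display_name.strip().lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        reasons.append(f"display name impersonates {display_name} but address is {addr}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in [
        "Jane Doe <jane.doe@examplecorp.com>",
        "Jane Doe <jane.doe@exarnplecorp.com>",
        "Accounts Payable <ap@examplecorp-invoices.com>",
        "vendor@examplecrop.com",
        "Jane Doe <janedoe.ceo@gmail.com>",
    ]:
        print(header, "->", classify_sender(header) or "no findings")
```

The check runs on one message at a time, which is the point: it does not need the sender to have sent thousands of messages before it can say anything. The edit-distance threshold of 2 and the homoglyph table are tuning choices; short brand names will need a tighter threshold to avoid flagging unrelated domains.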
A review of email security settings, additional monitoring layers and accounts payable procedures can go a long way toward deterring a BEC attack by those attempting to divert company funds. As the anti-fraud expert in your organization, you have a huge responsibility to ensure that each person, from the new hire to the CEO, understands the potentially devastating effects of a BEC scam. Education truly is the key.
It could be the difference between moving an email to the junk folder and losing thousands of dollars.