Business Email Compromise
How does the fraud happen?
Business Email Compromise (BEC) are emails that appear to come from senior people, such as the CEO or Finance Director, within the business, requesting urgent payment to be made. Fraudsters will usually have done their homework by researching the name and position of executives within the business, as well as spoofing the email header.
Company executives are not solely at risk. Fraudsters often pretend to be clients, employees and supply chain partners, using various tactics to compromise victims’ email accounts, gaining access to legitimate mailboxes.
Some of these attacks can be highly sophisticated, such as a password spray, an attack that attempts to access many accounts (usernames) with a few commonly used passwords, or the use of malware (viruses, trojans), and phishing where attackers send an email with a link to a fake website that’s designed to steal credentials.
Successful attacks allow fraudsters to intercept emails between two parties by accessing the firms account or impersonating a client or other firm. For example, raising a bogus invoice which if paid, the money goes straight to the fraudsters’ bank account.
Other email compromise attacks have led to fraudsters intercepting email chains such as those relating to the proceeds of sales funds, sending emails which advise of new beneficiary account details that look to come from the genuine sender. This has resulted in the sale proceeds being sent to incorrect account details that don’t belong to the genuine client.
Regardless of the tactic, the goal is for the attacker to access your email and become you.
What to look out for:
- Fraudsters often try to elicit an emotional response from their targets. Commonly spoofing the identity of an executive within their target’s organisation, these messages rely on the targeted employee’s desire to help their boss or a company executive.
- Urgent requests which come at the end of the workday and week, putting pressure on targeted employees to finish requests before the end of business hours.
- It isn’t always payment requests; it can be a request to change bank account details or asking for a payment to be made to a specific account.
- Be wary of any unusual requests from senior people asking you to purchase store gift cards over email as it could be a scam.
Protect yourself and your business from Business Email Compromise
- Be vigilant, check and challenge these types of requests, even if they are from someone senior.
- Contact the sender independently to verify if the request is genuinely from them; don’t use the contact details in the request.
- Have a specific documented process for the arrangement of payments. Any requests outside of this process, particularly if they are by email, should be treated as suspicious until verified with the individual directly.
- Train your employees how to recognise suspicious emails and what to do with one if they receive one.
- Strengthen passwords for access to email accounts avoid common phrases and using the same password for everything. A good way to create a strong and memorable password is to use three random words and replacing some letters with numbers and symbols, for example, 42Greenwh@leOcean!
- When creating your out-of-office messages, share as few details as possible, and avoid publishing direct business phone numbers, names, titles and email addresses for other members of your organisation. Avoid using definite dates of your absence, since this information could be used by a cyber-attacker trying to steal information from your company.
- Ensure all staff are aware of this type of fraud and to remain vigilant, including the senior directors and CEO. Make sure staff feel able to approach senior people to verify if a request is genuine.
- If you are a Bankline user, control which employees can make payments by reviewing and maintaining user roles and privileges including setting payment limits.
- Never send details of a change of bank account to your clients by email.
Always think twice and make double checking second nature
Take Five to stop fraud
Take Five is a national campaign that offers straight-forward and impartial advice to help everyone protect themselves from preventable financial fraud. This includes email deception and phone-based scams as well as online fraud – particularly where criminals impersonate trusted organisations.