Business Email Compromise – Don’t Become a Victim
Business Email Compromise (BEC) is a growing form of cyber-crime. Criminals use email to impersonate someone else, tricking employees into transferring money or sensitive information. A recent study by TD Bank found that 20% of the companies hit by a cyberattack or fraud in the last year were victims of BEC.
BEC attacks are sophisticated and highly focussed. Rather than relying on malware, the crime often employs social engineering techniques to manipulate employees. The scammer may scrape compromised email inboxes, study recent company news, and research employees on social media sites to make these emails look as convincing as possible.
As an example, The Brick Warehouse was hit with a BEC scam in 2010 when a scammer claiming to be from Toshiba sent an email to Brick’s accounts payable (AP) department. The scammer told Brick’s AP department that Toshiba’s bank information had changed and advised the AP department to begin making payments to a new account. Brick did not confirm that the new banking information was a legitimate Toshiba account and sent $338,000 via wire to the fraudulent account.
Brick was able to recover some of the transferred funds but suffered a net loss of over $224,000. Cyber insurance coverage was denied by Brick’s insurer because the payment instructions to the bank were issued by the insured with its employee’s consent and not by the third-party fraudster.
How to avoid becoming a BEC victim
Perpetrators are using increasingly sophisticated methods to deceive businesses. The following tips will help you avoid being victimized:
- Ensure staff are aware that email addresses of company officers can be compromised or spoofed
- Educate staff to be suspicious of emails requesting urgent wire transfers or changes to vendor banking information
- Always double-check before sending money or data. Any email request for wire transfers, for sensitive information or for changes in banking information should be confirmed either through a phone call or in person
- Require at least two authorizations from two different personnel for fund transfers
- Control changes to the vendor database. Permit changes to be made only by authorized individuals, and only upon receiving appropriate management approval. Vendor database activity should be reviewed by management on a regular basis. Any vendors that are no longer used, and any duplicate entries, should be removed
- Additional tips to prevent BEC can be found in our blog, Ten Keys to Reducing A/P Error and Fraud
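The vendor-change, out-of-band confirmation and two-authorization controls above, modelled as a small approval workflow in Python. This is an added example, not code from the original post or from OTUS Group; the VendorMaster/authorize_payment names and the constructed vendor, phone number and account values are assumptions for illustration.

```python
from dataclasses import dataclass

class ControlViolation(Exception): """Raised when a BEC control is bypassed."""

@dataclass
class Vendor:
    name: str
    account: str           # bank account currently verified for payments
    phone_on_file: str     # recorded at onboarding, never taken from a request email
    pending_account: str = None  # requested new account, None when nothing is pending

class VendorMaster:
    def __init__(self, authorized_editors):
        self.vendors = {}
        self.authorized_editors = set(authorized_editors)

    def request_change(self, editor, vendor_name, new_account):
        """Record a requested account change; payments to it stay blocked until confirmed."""
        if editor not in self.authorized_editors:
            raise ControlViolation(f"{editor} is not authorized to edit vendor records")
        self.vendors[vendor_name].pending_account = new_account

    def confirm_change(self, vendor_name, number_called):
        """Out-of-band confirmation: the callback must go to the number already on file."""
        v = self.vendors[vendor_name]
        if v.pending_account is None or number_called != v.phone_on_file:
            raise ControlViolation("change must be confirmed by calling the contact on file")
        v.account, v.pending_account = v.pending_account, None

def authorize_payment(vendor, account, amount, approvers):
    """Release a payment only to the verified account, and only with two distinct approvers."""
    if vendor.pending_account is not None or account != vendor.account:
        raise ControlViolation("account not verified; payment held")
    if len(set(approvers)) < 2:
        raise ControlViolation("two different approvers required")
    return {"vendor": vendor.name, "account": account, "amount": amount}

def demo():
    """Constructed walk-through of the Brick scenario: the wire is held until the change is confirmed."""
    vm = VendorMaster(authorized_editors={"ap_manager"})
    vm.vendors["Toshiba"] = Vendor("Toshiba", "CA-OLD-001", "+1-555-0100")
    vm.request_change("ap_manager", "Toshiba", "CA-NEW-999")  # email: "our bank details have changed"
    held = False
    try:
        authorize_payment(vm.vendors["Toshiba"], "CA-NEW-999", 338000, ["alice", "bob"])
    except ControlViolation:
        held = True  # blocked: new account not yet confirmed by callback
    vm.confirm_change("Toshiba", "+1-555-0100")  # callback to the number on file, not one in the email
    paid = authorize_payment(vm.vendors["Toshiba"], "CA-NEW-999", 338000, ["alice", "bob"])
    return held, paid["account"]
```

Had Brick's AP department worked this way, the first wire in the 2010 case would have been held at the unconfirmed-change check rather than sent.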
If you would like to find out more about how you can reduce business risk, or you need help improving operating efficiency, reducing costs and strengthening your organization, please contact me at 613-727-1230 ext. 212 or firstname.lastname@example.org
Richard MacNeill, FCPA, FCMA, CMC, Dipl. T. is a partner at OTUS Group, a team of advisors to business, government and not-for-profit organizations.