Business Email Compromise is Eroding Trust and Costing Millions

Category

Awareness, Social Engineering

Risk Level

(risk level graphic)

Imagine this: it’s 4:55 on Friday and you’re ready for the weekend. You and your boss have been emailing back and forth all day about paying out a vendor this week. Right before you start to pack up, your boss sends you one more email:

Received an update from the vendor - can you wire the money for the payment to this new account number instead?

You’re about to head out, and your boss just replied to the last email you sent them. Can’t be a phishing email, right? So you update the account number, shut down your computer, and head home.

Monday arrives, and the accounting department from the other company is on the phone asking about the payment. Your accounting team shows it as paid, but the other company never received the funds. Turns out, you were the latest victim of a business email compromise.

“What’s that?”

Business email compromise, or BEC for short, is a highly effective scheme used by scammers and hackers that has stolen billions of dollars from companies. In its 2019 Internet Crime Report, the FBI noted that over $1.7 billion was stolen in 2019 alone as the result of BEC. Both that figure and the number of complaints have risen alarmingly over the past six years. This is great for hackers and scammers, and bad for organizations and you.

“Ok, so how does that happen?”

There are two main ways hackers and scammers launch a BEC:

  1. They “spoof” the email address of someone in your organization, or another company.  Spoofing is when a scammer impersonates the email address of someone else. So even though the email shows up as being from “yourboss@yourorganization.com”, it’s actually from “superhacker2020@email.ru”.  The scammer can also slightly change the email address to look like a real one, like “yourboss@youronganization.com”.  These are two common tricks in phishing emails.

  2. Your boss’s email account, or that of a vendor, was actually hacked. A weak password, a re-used password, a phishing email that stole your boss’s email password, or a lack of multi-factor authentication could all let a hacker into your boss’s email. They may then send email directly from the compromised account, which is called Email Account Compromise (EAC), or download a copy of all of its messages, often using them to make the “spoofed” emails from number one above more convincing.
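The two spoofing tricks above leave traces in the message headers: an address or lookalike domain in the From header that does not match where the mail actually came from or where replies would go. The following added example (not Hive Systems’ code) checks a raw message for those traces; the trusted domain and the two sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Assumption: the organization's real mail domain.
TRUSTED_DOMAIN = "yourorganization.com"

# Constructed sample 1: From looks right, but the bounce and reply paths do not.
SAMPLE_SPOOFED = """\
From: Your Boss <yourboss@yourorganization.com>
Return-Path: <superhacker2020@email.ru>
Reply-To: <superhacker2020@email.ru>
Subject: Vendor payment update

Received an update from the vendor - can you wire the money to this new account?
"""

# Constructed sample 2: a one-letter lookalike of the real domain.
SAMPLE_LOOKALIKE = """\
From: Your Boss <yourboss@youronganization.com>
Subject: Vendor payment update

Received an update from the vendor - can you wire the money to this new account?
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Extract the lowercased domain from an address header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_red_flags(raw_message, trusted_domain=TRUSTED_DOMAIN):
    """Return the reasons a message deserves out-of-band verification."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    flags = []
    for hdr in ("Return-Path", "Reply-To"):
        other = domain_of(msg[hdr])
        if other and other != from_dom:
            flags.append(f"{hdr} domain {other} differs from From domain {from_dom}")
    dist = edit_distance(from_dom, trusted_domain)
    if 0 < dist <= 2:
        flags.append(f"From domain {from_dom} is a lookalike of {trusted_domain}")
    return flags
```

An empty list means the headers are internally consistent, not that the message is genuine: a hacked account sends perfectly consistent headers, which is why the phone call described later in the article still matters.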

Once the right moment arrives, hackers and scammers will pounce. They may hear about a major deal closing in the news, or they may be monitoring your boss’s inbox for the right moment. They’ll then craft a convincing email with instructions on what to do.

“But what are they trying to get with the email?”

There are a number of different things hackers or scammers may be trying to get.  They include, but are not limited to:

  • Money via wire transfer - could be related to an invoice payment, direct deposit request, or a large acquisition like a real estate deal

  • Gift cards - like from Google or Apple

  • W-2 information on employees - to be used for identity theft

  • Proprietary information - like trade secrets, or the recipe to Coca-Cola

If the email sounds convincing, or catches you off guard (maybe while you’re working remote or are about to leave for the weekend), you may get caught.  And if you just cost the organization millions of dollars, or jeopardized its future, you may have also just cost yourself your job.

The FBI has outlined this timeline in detail on their website:

Source: Federal Bureau of Investigation

“That’s not great. So how do I not fall for it?”

In short: if something seems off, validate it. Don’t send an email back to your boss or the vendor asking if the request is real. Pick up the phone, or contact them through another method. And whatever you do, don’t call any number listed in the email. Due diligence could save you your job.

If you’re an executive and an employee contacts you about the legitimacy of a request, thank them, don’t scold them. A bad organizational culture can make employees afraid to speak up. In this case, they wanted to protect the organization from harm, so thank them for potentially saving you millions of dollars and your hard-earned reputation.

“Say this may have just happened to me…”

Don’t panic. If the BEC was about stealing money, immediately notify your boss and have them contact your financial institution. They may be able to recall the funds.

In addition, contact the FBI through their Internet Crime Complaint Center (IC3). Every complaint filed through the website is investigated by a real human. The FBI has increased its capacity to handle requests through this site, and handled 467,361 complaints in 2019 alone.

Also, save any emails you may have received about the request.  These can help law enforcement track down the hackers, scammers, or even the lost money.

“What else can I do?”

Train your people.  It’s important to keep up to date on the latest BEC scams and how to recognize them, while developing a plan to stop them.  Hive Systems offers our Approachable Cybersecurity Awareness Training that helps your team stay ahead of hackers and scammers. Don’t wait until it’s too late.
