According to the FBI, what type of fraud results in more losses to businesses, both large and small, than any other? A fraud that has cost businesses and other organizations more than $3 billion since 2016 and jumped 50% in the first three months of 2019 compared with the same period in 2018?
Business Email Compromise fraud (BEC) is the answer, and its effects on businesses are skyrocketing. A recently released investigative study by Better Business Bureau — “Is That Email Really From ‘The Boss’? The Explosion of Business Email Compromise Scams” — digs into the alarming growth of BEC scams and the criminal tactics that perpetuate them.
BEC fraud is an email phishing campaign typically targeting the people who pay the bills in business, government and other organizations. The classic BEC scam uses an email designed to look like it is from the boss (a CEO, owner or other higher-up), sent to the person who pays the bills. The message often claims the matter is urgent and that the boss is in a meeting or out of the office. Con artists rely on the likelihood that employees don’t want to bother the boss and will carry out the request without checking. Studies find that untrained employees open and take some type of action on one of these bogus phishing emails around 30% of the time!
There are three basic forms of BEC emails:
• They send an email from any email address but put the name of the real boss or other person in the “from” line, so the name looks right even though the address is not.
• They set up an email account with a domain name very similar to that of a real company or organization.
• In rarer cases, con artists gain access to the real person’s email account, and with it all of that person’s other email traffic. This is harder to achieve but more effective in committing a scam.
Con artists also know BEC attacks are 10 times more likely to produce a victim if the target answers an initial probe email, such as “Are you at your desk to make a payment?” Though many are used, the most common BEC subject lines, by frequency, are:
• “request” 36%
• “follow up” 14%
• “urgent/important” 12%
• “Are you available?” or “Are you at your desk?” 10%
Another popular con artist tactic is to impersonate a vendor or contractor, emailing accounts payable bogus invoices along with a notification that the vendor has changed bank accounts and asking that payment of the invoices be sent to a new account controlled by the fraudsters. This method of BEC has increased dramatically over the past few years, accounting for 39% of cases in 2018.
What can be done to protect organizations from BEC fraud? This is an IT problem, but tech solutions aren’t the total answer. It is vital that employees learn how to recognize and avoid responding to BEC efforts.
• One simple, effective tool is to pick up the phone or walk down the hall to confirm the request. Senior executives need to develop a culture that encourages this.
• Use multifactor authentication, such as a text message with a code that must be entered to log in.
• Have emails coming from outside the organization flagged with a warning such as, “This email comes from an external email address.”
• Verify any changes to vendor, customer or employee information by contacting them directly before changes are made.
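The first two forms of BEC email described above (a real name on any address, and a lookalike domain) and the external-sender warning recommended here can all be checked from a message’s “from” line. The following is an added example, not part of the Better Business Bureau study or this column; the organization’s domain, the executive names and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample values (not from the column): the organization's own
# domain and the display names of executives whose identity is often spoofed.
ORG_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two typos away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, real=ORG_DOMAIN):
    """True for a domain that is not ours but sits within two edits of it,
    or that embeds our registrable label (e.g. example-corp-invoices.com)."""
    if domain == real:
        return False
    label = real.split(".")[0]
    return edit_distance(domain, real) <= 2 or label in domain

def classify_sender(from_header):
    """Return the warnings an inbound mail gateway would attach to a message,
    judged from its From header alone. An empty list means an internal sender."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == ORG_DOMAIN:
        return []
    warnings = ["This email comes from an external email address."]
    if name.strip().lower() in EXECUTIVE_NAMES:
        warnings.append("Display name matches an executive but the address is external.")
    if is_lookalike(domain):
        warnings.append(f"Sender domain {domain!r} resembles {ORG_DOMAIN!r}.")
    return warnings

if __name__ == "__main__":
    # Constructed headers illustrating the column's first two BEC forms.
    samples = [
        "Jane Doe <jane.doe@example-corp.com>",      # genuine internal mail
        '"Jane Doe" <ceo.urgent@gmail-mail.net>',    # form 1: real name, any address
        "Accounts <payables@exarnple-corp.com>",     # form 2: 'rn' in place of 'm'
    ]
    for s in samples:
        print(s, "->", classify_sender(s) or ["internal"])
```

Only the header is examined; a gateway would combine this with the authentication checks (SPF, DKIM, DMARC) it already performs.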
The entire Better Business Bureau study can be found online at j.mp/2Q2BEap.
Cheryl Parson is president of the Better Business Bureau serving West Central Ohio. The BBB may be found on the Internet at www.lima.bbb.org.