Business Email Compromise: What It Looks Like and How to Avoid It
By Robert Casey, partner
Most people immediately recognize a scam when they get an email from a prince with promises to pay them a hefty sum of money for assistance in transferring money to the U.S. But what if you were the controller at a corporation and your CFO or CEO requested, via email, that you wire money to a certain bank account? Would you question the transaction before completing it? Does your corporate bank wire policy allow you to complete the request? The FBI has reported a 270 percent increase in exposed losses due to this type of scam since January 2015.
How the Scam Works
Phishing involves using emails or phone calls to trick users into giving sensitive information, downloading malware or even sending money. Generally the messages come from what appears to be a legitimate enterprise. When those attacks are directed at a specific individual, it’s called spear phishing, or, if the individual is a high-level executive, whaling.
One of the newest forms of phishing, business email compromise requires the scammers to do research through social media, press releases and even the target’s own website. They get the contact information for the C-level executives and use that information to create the deception.
In the simpler version of the scam, the phisher spoofs the email of a high-level executive. The recipient (in this example, the controller) gets an email from who he thinks is the CEO. The email address is changed slightly, and the controller does not realize it is not from the CEO. For example, if the CEO’s email is firstname.lastname@example.org, the spoof email might be email@example.com. Often the variation is so slight that unless the recipient is paying close attention, he may not recognize it. The recipient gets an email that says something such as, “Please wire $32,000 to the account number below immediately. Please code to miscellaneous expense and send me a confirmation when complete.” Often a sense of urgency combined with a desire to please the CEO gets the controller to act without considering if the request makes any sense.
In more advanced schemes, the scammer hacks the CEO’s actual email address to send the email.
How to Protect Your Company
Check with your email security provider and determine if their programs prevent these types of attacks. Ensure your security systems are updated frequently, as variations of these scams are constantly evolving. Test the systems to ensure they are appropriately filtering the attacks.
Next, re-evaluate your wire policy to require both written and verbal communication before the wire is sent. In the example above, if the controller had called to confirm the request with the CEO via voicemail or text to the CEO’s cell, the scam would have been thwarted. Require multiple approvals on international wire requests, and test the controls to ensure they are operating effectively.
Finally, you should provide training and education to employees, especially employees with access to bank information. Make sure that employees know they shouldn’t click on random links or downloads. Have them pay attention to the content of emails, as scammers are often from foreign countries and misspelled words are common. Also advise them to be on the lookout for terminology not normally used by the sender, such as “kindly” or “I beg.”
What to Do if You are a Victim
Contact your financial institution immediately and explain the situation. In many cases, the funds can be recovered if caught quickly. Contact the FBI, which may be able to assist in freezing funds, and file a complaint with the FBI’s Internet Crime Complaint Center.
Business email compromise scams represent a growing threat to businesses around the world. By following these best practices, you can help your company avoid falling victim to this form of phishing.