Don't let your company become the latest victim of what the FBI calls “the 12 Billion Dollar Scam” — Business Email Compromise (BEC). In these sophisticated schemes, criminals compromise and use email accounts to get a company’s employees or vendors to transfer funds or provide Personally Identifiable Information, such as Wage and Tax Statement (W-2) forms for employees.
For many victimized companies, the scam goes something like this: An employee receives a frantic email from their boss, who is, let's say, just about to board a plane. The boss asks the employee to immediately transfer a large sum of money into an account for a deal they just closed with a longtime partner. The employee recognizes the boss’s email address and the partner (with whom a real deal was in the works), so they send the money off as instructed. Except, of course, it actually goes into the hands of criminals.
In the past five years, more than 78,000 cases of BEC have been reported around the world, resulting in an exposed dollar loss of $12.5 billion. The problem is only getting worse. Between December 2016 and May 2018, the identified global exposed losses from BEC jumped 136%. The scam has been reported in all 50 states and in 150 countries. Large companies have acknowledged losing $100 million in BEC schemes. No one is immune — victims also include small and medium companies, as well as individuals.
The ongoing battle
Modern BEC scams are more sophisticated than the get-rich-quick email scams we're all familiar with. After criminals gain access to an email account, they’ll often wait patiently for an email that identifies a financial deal, such as the purchase of a piece of art or an escrow payment, and will attempt to re-route the money.
The amount of valuable information in emails that criminals can exploit can be surprising. Information about business partner relationships, ongoing wire transactions and business acquisitions can provide a goldmine of information for criminals to exploit.
Over the past year or two, the tactics and social engineering element of BEC attacks have become increasingly advanced. A criminal will fabricate a long email string between a company executive and a vendor that is designed to look as if the conversation has gone on for weeks. Because these crafty and meticulous schemes look authentic, they can fool even the most discerning people.
Watch for attempts to pressure you.
In the real estate industry alone, the FBI has noted an 1100% rise in the number of reported BEC victims, including title companies, law firms, real estate agents, buyers and sellers. Often, the recipient of a fake email will be asked to change the payment instructions to divert the funds to a fraudulent account. Usually, the funds are immediately depleted or sent to another account, making recovery difficult.
BEC fraudsters often try to trick people into acting quickly. A message from a purported boss will tell an assistant he needs a wire transfer done immediately before a pressing meeting. A criminal pretending to be a company lawyer handling a time-sensitive issue will send an email at the end of the workday or week, putting even more pressure on the recipient to act hastily.
Organizations with a concrete hierarchy are often more susceptible to fraud, since criminals count on the degrees of separation to cause junior employees to carry out email orders from higher-ups without verbal validation. In flat organizations, employees are more likely to go around the corner or pick up the phone to validate information or requests.
Protect yourself against BEC scams.
With the rapid increase and potentially devastating consequences of BEC, companies and individuals should take steps to ward off such schemes.
Institute an internal security training program.
Having a comprehensive anti-phishing training program can address the weakest link in the chain — making sure employees are not easily fooled. You can have a million security controls, but they can be circumvented by one person being tricked.
Choose the right vendors.
It’s important to select email vendors that provide services to block malware and email imposters prior to delivery.
Tighten access to email accounts.
An effective way to deter BEC is to use two-factor authentication (sometimes called multi-factor authentication) to protect your email account. In general, there are three ways to authenticate an account: something you know (for example, a password), something you are (for example, a retina scan or thumbprint), or something you have (for example, a hard token). If you use more than one of these authentications, thieves will have a much harder time gaining control of your account.
Beware of communications that are exclusively email-based.
By requiring mandatory verbal confirmation for payments or administrative changes to things like phone numbers and email addresses, you can dramatically decrease the chance of becoming a victim of BEC. In addition, the number of people who are authorized to approve wire transfers and money movements should be limited.
If you do get caught by a BEC scam, it’s critical to take fast action. Immediately contact your financial institution and request that the funds be recalled. Next, report the incident to your local FBI office, which may be able to assist in the recovery efforts.
Here's how First Republic can help.
First Republic, which has long maintained a strong, organization-wide commitment to security, can assist in your defense against BEC in two important ways:
Internet Security Health Checks
A First Republic Information Security Specialist will personally visit your office or home and provide a complimentary security assessment of machines used for online banking with First Republic.
On-Site Security Awareness Training
A First Republic Cybersecurity Representative can also conduct on-site security awareness training for your organization, alerting them of the most recent tactics that criminals are using to help them avoid being pulled into a sophisticated BEC scam.
To receive information about these services, or if you have any questions or concerns about cybersecurity, please contact First Republic's Information Security Team.