Do you conduct wire transfers as part of your day-to-day business, particularly with overseas vendors? If so, you are a primary target for business email scams, and even more so if your dealings with companies abroad are publicized. These scams target everyone from high-level executives to corporate recruiters.
Common Tactics Used in Business Email Scams
When people think about email scams, they tend to think about those that target individuals: an inheritance from a trust in Nigeria, or a plea to help a friend raise bail money. Some of these are surprisingly well-written and catch even careful people. What is easy to forget is that a number of email scams circulate that target businesses as well.
These can become quite dangerous because large amounts of money can change hands almost anonymously with a few keystrokes. This is why it is important that businesses understand the nature of these email scams, how to identify them, and how to avoid becoming a victim of them.
What is Business Email Compromise
In short, Business Email Compromise, or BEC, is a scam that targets companies known to conduct wire transfers or to have goods shipped to or from abroad. Any publicly listed email addresses tied to your business dealings give the scammer material to work with.
Companies that do business overseas are targeted precisely because they routinely send wire transfers to suppliers abroad, which makes a fraudulent payment request look routine. This is the pattern commonly referred to as Business Email Compromise.
The scam also relies on the compromise, or convincing imitation, of the email account of a corporate executive or high-level manager. The result is an email that appears to come from a legitimate, trusted sender but does not. Because the supposed sender carries so much authority within the organization, the staff with authority to send large wire transfers may end up sending them to an account the criminal controls. These attacks are growing in number around the world, so companies need to be alerted to them.
Every year, losses from BEC attacks rise. With security tooling improving, why is this the case? Because most BEC attacks do not need to defeat a technical control. They exploit trust: an unaware employee opens the door by acting on a request that looks legitimate.
Who Does This?
In the simplest form, the short answer is criminals. A better understanding of how they work, however, may help your business in the future. The same groups that run phishing campaigns are usually behind BEC; the scheme was formerly known as the "man-in-the-email" scam.
BEC attackers rely heavily on social engineering to trick unsuspecting employees. They research the executives they impersonate carefully so that they can answer any question correctly and promptly if challenged. They also watch the targeted employee's habits and correspondence before making the approach.
How Do They Get In?
Any company that makes overseas payments online can be targeted.
Attackers typically pretend to be an executive of an overseas company that your company publicly does business with. They compile large amounts of public information so that it seems only logical that the sender must be an insider.
From there, they either gain access to an account or convincingly imitate one. They then send you an email posing as your regular vendor or purchaser, describing some problem or glitch and requesting funds to complete a transaction that fits your company's normal day-to-day activity, so nothing looks out of the norm. Those who commit this kind of fraud do their research. They know which companies, and which employees within those companies, are the most vulnerable and why.
Typically the attackers have researched the people around your company well enough to take on the personality of the person they are impersonating. So if they are emailing from an address strikingly similar to Tom's, they are going to sound like Tom, respond like Tom, and even push back on a refusal the way Tom would.
Five Types of BEC Scams
The Bogus Invoice Scheme
Companies that deal with foreign suppliers are the usual target. The emailer pretends to be the supplier and sends an invoice for something the company would typically pay for. The money goes into an account controlled by the scammer instead of the real supplier. This can repeat over and over until the company notices.
Again, the scammers use language barriers to ease their way in, and they have researched your business partner well enough to play the part convincingly to the employee of their choosing.
CEO Fraud
Here, the scammer simply pretends to be the head of the company or CEO. They may give details about an upcoming project, possibly a real one, and ask you to transfer money to a separate account for a stated purpose.
The scammer's email address will look similar to your CEO's, and because much of your CEO's information is public, they will have a wealth of detail to exploit. Once the money is wired, you have been scammed.
Account Compromise
Here, an employee's account is actually compromised. The scammers break into an employee mailbox and read through the list of people the company does business with, particularly in finance and similar departments.
The attacker then sends an email requesting payment, posing as the vendor for that company. The invoice may already have been paid, but the fake "invoice" looks convincing, and the money goes into an account the attacker controls.
Attorney Impersonation
Here, the attacker pretends to be your business attorney. The email, often marked "urgent", expresses a desire to discuss an important matter. It is usually sent at the end of the day, so that if you do pick up the phone and call your lawyer, nobody answers. The subject line may include words such as "confidential", "urgent", or "crucial".
The Data Theft
CEOs are not the target this time. Scammers target lower-level employees in HR with the goal of stealing personal data about the people who work at the company, such as tax forms and other identifying information. They might not use it right away, but they will use it later. If your HR department gets an unusual outside call or email asking for information on specific people, proceed with caution on anything that does not feel right.
These five scams all depend on a request that falls outside normal behavior, which is why every department in your company should be trained to recognize them. No department is immune to business email scams. Understanding each of these types of fraudulent email will help protect your company in the long run.
The Art of Deception in BEC Scams
The people behind these scams are sophisticated and well prepared. Their emails come from someone who has done extensive research, and that is what makes this type of fraud so hard to spot. They make the emails so convincing that you believe you are dealing with the person you wire money to every month. They create letterheads, false balance sheets, fake invoices, and more. Just because a document looks authentic does not mean it is.
You might think that you can never become a victim of these types of email scams, but keep in mind that criminal organizations are extremely adept at the art of deception. This is why you need to be able to spot these possible deceptions in order to avoid falling victim to these business email scams in the future. Consider the following as a guide to help you.
- Spoofing – Using a slight variation of a legitimate email address or domain name you are familiar with, or forging the display name so the message appears to come from that address.
- Spear Phishing – A targeted email crafted to look as though it was sent by someone within the organization, or a trusted partner.
- Malware – Malicious software delivered through an attachment or link that gives criminals access to mailboxes and internal systems, from which they harvest the financial details and correspondence they need to make a fraudulent request convincing.
Outline of Tools Used
Attackers are known to combine several simple yet effective tactics.
What makes them effective is the use of an address that differs from a legitimate one by only a character or two.
“John.Kelly@dbc.org versus JohnKelly@dnc.org.”
Do you see the difference?
They go phishing by sending a fraudulent email that appears to come from a trusted person you do business with. They also deliver malware the same way: a legitimate-looking email asks you to open a link or attachment, and malicious code runs as soon as you do.
Another common tactic is pressing you to act as quickly as possible, before anyone has time to raise questions.
Knowing the tools criminals use in these scams helps you identify them if you are ever the target. Malware matters especially because it is something you do not see; regularly inspect all computers and devices you use to make sure nothing is there that could cause you to inadvertently compromise data.
Don’t Be a Victim of a BEC Scam
One of the best ways to avoid this is to call the requester directly, using a phone number you already have on file rather than one given in the email. Asking the person to resend the request to a different email account is not a substitute, because the attacker may control the mailbox; only a separate channel verifies that the wire transfer is legitimate. Color-coding emails by origin (internal versus external) can also help, although depending on how many emails you receive at work every day you may not be able to keep track.
You want to do everything you can to avoid becoming a victim of a business email compromise scam. These email scams cost companies billions of dollars every year. As such, you need to adopt certain best practices to minimize this risk.
Avoiding BEC Scam Best Practices
Look over every payment request carefully. Do you notice anything out of the ordinary? If so, it could be a scam. Here are six best practices you can implement immediately to avoid becoming a victim of these email scams.
- Configure your mail filtering or intrusion detection system to flag incoming emails whose sender domain closely resembles your company's or your vendors' domains.
- Develop an email rule that flags messages whose Reply-To address differs from the From address.
- Color code your emails so you can separate internal from external email accounts.
- Verify any change in payment details directly with the vendor through a second channel, such as a phone call to a number already on file.
- Confirm all transfer fund requests via telephone.
- Double-check every email that requests funds to find out whether anything appears out of the ordinary.
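The lookalike-address trick shown above (John.Kelly@dbc.org versus JohnKelly@dnc.org) and the first two best practices in this list can be checked mechanically at the mail gateway. The following Python script is an added example written for this article; it is not code from Enterprise Computing Services or from any product. It assumes a list of trusted domains and executive names (TRUSTED_DOMAINS and KNOWN_EXECUTIVES, both made up here) and runs three checks over constructed sample messages: a sender domain within one or two edits of a trusted domain, or equal to it after folding confusable characters such as "rn" for "m"; a Reply-To whose domain differs from the From domain; and an executive's display name arriving from an untrusted domain.

```python
"""Flag the email-level BEC indicators described in the article: a sender domain
that imitates a trusted one, a Reply-To pointing somewhere other than the From
address, and a display name that borrows an executive's name from an outside
domain. Added example for the article, not a product of the company it names.
TRUSTED_DOMAINS, KNOWN_EXECUTIVES and the sample messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Assumption: your own domain plus the domains of vendors you pay.
TRUSTED_DOMAINS = {"dnc.org", "acme-supplies.com"}
# Assumption: display names an attacker would borrow (lower-case for matching).
KNOWN_EXECUTIVES = {"john kelly", "maria lopez"}
# Character sequences that look alike in common fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(domain):
    """Fold confusable sequences so 'acrne-supplies.com' equals 'acme-supplies.com'."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; sufficient for short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted/unrelated."""
    domain = domain.lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    # Short domains get a tighter threshold: one typo is already a near-match.
    max_dist = 1 if len(domain) <= 8 else 2
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= max_dist:
            return trusted
    return None


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def analyse(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    imitated = lookalike_domain(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")

    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = _domain(parseaddr(str(reply_to))[1])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    if from_name.strip().lower() in KNOWN_EXECUTIVES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{from_name}' used from untrusted domain {from_domain}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = """From: John Kelly <JohnKelly@dbc.org>
To: accounts@dnc.org
Subject: Urgent wire today

Please send the wire before close of business.
"""

SAMPLE_REPLY_TO = """From: Maria Lopez <maria.lopez@acme-supplies.com>
Reply-To: Maria Lopez <maria.lopez@acme-supplies-billing.net>
To: ap@dnc.org
Subject: Updated bank details for invoice 4417

Our remittance account has changed; see attached.
"""

SAMPLE_CLEAN = """From: Maria Lopez <maria.lopez@acme-supplies.com>
To: ap@dnc.org
Subject: Invoice 4417

Invoice attached, terms as usual.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLY_TO), ("clean", SAMPLE_CLEAN)):
        print(label, analyse(sample) or ["no indicators"])
```

A finding from this script should quarantine or tag the message for manual review, not silently drop it; the edit-distance threshold will also catch some legitimate unrelated domains, so tune it against your own mail flow before enforcing. None of these checks replaces the phone call in the next two items, which is the only control that works when the sender's real mailbox has been taken over.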
An experienced IT service company like Enterprise Computing Services can provide the necessary diagnostics and upgrades to seamlessly manage your IT services and help you avoid scams like the ones described above. For tech support, give us a call at 318-219-3427.