Business Email Compromise Increases, $26B in annual losses, per FBI
The FBI, on September 10, 2019, issued a public service announcement regarding Business Email Compromise (BEC) threats. BEC is a sophisticated scam that targets government agencies, businesses, and individuals. Most commonly, the scam targets those who perform legitimate transfer-of-funds requests… individuals in finance/fiscal/accounting departments. These threats typically involve a criminal who compromises a legitimate business or personal email account and uses that account to request another person to transfer funds or take some other action.
The email often comes from what looks like a trusted source…
- a co-worker
- a legitimate vendor
… requesting that an urgent payment be made, gift card purchase made, or that a bank account number for wire transfers and/or ACH transactions be changed.
While Security Awareness Training has helped more and more end users identify phishing emails, malicious links, and malicious attachments, BEC is harder to detect because emails come from the sender’s legitimate email account.
According to the FBI, BEC continues to grow and evolve, and targets everyone – state and local government agencies; small, medium, and large businesses; and personal transactions. Between May 2018 and July 2019, reported losses doubled. In the 12 months ending July 2019, reported dollar losses (worldwide) swelled to $26B.
An increasing number of complaints involve payroll diversion. This typically begins when a company’s HR or payroll department receives a spoofed email appearing to be from an employee requesting a change to their direct deposit account. The criminals typically gain access to employee email accounts from phishing attacks which direct them to a spoofed email login page. The FBI reports an average dollar loss per complaint of $7904.
The FBI recommends that employees be trained regarding both preventative and reactive measures, which include:
- Use secondary channels (e.g. a phone call) to verify requests for payments and/or changes in account information
- Ensure the URL in emails is associated with the business it claims to be from
- Be alert to hyperlinks that may contain misspellings of the actual domain name
- Refrain from supplying login credentials or PII in response to any emails
- Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits
- Perform software updates on all operating systems and software
- Ensure that security awareness training stresses that employees should practice security techniques with email programs on their mobile devices, for example, to verify the email address of the sender and/or how to inspect URLs. Additional training may be needed.
- Adjust settings on employee computers so that they see the full file extensions on any attachments
Click HERE to download a poster with reminders of the FBI’s helpful suggestions for avoiding a BEC scam!
Security Awareness Training
Employee training is not a once-and-done event. Eagle Consulting offers award-winning Security Awareness Training programs which engage employees with short, engaging, and regular content, combined with regular, simulated phishing attacks. Security Awareness Training can help reduce multiple risks, including loss of funds through BEC, compromise of PHI, and damage to reputation.