You’ve seen the headlines — Company sends $500,000 to Scammers. You may have thought — how could someone make that mistake? Don’t they have safeguards in place? Possibly, but these scammers are so sophisticated that sometimes it is hard to tell whether a request for payment is fraudulent.
Orlando IT Support professional, Nick Allo shares insights on how organizations can protect against email compromises.
Business Email Compromises
Business Email Compromise (BEC) is a sophisticated scam that targets businesses that perform wire transfers regularly. Most often, these schemes compromise legitimate business email accounts. The accounts are used to request bogus payments. In other words, BEC scammers pose as legitimate vendors to try to get companies to wire funds to their account. BEC attempts have steadily grown until they represent:
- $26 billion in exposed dollar losses, including both actual losses and attempted BEC fraud.
- An accumulated actual loss as a result of BEC scams exceeds $12 billion.
- A monthly loss of about $301 million
These email compromises happen daily. You and your employees need to be able to recognize them before the money is lost.
How Does BEC Work?
First, scammers compromise email accounts through spoofing or hacking. The compromised accounts usually belonged to CEOs or CFOs of a company. Today, these scams will compromise vendor, legal or real estate accounts. — any company that pays or is paid by wire transfer. BEC attacks are elaborate. They aren’t just an email requesting payment. Most of them include what appears to be supporting documentation for the payment request.
About two years ago, “a multinational technology company” and “a multinational online social media company” transmitted more than $100 million to a scammer’s account. The compromise was sophisticated enough to include forged invoices, contracts, and letters that appeared to be legitimate. He even created false corporate stamps that were given to financial institutions to corroborate the large wire transfers.
More recently, Nikkei reported that an employee at a U.S. subsidiary transferred $29 million to a bogus account. The employee thought he was following instructions from a management executive.
The city of Ocala, Florida, reported another BEC attack. An accounting specialist received what appeared to be a legitimate invoice from Ausley Construction, an authorized city contractor. The specialist transferred $742,376 to the scammer’s account. It wasn’t until Ausley sent a valid invoice that the fraud was identified.
How to Prevent a BEC
Defending against BEC is complex. It is a multi-step process. In advance of the transfer of funds, scammers attempt to compromise an email account. Since these attempts may happen months before the actual fraud attempt, the compromise goes undetected. It’s only after the transfer is executed that the compromised email is found.
Don’t Rely on Email
Contact the parties involved and speak with them either by phone or in person. It may take a little more time, but it can save your company millions.
Check Email Addresses
In the Ocala incident, the fraudster added an S to the company’s legitimate web address. Instead of @ausleyconstruction.com, the scammer wrote @ ausleyconstructions.com. It’s a common fraud practice to make a slight change to an email address, which goes unnoticed. Obviously, you can’t scrutinize every email address, but you can check those attached to a financial transaction.
Question Unusual Requests
If someone makes an unusual request, check with others in your organization to make sure the request is legitimate. For example, don’t email documents that are usually sent by mail or courier. Those emailed documents could easily end up in a criminal’s hands.
Have questions regarding business email compromise?
Contact Nick Allo at SemTech IT Solutions at https://www.semtechIT.com
Disclaimer
The information contained in South Florida Reporter is for general information purposes only.
The South Florida Reporter assumes no responsibility for errors or omissions in the contents of the Service.
In no event shall the South Florida Reporter be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the Service or the contents of the Service. The Company reserves the right to make additions, deletions, or modifications to the contents of the Service at any time without prior notice.
The Company does not warrant that the Service is free of viruses or other harmful components