Protect your business from fake payment emails

According to a recent cybercrime report from the FBI’s Internet Crime Complaint Center (IC3), fake payment emails accounted for more than $1.8 billion in losses from unsuspecting victims worldwide. These fake payment emails are referred to as Business Email Compromise (BEC) and look and feel a lot like phishing emails.

BEC results in one of the largest cybercrime-related monetary losses for New Zealand businesses and it has grown by 101% in 2020 – it’s everywhere, it’s growing, but with increased awareness, it can be prevented.

But what exactly is a Business Email Compromise?

A Business Email Compromise tricks an unsuspecting executive or employee into making payments to fraudulent accounts. A criminal will need to make the BEC email seem as legitimate as possible with the objective of receiving money disguised as an authorized business transaction. To make the BEC email seem genuine, it will appear to be from someone the executive or employee trusts – someone internal to the business or a supplier.

Let’s look at the many moving parts of Business Email Compromise.

This type of cybercrime is increasingly difficult to protect against and involves deception, trust, and an unsuspecting victim in the business with the ability to influence or make payments.

First: Reconnaissance Phase

In the Reconnaissance Phase, criminals will research the business, employees, and suppliers. They are looking for unsuspecting victims in the business with the ability to influence or make payments.

Scoping the corporate websites, LinkedIn, and other social media pages, they build a profile of the business and employees in targeted functions or roles.

Second: Preparation Phase

In the Preparation Phase, the criminals try to make their emails seem as genuine as possible. This can go as far as purchasing lookalike business domains and setting up email accounts that closely resemble corporate email addresses.

They might target [email protected] and create an account for [email protected].

Third: Delivery Phase

The emails are crafted and delivered to unsuspecting executives or employees using techniques similar to phishing emails, preying on fear and urgency to get payments made as quickly as possible. The less time the victim spends thinking about the email, the more successful the attack can be. The emails can include fake invoices, email trails, and other seemingly legitimate artifacts.

Fourth: Payment Phase

Once the BEC email-led payments are made, the criminals can move the money through multiple accounts locally and globally, making it difficult for local authorities to trace and recover.

How can you protect your business against Business Email Compromise?

  • Focus on an effective security awareness program to educate employees on good security practices.
  • Make everyone in the business aware of seemingly genuine but unsolicited e-mails requesting money transfers with a tone to act quickly.
  • Your IT department may be able to label or flag incoming emails from accounts whose names closely resemble those of employees.
  • Consider a two-step verification process for payment approvals. Contact the source through another means of communication to confirm the request is legitimate.
  • Ask your employees to limit the business’s exposure on social media and other company websites, and limit the number of names, positions, and other details you share on your corporate websites.
  • CERT NZ also advises businesses to keep software up to date, deploy strong passwords, and adopt antivirus software to combat the threat of BEC and other related frauds.
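One way an IT team could implement the flagging suggested above, covering both the lookalike domains from the Preparation Phase and senders who borrow an employee’s name, is shown below. This is an added example and not part of the original article; the corporate domain and staff directory are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed placeholders: the business's own domain and a small staff directory.
CORPORATE_DOMAIN = "example.co.nz"
EMPLOYEES = {
    "Jane Smith": "jane.smith@example.co.nz",
    "Tom Brown": "tom.brown@example.co.nz",
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as examp1e.co.nz."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name):
    """Lower-case a display name and drop punctuation so 'J. Smith' style tricks compare evenly."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def flag_sender(from_header):
    """Return warning labels for one From: header; an empty list means nothing suspicious."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    flags = []
    if domain == CORPORATE_DOMAIN:
        return flags  # genuine internal address; its authenticity is SPF/DKIM's job
    # 1. Display name matches a staff member but the address is external.
    if normalise(display) in {normalise(n) for n in EMPLOYEES}:
        flags.append("EXTERNAL-SENDER-USES-EMPLOYEE-NAME")
    # 2. Local part matches an employee's address at a foreign domain.
    if any(local == e.split("@")[0] for e in EMPLOYEES.values()):
        flags.append("EMPLOYEE-ADDRESS-AT-FOREIGN-DOMAIN")
    # 3. Domain is within two edits of the corporate domain (lookalike purchase).
    if domain and 0 < edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        flags.append("LOOKALIKE-DOMAIN")
    return flags


if __name__ == "__main__":
    for header in ("Jane Smith <jane.smith@gmail.example>", "Accounts <accounts@examp1e.co.nz>"):
        print(header, "->", flag_sender(header))
```

A mail gateway would prepend the returned labels to the subject line so the recipient sees the warning before acting on a payment request.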
