Reduce the Risk of Business Email Compromise
KEY TAKEAWAYS
• Organizations should ensure leadership and employees understand the threat of BEC and its financial consequences.
• Organizations should educate employees on what to watch for, like idiosyncrasies and errors in communication.
• Organizations should build workflows that ensure authentication protocols are never bypassed, even in the cases of urgency or leadership pressure.
• Organizations should emphasize the importance of accuracy and verification measures over speed.
Justin Rainey serves as chief information security officer and chief privacy officer at UMB Financial Corporation. In this role, he is responsible for establishing the strategy and implementation of an effective, integrated and proactive information security and privacy program. He is also responsible for advising and partnering with leadership to guide the management of emerging and actual cybersecurity, physical information security, data privacy, third party and data governance risks. umb.com
Verify, verify, verify before transferring funds
by Justin Rainey
UNDERSTAND THE RISK
Business email compromise (BEC) scams are a type of online payment fraud that targets businesses and can result in significant financial loss. BEC involves gaining unauthorized access to a legitimate email, text message or social media account or an attempt to spoof or fake a legitimate account.
The purpose is to enable the criminal actor to send a message from an executive or business leader, vendor or client to convince an employee to transfer funds.
Once these funds are transferred to the criminal actor, it’s difficult — if not impossible — to recover the loss. Between 2016 and 2021, Americans lost approximately $9 billion to BEC fraud. It takes only minutes for a financially crippling mistake — and it can happen to anyone. Whether it’s a new hire, a 20-year veteran, a payables manager or the CEO, the resulting impact is the same if a misstep occurs.
The good news is that there are actions businesses can take to minimize and mitigate their risk.
HOW TO IDENTIFY BEC RED FLAGS AND REDUCE RISK
The most important preventive measures to protect against BEC are vigilance and awareness. Below are several BEC red flags to look for in any communications regarding fund transfers or transactions.
Communication features:
• Spoofed communications — It’s crucial to thoroughly inspect spelling and domains on payment requests received via email. This includes carefully checking the address of the sender (email, phone number, etc.) to see if letters, numbers or the domain name are incorrect.
• Use of personal accounts — Criminal actors will impersonate company leaders, vendors or clients who are using their personal accounts (email, mobile phone, social media) rather than their standard company accounts.
Focus on timing:
• Urgency — Actors using BEC write communications requesting quick action on data changes and fund transfers or set accelerated deadlines. The faster timelines can result in missed validation steps or the employee acting outside of protocol.
• Relying on employees’ response to authority — These actors depend on employees being conditioned to quickly comply with requests from executive leadership or important clients and vendors.
• The request comes at a busy time — Many fraudulent requests will come at the end of the workday or work week, putting pressure on employees to complete the request before the end of business (or end of month/quarter/fiscal year).
Communication and behavior:
• Communications from executives — BEC fraudsters will impersonate a real individual, most often a leader or executive at the company a person works for.
• Single form of communication — Many BEC attempts will indicate that the sender is in a meeting or traveling and can’t be reached by phone or other means, and demand all communication occur via a specific communication channel such as email, text or social media.
• Generic terms and odd grammar — Non-personalized greetings in an email, such as “Dear” or “Sir” or “Customer,” are red flags. Other red flags in emails are odd grammar such as “kindly,” missing punctuation or spelling errors.
• Combined with fear and urgency, the prospect of being rewarded may prompt employees to skip typical procedures. These rewards can be tangible or intangible, such as being recognized for solving a problem or completing a highly important task for executive leadership.
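The red flags above (lookalike sender domains, personal accounts, urgency, generic greetings, a single locked-in channel, and a change of receiving account) can be turned into a simple triage check that a payables team or mail-filtering pipeline runs over incoming payment requests. The script below is an added example, not code from the article or from UMB; the trusted domains, personal-mail providers, keyword lists and the sample message are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed organisation data (constructed, not from the article).
TRUSTED_DOMAINS = {"example-corp.com", "vendor-example.com"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "kindly", "before close of business")
GENERIC_GREETINGS = ("dear sir", "dear customer", "dear,")
CHANNEL_LOCK = ("in a meeting", "can't be reached", "cannot take calls", "by email only")
ACCOUNT_CHANGE = ("new account", "updated account", "changed bank", "new wire instructions")


def lookalike_domain(domain):
    """Return the trusted domain this sender domain imitates, or None.

    A domain that is not one of ours but is textually very close to one
    (e.g. a swapped letter or digit) is the 'spoofed communication' red flag.
    """
    if domain in TRUSTED_DOMAINS:
        return None
    best = max(TRUSTED_DOMAINS, key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= 0.85 else None


def bec_red_flags(sender, subject, body):
    """Return a list of human-readable red flags found in one message."""
    _, addr = parseaddr(sender)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = f"{subject}\n{body}".lower()
    flags = []
    imitated = lookalike_domain(domain)
    if imitated:
        flags.append(f"spoofed domain {domain!r} resembles {imitated!r}")
    if domain in PERSONAL_DOMAINS:
        flags.append("sender is using a personal account")
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency language")
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(c in text for c in CHANNEL_LOCK):
        flags.append("single channel / unreachable by phone")
    if any(a in text for a in ACCOUNT_CHANGE):
        flags.append("change of receiving account")
    return flags


# Constructed sample message showing several red flags at once.
SAMPLE = dict(
    sender="Jane Doe CEO <jane.doe@examp1e-corp.com>",
    subject="Urgent wire needed today",
    body="Kindly process a wire to our new account before close of business. "
         "I'm in a meeting and can't be reached by phone, reply by email only.",
)
```

Any non-empty result should route the request into the verification workflow (a call-back on a known-good number) rather than block it outright, since the checks are heuristics and a legitimate request can trip one of them.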
HOW A COMPANY IS TARGETED FOR BEC
Before launching a BEC scam, criminal actors may research the company, employees and senior management to gather as much information as possible to help them craft a convincing request. They may even check travel schedules, read other business emails and review social media profiles.
Criminal actors most often identify themselves as a high-level executive (CFO, CEO, CTO, etc.), lawyer, vendor, customer or other type of representative. In the communication, they will claim to be handling confidential or time-sensitive matters and request initiation of an urgent wire transfer.
Notably, these urgent requests also include a change to the receiving account or setting up a new account (which ultimately routes to the criminal actor). The employee receiving the communication may believe the request is legitimate and execute the fund transfer, resulting in a financial loss for the company.
BEC TIMELINE
There is a predictable sequence of events that criminal actors follow in executing a business email compromise scam.