Hopefully, by now we all know not to click on the links broadcasting free $100 Walmart gift cards that frequently litter our inboxes – most of us are on the lookout for phishing tactics and malware that just scream “spam”.

But what about an email that by all accounts looks to come from your boss?

Ever since the FBI started investigating them back in 2013, Business Email Compromise (BEC) scams have affected companies of all sizes, across all states, and indeed the globe, costing businesses an estimated $3 billion in damages since 2015 while compromising sensitive company and personal data.

According to FBI organized crime investigator, Special Agent Martin Licciardo, “BEC is a serious threat on a global scale. And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims.”

What to Look Out For

Today, scammers have gone far beyond offering free gift cards with questionable addresses. Using tactics such as malware, spear-phishing, identity theft, email spoofing, and social engineering, these criminals have become masters of deception, and as such are extremely hard to detect.

In a common strategy, fraudsters first gain access to company networks through viruses or spear-phishing, then spend weeks, sometimes months, researching everything from the company’s billing practices and trusted vendors to the CEO’s email style and travel schedule.

After sufficient data has been collected, scammers will then wait until the perfect time – such as when the CEO is away on a business trip – before sending an email to the finance department under the guise of the CEO, asking for a money transfer.

The request is often believable: it is written in the CEO’s usual voice, arrives at a time when he or she would conceivably desire a transfer, and by all appearances goes to a trusted vendor account. Many fraud victims have no idea that they were indeed victims until it is too late. Once sent, money transferred to a criminal account is extremely difficult to track and recover unless the transfer is immediately reported to both the FBI and the suspected vendor.

How to Avoid Becoming a Victim

So, what steps can you take to avoid becoming a victim?

“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” says Special Agent Licciardo. “Don’t rely on e-mail alone.”

A few more methods of protection:

• Set up your inbox to flag emails that contain slight variations on the CEO’s email address, such as [email protected] instead of [email protected], or emails where the “reply” address is different from the initial sender;

• Color-code emails from employees to be a different shade from those sent by outside sources;

• Increase vendor protections through two-factor authentication, especially methods that include phone calls for transfer approval; and lastly

• Be suspicious until proven otherwise regarding all transfer requests sent via email.
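
The first two inbox rules in the list above, sketched in Python as an added example (it is not from the original article or the FBI): it flags near-miss sender addresses, a Reply-To that differs from the sender, and mail from outside the company. The domain example.com, the address ceo@example.com and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"        # assumption: your organisation's domain
EXEC_ADDRESSES = {"ceo@example.com"}  # assumption: addresses worth protecting

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message):
    """Return the reasons a message deserves a second look before acting on it."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    flags = []
    # Slight variation on a protected address: close to it, but not equal.
    if any(from_addr != e and edit_distance(from_addr, e) <= 2 for e in EXEC_ADDRESSES):
        flags.append("lookalike-sender")
    # Replies would go somewhere other than the apparent sender.
    if reply_addr and reply_addr != from_addr:
        flags.append("reply-to-mismatch")
    # Outside mail gets its own marker, like the colour-coding rule.
    if from_addr.rpartition("@")[2] != COMPANY_DOMAIN:
        flags.append("external-sender")
    return flags

# Constructed sample messages (headers only matter here).
SAMPLES = {
    "genuine": "From: Pat Boss <ceo@example.com>\nSubject: Q3 numbers\n\nThanks.",
    "lookalike": "From: Pat Boss <ceo@examp1e.com>\nSubject: Wire today\n\nUrgent.",
    "reply_to": ("From: Pat Boss <ceo@example.com>\n"
                 "Reply-To: ceo.office@mail.example.net\n"
                 "Subject: Wire today\n\nUrgent."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, bec_flags(raw))
```

A message with no flags is not thereby verified: the From header can be forged, and a compromised genuine account passes all three checks, so the direct confirmation described above still applies.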

“The ability of these criminal groups to compromise legitimate business e-mail accounts is staggering,” Licciardo affirms. “They are experts at deception. The FBI takes the BEC threat very seriously,” he added, “and we are working with our international partners to identify these perpetrators and dismantle their organizations.”

It’s important to make sure any e-mail communication received is valid to protect yourself and the company from potential fraud. Always double check before sending any information or money based on an e-mail request.
