SMALL IN NAME ONLY: TECH TRENDS FOR SMALL BUSINESSES | A ZDNet Multiplexer Blog

When the email scam originates inside your walls

Don't fall victim to highly sophisticated business email scams

Today's cyber criminals are no longer content with phishing, i.e. sending emails that purport to be from a reputable organization but contain a link to a fake website (where you may be prompted to enter personal information or download malware). Instead, they're stepping up their game with business email compromise (BEC).

According to the FBI, BEC is when criminals use email to abuse trust in business processes, scamming organizations out of money or goods. This type of fraud is different from traditional phishing scams, as criminals impersonate business representatives using similar names, domains, or fraudulent logos. They may even use compromised email accounts from internal personnel and pretend to be a trusted co-worker.

Common scams associated with business email compromise include:

·         Invoice fraud: Criminals compromise a vendor's email account and help themselves to legitimate invoices. The criminals then edit contact and bank details on those invoices and send them to customers with the compromised email account. The customer pays the invoice, thinking they are paying the vendor.

·         Employee impersonation: Criminals compromise a work email account and impersonate a co-worker via email.

·         Company impersonation: Criminals register a domain with a name very similar to that of a known and trusted organisation.

Legitimate situations used as bait

Small businesses are being hurt financially by these types of scams. Earlier in 2021, the US Attorney's Office for the District of Massachusetts issued a warning to small businesses that received loans through the Paycheck Protection Program (PPP), noting a dramatic increase in reports of BEC schemes related to the program.

In December 2020, the Small Business Administration (SBA) released the exact loan amounts for more than 600,000 small businesses and non-profit organizations that received at least $150,000 in loans. Scammers used this information to impersonate PPP lenders requesting additional information about loan applications or loan forgiveness.

What makes these scam emails dangerous isn't just the level of sophistication, according to security researchers at Microsoft. Because they look like legitimate network traffic, BEC attacks generally evade spam lists and have a much higher likelihood of 'landing' in target inboxes. 

Microsoft noted BEC attacks are usually not detected until they cause significant monetary loss, because many security solutions offer limited or partial visibility into discrete infrastructure elements. In order to detect a BEC early, an organization must have comprehensive visibility into email traffic, identities, endpoints, and cloud behaviors, plus the ability to correlate what seem to be isolated events and deliver a more sophisticated, cross-domain detection approach.

Protection is the key

There are a number of ways small businesses can safeguard against BEC:

·         Use multi-factor authentication, so that passwords alone aren't enough for users to access business email and systems. 

·         Establish a clear and consistent business process for workers to verify and validate requests for payment and sensitive information.

·         Develop and maintain good security controls, including that ever-critical factor, user training.

The Australian Cyber Security Centre (run by the Australian Department of Defence) advises businesses to consider registering domains that look similar to their own (for example, the company name with letters such as 'l' and 'o' replaced by the digits '1' and '0'), so that scammers cannot register them first.
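The same substitution list works in the other direction: an organization can enumerate the digit-for-letter look-alikes of its own domain to register them, and a mail gateway can flag inbound messages whose sender domain is one of them. The script below is an added example, not code from the ZDNet post or from the ACSC; it uses the 'l' to '1' and 'o' to '0' swaps the article mentions, adds 'i' to '1' as an assumption, and goes a step further by also flagging any sender domain within one edit of the real one (a dropped or swapped letter). The domain `oldmill.com` and the From headers are constructed sample values.

```python
"""Enumerate look-alike variants of our own domain and classify inbound senders.

Added example (not part of the ZDNet post). Domains and headers below are
constructed for the example.
"""
from itertools import product

# Substitutions named in the article; 'i' -> '1' is an added assumption.
SUBSTITUTIONS = {"l": "1", "o": "0", "i": "1"}


def lookalike_variants(domain):
    """Return every domain obtained by swapping some non-empty subset of the
    substitutable letters in the label before the top-level domain."""
    name, _, tld = domain.lower().rpartition(".")
    positions = [i for i, ch in enumerate(name) if ch in SUBSTITUTIONS]
    variants = set()
    for mask in product((False, True), repeat=len(positions)):
        if not any(mask):  # skip the unmodified name itself
            continue
        chars = list(name)
        for pos, swap in zip(positions, mask):
            if swap:
                chars[pos] = SUBSTITUTIONS[chars[pos]]
        variants.add("".join(chars) + "." + tld)
    return variants


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-misses such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain from a From header like 'Pat <pat@example.com>'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header, own_domain):
    """Label a sender as internal, a digit look-alike, a near-miss, or external."""
    domain = sender_domain(from_header)
    own_domain = own_domain.lower()
    if domain == own_domain:
        return "internal"
    if domain in lookalike_variants(own_domain):
        return "lookalike-digit"
    if edit_distance(domain, own_domain) <= 1:
        return "lookalike-near"
    return "external"


if __name__ == "__main__":
    own = "oldmill.com"  # constructed sample domain
    print("variants to consider registering:", sorted(lookalike_variants(own)))
    for hdr in ["Pat <pat@oldmill.com>", "Accounts <ap@01dmill.com>",
                "pat@oldmil.com", "vendor@example.org"]:
        print(hdr, "->", classify_sender(hdr, own))
```

A gateway rule would quarantine or banner anything labelled `lookalike-*`; the variant list is also the input to the ACSC's registration advice, which is why the generator and the check share one substitution table.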

Small businesses that operate their own email servers and domains should implement email verification, as well. Sender Policy Framework (SPF) lets a domain publish which mail servers are authorized to send email on its behalf, and Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on it by telling receiving servers what to do with mail that fails that check and by reporting the results back to the domain owner. Together they are designed to detect fake emails sent under an organization's domain.
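Publishing the records is only half the job; an SPF record ending in `?all` or a DMARC record with `p=none` describes authorized senders but never rejects anything. The script below is an added example, not code from the ZDNet post, that parses the two TXT record strings and lists the gaps a defender would want closed. The records are constructed sample values; in practice they come from a DNS TXT lookup of the domain itself (SPF) and of the `_dmarc.` subdomain (DMARC).

```python
"""Assess whether a domain's SPF and DMARC records actually enforce anything.

Added example (not part of the ZDNet post). The record strings are
constructed sample values standing in for DNS TXT lookups.
"""


def parse_spf(record):
    """Split an SPF record into its sender sources and the final 'all' qualifier."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    sources, all_qualifier = [], None
    for mech in parts[1:]:
        qualifier = "+"  # default qualifier is pass
        if mech[0] in "+-~?":
            qualifier, mech = mech[0], mech[1:]
        if mech.lower() == "all":
            all_qualifier = qualifier  # what happens to unlisted senders
        else:
            sources.append(mech)
    return {"sources": sources, "all": all_qualifier}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        key, _, value = field.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unlisted senders (end with -all or ~all)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none: forged mail is reported but not blocked")
    pct = int(dmarc.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC policy applies to only {pct}% of mail")
    if "rua" not in dmarc:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


# Constructed sample records: a weak pair and an enforcing pair.
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in [("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)]:
        print(label, assess(spf, dmarc) or ["no findings"])
```

A DKIM signature is the third input DMARC evaluates, so a domain that forwards mail or uses third-party senders usually needs DKIM configured as well before moving from `p=none` to `p=reject`; the record check above only tells you what the published policy would do.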

The FBI recommends that everyone in an organization be made aware to:

·         Not click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one listed by the potential scammer), and call the company to ask whether the request is legitimate.

·         Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and get the click.

·         Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.

·         Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.

·         Verify payment and purchase requests in person, if possible, or by calling to make sure they are legitimate. Verify any changes in the account number or payment procedures with the person making the request.

·         Be especially wary if the email is pressing the recipient to act quickly.

Secure expert help

Dell Small Business Solutions is a valuable source of guidance for organizations that want to avoid these attacks with the help of cyber security and network protection measures. 

If a business does fall victim to a BEC scam, though, it's important to act quickly and contact any financial institutions immediately. Ask your payment processor to contact the financial institutions on the receiving end of any fraudulent transactions. Next, contact your local FBI field office to report the crime and file a complaint with the FBI's Internet Crime Complaint Center.