As the number of connected devices continues to rise, so does the sophistication of cybersecurity threats, namely scammers using advanced methods to compromise business email accounts. Business email compromise (BEC) spans all industries - retail, healthcare, financial institutions and nonprofits.
In today's age, business email compromise is most common in payments fraud, especially wire transfers. Wire transfers appeal to scammers because wired money is nearly impossible to recover due to immediate settlement and availability of those funds.
How Business Email Compromise Works
According to FirstBusiness.com, fraudsters monitor their victims by studying their behavior. They learn which employees are needed to make wire transfers and what the company's process is to initiate and complete transfers before the scam even begins.
Most often, cyber intrusions are initiated through a phishing email or malicious link. Employees unknowingly click the link and scammers instantly have access to that email account.
Scammers then pose as that employee through the spoofed account, and send urgent transfer requests with payment instructions from the account. Employees are less likely to question the wire transfer request if it's from somebody they trust, like a high-level executive, trusted vendor or government agency. In most cases, employees don't know they've been scammed until it's too late.
Fraudsters also slip through by sending transfer requests from email addresses that closely resemble those of a trusted party, such as a vendor. For example, email@example.com vs firstname.lastname@example.org. The variation in the email address is slight and easily overlooked, so an employee would need to pay close attention to where the request is coming from to see that it is not legitimate.
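The lookalike-address trick described above can be screened for automatically before a payment request reaches a person. The sketch below is an added example, not part of the original article: the vendor domains, the confusable-character list and the function names are all constructed for illustration.

```python
import re

# Constructed allowlist: domains the payments team already does business with.
TRUSTED_DOMAINS = {"acme-supplies.example", "northfield-freight.example"}

# Character swaps that are easy to miss when reading an address quickly.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Collapse visually confusable characters to a canonical form."""
    domain = domain.lower()
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain) for a sender address."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not match:
        return ("malformed", None)
    domain = match.group(1).lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    # Near miss: same shape after confusable folding, or only a few edits away.
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)
```

A "trusted" verdict only means the domain matches exactly; it says nothing about whether the mailbox itself has been taken over, so it does not replace verifying the request by phone.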
Another popular method is called "CEO Fraud," where scammers gain access to a high-level executive's email address and send wire transfer requests to lower-level employees. Without questioning or double-checking with the executive, the lower-level employee processes the wire, oftentimes to another financial institution.
Preventing Business Email Compromise and Payment Fraud
With proactive practices in place, cyber fraud doesn't have to happen to your company.
- Most importantly, always verbally verify the authenticity of the wire transfer request. Call the person who requested the transfer using a phone number you've used previously, not the phone number in the request.
- Have a call-back verification process when setting up payment instructions for a new vendor or making changes to an existing vendor's payment instructions.
- Understand email scams and educate employees. Education is key to protecting your financial assets and avoiding fraud.
- Review your business insurance policy and ensure it covers financial losses due to cybersecurity fraud.
Unfortunately, it is no longer a matter of if your company will be a victim of a cybersecurity hack attempt, but a matter of when. Review this fraud protection checklist to ensure your company is protected from cybersecurity scams.
Sarah is the Media Specialist at Heartland Bank. She graduated from Nebraska Wesleyan University with a degree in Communication Studies. Sarah enjoys spending time with her family and friends and organizing and decorating her home.