Beware, an old enemy has returned!
When an employee gets an email from the owner or CEO of the company asking for invoice information, Personally Identifiable Information (PII), or Wage and Tax Statement (W-2) forms for employees, most people wouldn’t think much about the request. They may see it as a bit odd the boss is coming to them directly via email, or not following the normal process, but most wouldn’t think twice about providing the information. It is the boss after all. Except, it isn’t.
While there has been a renewed focus on information security in recent history, fraudsters are still out there targeting the weakest links in *SMB cyber-security, the human users. Taking over an executive’s email, or even just spoofing the address, these fraudsters will imitate the companies process as much as possible to trick an employee into providing confidential information, or in the most popular case, to wire funds to the fraudsters accounts.
The FBI calls this type of scam "Business Email Compromise" and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” The FBI goes on to admit “It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam.”
Even though this is not a new scam, it is still finding success in *SMBs (a business which, due to its size, has different IT requirements—and often faces different IT challenges—than do large enterprises, and whose IT resources (usually budget and staff) are often highly constrained. ) all over the country. From January 2015 to December 2016 (most recent published data) the FBI reported a 2,370% increase in losses from this type of fraud. The combined loss of the 3,818 reported incidents was roughly $794,625,372. Revisiting the scam again in 2017 the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC as a single crime type for the first time.
So, what’s the big deal now if this has been going on for so long? Well, now we are seeing fraudsters targeting businesses right here in the Lehigh Valley. When our clients call up and ask us to look at suspicious email two things happen immediately. One, we get a sense of pride knowing the awareness we are building for them around cyber security issues has prevented a potential catastrophe for them. And two, we get one more piece of evidence showing how cyber-criminals have identified the relatively open field of potential SMB victims.
Knowing the average SMB is facing huge budget concerns when considering cybersecurity solutions, and the shortage of qualified cybersecurity professionals, cybercriminals are moving into the SMB area with a vengeance. According to a 2017 Better Business Bureau study nearly 1 in 4 SMB had experienced some type of cybersecurity event, be it malware, ransomware, or a full data breach.
In response to the increase of BEC events, the FBI published a list of recommendations to put in place to mitigate the risk, which we fully endorse:
Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
Be careful what you post on social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
Be suspicious of requests for secrecy or pressure to take action quickly.
Consider additional IT and financial security procedures, including the implementation of a two-step verification process.
Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail or open attachments. These often contain malware that will give subjects access to your computer system.
Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
Consider implementing two-factor authentication for corporate e-mail accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code).
Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, a detection system for legitimate e-mail of abc_company.com would flag fraudulent e-mail from abc-company.com.
Register all company domains that are slightly different than the actual company domain.
Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
Know the habits of your customers, including the details of, reasons behind, and amount of payments.
Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.
For more information on how to protect your business from these and other threats, contact us today and we will be happy to go over options that best fit your business. Remember, the best security system in the world doesn’t mean anything if you can’t get your employees to use it and still be productive.
Federal Bureau of Investigation IC3 (https://www.ic3.gov/media/2017/170504.aspx)
*SMB-a business which, due to its size, has different IT requirements—and often faces different IT challenges—than do large enterprises, and whose IT resources (usually budget and staff) are often highly constrained.