Business Email Scams a Top Fraud Threat to Treasury and Finance Professionals
Criminals reportedly stole nearly $750 million from more than 7,000 U.S. businesses between October 2013 and August 2015. Combined with international victims, the FBI estimates that more than $1.2 billion has been lost due to business email compromise (BEC) scams, also known as "CEO fraud".

BEC scams often begin with a phishing email that gives a fraudster access to a company employee's email account. Stu Sjouwerman, founder and CEO of IT security firm KnowBe4, explained that for an extended period of time, sometimes several months, the fraudster will monitor a compromised employee's email and determine who initiates wires and who requests them. From there, they'll either spoof an email or create a domain that's close to that of the company they are targeting. "The domain will look really close to the domain of that particular company and they'll send an email from the CEO," he said. "It looks like it's totally real."

When you receive an email from one of your contacts, do you just accept that you are talking to that person? Do you know for sure that the person you're communicating with is who they say they are? Even if you're familiar with your contact's writing style, remember someone else could be familiar with that as well and could be copying them. This is the way treasury and finance professionals need to be thinking in the current threat environment. Once people actually begin to think about things differently, they can better understand the threats.
Best Practices for Handling BEC Scams
- Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request a transfer of funds to determine whether the requests are out of the ordinary.
- Register all company domains that are similar to the actual company domain.
- Confirm requests for funds transfers. When using phone verification, use previously known numbers and not the numbers provided in an email request.
- Know your customers' payment habits and amounts. Flag anything out of the ordinary.
If you believe you've been the victim of this type of attack, you should immediately contact the sending bank and contact your local FBI office. The FBI, working with the Financial Crimes Enforcement Network (FinCEN), might be able to help return or freeze the funds. File a detailed complaint with www.IC3.gov. Be sure to identify the incident as a "BEC" scam.