Business Email Compromise (BEC) scams are hitting financial institutions hard, and the threat only seems to be increasing. CEOs, CFOs, and financial employees are at a high risk of being targeted in BEC schemes, regardless of company size. Whether a small, community credit union or a multi-million dollar financial institution, these targeted schemes are impacting the bottom line for businesses across the globe – and here is what they all have in common: the targeted business must work with foreign suppliers and/or utilize wire transfer payments regularly.
What is a BEC Scam?
Also known as CEO fraud, and more generically as phishing, a BEC scam isn’t carried out until the attacker(s) have done their research, ensuring a more favorable outcome. The criminals first choose a business to target, then do online research via social media channels to locate the exact, accurate names of the CEO and CFO. Finally, they pick the person the attack will be carried out against: usually an employee who works in the finance department, the company attorney, a long-time company vendor, or a client.
Once a target has been selected, the criminals then send fraudulent email correspondence usually impersonating the CEO or CFO of the target company, attempting to fool the victim into initiating a wire transfer. If successful, the BEC attack will result in gaining access to the target’s business systems and records, including employee credentials, and the possibility of an enormous financial loss for the target company.
How Can these Scams be Effective?
While it may seem that common sense is all that’s required to avoid BEC and phishing scams, the criminals are quite savvy in determining what to say or do in order to obtain the desired action from the target. These criminals are educated, intelligent, and have spent countless hours planning these attacks. According to the experts at FraudWatchInternational.com, there are several ways in which the criminals will create a feeling of legitimacy in these efforts, including:
- Spoofing of legitimate email addresses;
- Writing in an urgent tone, asking the victim for the funds to be transferred immediately;
- Writing that “they” (the CEO or CFO) are in a meeting and cannot be disturbed with emails, texts or phone calls;
- Giving the idea that the sender of the email is using a mobile device to create and send the email, by including the signature “Sent from my iPad” instead of the standard corporate email signature. This is one of the most effective methods, because mobile devices are often “excused” from triggering the normal “red flags” (typos, poor grammar, lack of corporate signature).
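The indicators listed above can be checked mechanically as a first-pass mail filter. The following is an added example, not code from this article or from FraudWatchInternational.com; the organisation domain, executive names, keyword lists and sample message are all constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumed values for illustration: replace with your own domain and executives.
ORG_DOMAIN = "cu.example"
EXECUTIVES = {"jane doe", "john smith"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap)\b", re.I)
PAYMENT = re.compile(r"\bwire\b", re.I)
UNREACHABLE = re.compile(r"\b(in a meeting|cannot be disturbed)\b", re.I)
MOBILE_SIG = re.compile(r"^sent from my \w+", re.I | re.M)

def bec_indicators(raw_message):
    """Return the sorted BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    # Only single-part text bodies are inspected in this sketch.
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = set()
    # An executive's display name on an address outside the organisation.
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        hits.add("executive-name-external-domain")
    # Replies would be routed to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        hits.add("reply-to-domain-mismatch")
    if PAYMENT.search(body) and URGENCY.search(body):
        hits.add("urgent-wire-request")
    if UNREACHABLE.search(body):
        hits.add("sender-unreachable")
    if MOBILE_SIG.search(body):
        hits.add("mobile-signature")
    return sorted(hits)

# Constructed sample message showing every indicator from the list above.
SUSPICIOUS = """From: Jane Doe <jane.doe@cu-mail.example>
Reply-To: jane.doe@mailbox.test
To: finance@cu.example
Subject: Wire needed

I need a wire sent immediately. I am in a meeting and cannot be disturbed.

Sent from my iPad
"""

if __name__ == "__main__":
    print(bec_indicators(SUSPICIOUS))
```

Any single hit is weak evidence on its own; a message that trips several at once is a candidate for out-of-band confirmation before any transfer is made.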
BEC Scam Facts
Keeping a close watch on cybercrime – particularly BEC scams – the FBI compiled the following statistics, as reported from 2016:
- BEC scams have occurred in every U.S. state, and in a minimum of 80 countries;
- More than 17,000 people were victims of BEC scams from October 2013 to February 2016, with losses exceeding $2 billion USD;
- There has been a 270 percent increase in exposed losses and identified victims of BEC scams since January 2015.
Minimize Your Risk Through Education
Educating employees about the various ways in which criminals target financial institutions and their workforces will add an extra layer of protection. Be sure to:
- provide employees with proper, accurate and thorough training about targeted cybercrime, and ways to validate the legitimacy of correspondence.
- require careful monitoring of email addresses, to help avoid spoofing attempts.
- stress the importance of questioning anything suspicious. Regardless of the instruction received in email, encourage employees to ensure the validity of the request through contact with the implied sender, or his/her designated representative.
- utilize two-factor or multi-level authentication procedures for every wire transfer, regardless of situation or circumstance.
At IMS, we sincerely care about the protection and privacy of your data, employees, and members. We work with credit unions nationwide, to assist in minimizing risks and maintaining the safety of your data. If you would like to discuss how we can help protect you against financial cybercrime, contact us today or complete the form below!