Business Email Compromise Scams Targeting NJ Organizations
Recently, the NJCCIC has received several reports of social engineering campaigns targeting victims throughout the State via business email compromise (BEC) and CEO impersonation scams. Social engineering refers to a range of methods used to convince victims to divulge sensitive information or take an action on the attacker's behalf. It takes many forms, and unlike generic phishing campaigns, BEC and CEO impersonation scams are highly targeted. To make messages appear legitimate, attackers commonly spoof the sender's display name to show the name of a familiar contact, and they often send from domains that mimic a trusted source, such as a registered look-alike of the organization's own domain. If threat actors compromise a legitimate business account, that account can then be used to send additional phishing messages that are unlikely to raise suspicion, since they come from a genuine mailbox rather than a spoofed one.

The body of these messages typically instructs the recipient to transfer funds or send sensitive information to the threat actor, who poses as a trusted associate. According to the FBI Internet Crime Complaint Center (IC3) 2017 Internet Crime Report, BEC was the crime type with the highest reported losses.

The NJCCIC recommends that all organizations educate their employees on how to identify social engineering schemes so that they do not act on these scams. We also recommend that organizations put in place a clear policy and procedure for handling requests for sensitive information and financial transactions, designed to thwart these scams: any such request should require authorization and approval from someone other than the sender and recipient of the request, and should be verified through a channel other than the email itself, such as a phone call to a known number. If an employee within your organization falls victim to a BEC or CEO impersonation scam, alert your local law enforcement immediately. Reports may also be submitted to the NJCCIC via the Cyber Incident Report form on our website.
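The two sender tricks described above, a spoofed display name and a look-alike domain, can be checked mechanically on the `From:` header before a message ever reaches an employee. The following is an added example written for this page, not NJCCIC code or any product's detection logic; the organization domain `example-nj.gov`, the executive list, and the sample `From:` headers are all constructed for illustration. It flags a message when the display name matches a known executive but the address is not that executive's real mailbox, or when the sender domain mimics the organization's domain through a homoglyph swap, an appended top-level domain, or a one- or two-character edit.

```python
# Added example: flag display-name impersonation and look-alike sender
# domains, the two BEC tell-tales described in the advisory.
from email.utils import parseaddr

# Constructed sample data (not from the advisory): the organization's own
# domain and the executives most likely to be impersonated.
ORG_DOMAIN = "example-nj.gov"
EXECUTIVES = {"jane doe": "jane.doe@example-nj.gov"}

# Constructed sample From: headers mixing legitimate and suspicious senders.
SAMPLE_FROM_HEADERS = [
    'Jane Doe <jane.doe@example-nj.gov>',        # legitimate internal sender
    '"Jane Doe" <jane.doe.ceo@gmail.com>',       # executive name on free webmail
    'Accounts Payable <ap@examp1e-nj.gov>',      # homoglyph look-alike (1 for l)
    'Jane Doe <jdoe@example-nj.gov.co>',         # org domain with an extra TLD
    'Vendor Support <support@vendor.example>',   # unrelated external, benign
]

# Homoglyph folding applied before comparing domains (assumption: these are
# the substitutions worth catching; extend for your own domain's letters).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character domain edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_domain(domain):
    """Lower-case and fold homoglyphs so examp1e-nj.gov compares as example-nj.gov."""
    return domain.lower().translate(HOMOGLYPHS)


def is_lookalike(domain):
    """True if the sender domain mimics ORG_DOMAIN without being ORG_DOMAIN."""
    if domain == ORG_DOMAIN:
        return False
    normalized = normalize_domain(domain)
    if normalized == ORG_DOMAIN:
        return True                                # homoglyph swap
    if normalized.startswith(ORG_DOMAIN + "."):
        return True                                # example-nj.gov.co style
    return edit_distance(normalized, ORG_DOMAIN) <= 2


def analyze_from_header(header):
    """Return the list of BEC indicators found in one From: header."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    key = name.strip().lower()
    # Display name matches an executive, but the mailbox is not theirs.
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append("display-name impersonation")
    if is_lookalike(domain):
        findings.append("look-alike domain")
    return findings


def scan(headers):
    """Map each header to its findings; empty list means nothing flagged."""
    return {h: analyze_from_header(h) for h in headers}


if __name__ == "__main__":
    for header, findings in scan(SAMPLE_FROM_HEADERS).items():
        print(f"{header!r}: {findings or 'ok'}")
```

The edit-distance threshold and the homoglyph table are starting points: a threshold of 2 against a short domain will produce false positives, so tune it against your own mail flow, and treat these heuristics as a complement to, not a replacement for, the out-of-band approval procedure recommended above, since a compromised legitimate account produces a `From:` header that no header check will flag.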