NJCCIC
Home
Report Incidents Report Data Breaches Contact Us
Our Mission Leadership
Alerts and Advisories Public Data Breaches Threat Profiles Cyber Alert Indicator Threat Analysis This is Security Be Sure to Secure
Citizens Businesses Government Best Practices Outreach Election Security Email Encryption FAQ Glossary
Membership Internships
Home Report Report Incidents Report Data Breaches Contact Us ABOUT Our Mission Leadership Threat Center Alerts and Advisories Public Data Breaches Threat Profiles Cyber Alert Indicator Threat Analysis This is Security Be Sure to Secure Resources Citizens Businesses Government Best Practices Outreach Election Security Email Encryption FAQ Glossary Join Membership Internships
NJCCIC
New Jersey Cybersecurity and Communications Integration Cell

Don't Be Fooled: Ways to Prevent BEC Victimization

How to Avoid Falling Victim to a Business Email Compromise Attack

Between December 2017 and May 2018, Americans lost nearly $3 billion due to business email compromise (BEC) scams. The NJCCIC receives numerous incident reports from organizations around that State impacted by various BEC attacks. Unlike generic phishing campaigns, BEC scams are a highly targeted form of social engineering. To make messages appear more legitimate, attackers commonly spoof the source name or email address of a familiar contact, use email domains that mimic a trusted source, or compromise a legitimate business account. The body of these messages often instructs the recipient to transfer funds or other sensitive information to the threat actor posing as a trusted associate. The following are tips to help reduce victimization by BEC scams:

Users

  • Verify the source and instructions of any monetary transaction or other unusual requests received via email through a separate means of communication, such as a phone call. Replies to the email could be sent to the threat actor and is not an effective verification method.

  • Hover over the email sender name to determine if the address used to send the email is different than who the user claims to be.

  • Look for red flags in emails including, but not limited to:

    • The email contains poor spelling or grammar.

    • The request conveys a sense of urgency.

    • The appearance it was sent via a mobile device.

    • The request reference goods or services you are unfamiliar with.   

    • The sender identifies themselves in a non-typical way, such as using full names or their first name when they go by their middle name.

    • The email is coming from an external source but the sender claims to be someone within your organization.

    • Unusual requests, such as a request from the CEO to have all employee W-2’s be sent to them via email, or an invoice from a vendor for an abnormally large amount.

  • If you take action on a financial BEC scam, notify your supervisor and banking institution immediately to attempt to disrupt the transfer of funds.

Organizations

  • Implement filters at the email gateway to identify and block emails using known phishing tactics and those from suspicious IPs.

  • Create an email gateway rule to flag communications in which the “reply” email address is different from the “from” email address.

  • Identify emails that come from external sources outside your network by marking them with an “external email” tag in the subject and body. These emails should be given additional scrutiny.

  • Create a policy and procedure for identifying and reporting BEC emails, including periodic employee awareness training.

  • Establish policies and procedures that require any requests for highly sensitive information or large financial transactions to be authorized and approval by multiple individuals via a secondary means of communication beyond email.

  • Implement Domain-Based Message Authentication, Reporting, and Conformance (DMARC) to reduce the risk of email spoofing.

Common BEC attacks Reported to the NJCCIC

  • Wire Transfer Scam. These can come in a variety of forms, such as a CFO requesting the finance department to pay a supposed vendor for their services.

  • Direct Deposit Scam. Threat actors attempt to change employee direct deposit account information to an account controlled by the threat actor, known as payroll diversion.

  • Real Estate Wire Transfer Scam. Real estate brokers, attorneys, title agents, and buyers are being targeted by threat actors to defraud home buyers. In these highly-targeted attacks, an email account is often compromised, and the threat actor impersonates the title agent or attorney and requests the home buyer to transfer their closing costs to an account under their control. Between 2015 and the end of 2017, real estate BEC scams caused nearly $20 million in losses, a 2200 percent increase.

  • W-2 Scams. Particularly popular around tax season, in this attack, the threat actor impersonates the CEO or CFO and requests a copy of all employee W-2 forms. These are used to file fraudulent tax returns in order to steal individual’s refunds.

  • Invoice Scam. A threat actor impersonates a vendor the organization does business with, and provides them with a fraudulent invoice and payment instructions.

Scams, Account Security, Cyber Safety and Tips, Policy and RegulationsKrista ValenzuelaFebruary 6, 2019business email compromise
Facebook0 Twitter LinkedIn0 Reddit
Previous

Tax Scams and Identity Theft: What You Need to Know

ScamsNJCCICFebruary 27, 2019Identity Theft, ITRC, IRS, Phone, Email, Spoofing, Scams, Tax
Next

Seeing AI to AI: Artificial Intelligence and its Impact on Cybersecurity

Network Security, Account Security, Internet of ThingsNJCCICJanuary 16, 2019artificial intelligence, machine learning, neural networks, AI
state seal, NJOHSP seal & NJCCIC seal
 

NJ CYBERSECURITY & COMMUNICATIONS INTEGRATION CELL

PO Box 091

Trenton, NJ 08625

A DIVISION OF THE NJ OFFICE OF HOMELAND SECURITY & PREPAREDNESS

""
 
 

CONTACT US

Email: njccic@cyber.nj.gov

Phone: 1-833-4-NJCCIC (1-833-465-2242)
Press ReleasesReportSubscribeLegal Statement & DisclaimersOPRA

© 2015-2019 State of New Jersey. All Rights Reserved.

 

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.