Don't Be Fooled: Ways to Prevent BEC Victimization
How to Avoid Falling Victim to a Business Email Compromise Attack
Between December 2017 and May 2018, Americans lost nearly $3 billion due to business email compromise (BEC) scams. The NJCCIC receives numerous incident reports from organizations around that State impacted by various BEC attacks. Unlike generic phishing campaigns, BEC scams are a highly targeted form of social engineering. To make messages appear more legitimate, attackers commonly spoof the source name or email address of a familiar contact, use email domains that mimic a trusted source, or compromise a legitimate business account. The body of these messages often instructs the recipient to transfer funds or other sensitive information to the threat actor posing as a trusted associate. The following are tips to help reduce victimization by BEC scams:
Verify the source and instructions of any monetary transaction or other unusual requests received via email through a separate means of communication, such as a phone call. Replies to the email could be sent to the threat actor and is not an effective verification method.
Hover over the email sender name to determine if the address used to send the email is different than who the user claims to be.
Look for red flags in emails including, but not limited to:
The email contains poor spelling or grammar.
The request conveys a sense of urgency.
The appearance it was sent via a mobile device.
The request reference goods or services you are unfamiliar with.
The sender identifies themselves in a non-typical way, such as using full names or their first name when they go by their middle name.
The email is coming from an external source but the sender claims to be someone within your organization.
Unusual requests, such as a request from the CEO to have all employee W-2’s be sent to them via email, or an invoice from a vendor for an abnormally large amount.
If you take action on a financial BEC scam, notify your supervisor and banking institution immediately to attempt to disrupt the transfer of funds.
Implement filters at the email gateway to identify and block emails using known phishing tactics and those from suspicious IPs.
Create an email gateway rule to flag communications in which the “reply” email address is different from the “from” email address.
Identify emails that come from external sources outside your network by marking them with an “external email” tag in the subject and body. These emails should be given additional scrutiny.
Create a policy and procedure for identifying and reporting BEC emails, including periodic employee awareness training.
Establish policies and procedures that require any requests for highly sensitive information or large financial transactions to be authorized and approval by multiple individuals via a secondary means of communication beyond email.
Implement Domain-Based Message Authentication, Reporting, and Conformance (DMARC) to reduce the risk of email spoofing.
Common BEC attacks Reported to the NJCCIC
Wire Transfer Scam. These can come in a variety of forms, such as a CFO requesting the finance department to pay a supposed vendor for their services.
Direct Deposit Scam. Threat actors attempt to change employee direct deposit account information to an account controlled by the threat actor, known as payroll diversion.
Real Estate Wire Transfer Scam. Real estate brokers, attorneys, title agents, and buyers are being targeted by threat actors to defraud home buyers. In these highly-targeted attacks, an email account is often compromised, and the threat actor impersonates the title agent or attorney and requests the home buyer to transfer their closing costs to an account under their control. Between 2015 and the end of 2017, real estate BEC scams caused nearly $20 million in losses, a 2200 percent increase.
W-2 Scams. Particularly popular around tax season, in this attack, the threat actor impersonates the CEO or CFO and requests a copy of all employee W-2 forms. These are used to file fraudulent tax returns in order to steal individual’s refunds.
Invoice Scam. A threat actor impersonates a vendor the organization does business with, and provides them with a fraudulent invoice and payment instructions.