The internet has changed the way businesses operate around the world. Having access to a tool of this caliber is essential to the way corporations function today, but it also has its downfalls. In this case, we’re referring to the incredibly dangerous threat most business owners are either unaware of or hardly ever think about – cybercrimes like Business Email Compromises (BEC).
Over the years, hackers have perfected their craft, advancing from implementing mild viruses to successfully committing largely damaging offenses like Denial-of-Service (DoS) attacks andinfiltration of the FBI and DHS databases.
One of the least sophisticated, but arguably most effective, types of hacks putting organizations at risk are BEC scams. Originally referred to as “Man-in-the-E-Mail scams,” BECs work because they appear to come from an internal company source. It’s the kind of deceit that makes you shudder when you realize the logistics – someone out there has been watching you on social media, observing your business behavior and keeping tabs on when you or your employees are available.
BEC scammers do not discriminate against small or large businesses. They do, however, have three potential patterns that are imperative for you to be aware of should you become a victim.
BEC Scam #1: “The Supplier Swindle”
“The Supplier Swindle” is also referred to “The Bogus Invoice Scheme” or “Invoice Modification Scheme.” Many businesses have great relationships with their supply chain partners. Some of the suppliers a particular organization works with may be located in foreign countries and/or may require the regular use of wire transfers as a form of payment.
According to the FBI Public Services Announcement of January 22, 2015, “The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed.”
Whether or not an organization’s supply chain includes companies located in other countries, they’re still a vulnerable and believable source for hackers. A company may be asked to wire money to an alternate account that turns out to be fraudulent. Usually, this request is made through email as these accounts are not difficult for a hacker to tap into. Beware of this scam as it can often appear like a reasonable request for payment.
BEC Scam #2: “The Business Executive Scam”
Often referred to as “CEO Fraude,” “The Business Executive Scam” or “Financial Industry Wire Frauds,” we’ll be calling it The C-Suite Breach. High-level executives and members of a companies’ C-Suite make great targets for hackers. In fact, they’re the hardest to track because very few employees would question their supervisor’s actions and motives.
Cyber criminals hack into their victims’ email accounts and send credible messages to a member of their organization asking for an immediate wire transfer or that an upcoming payment be redirected to a new account. These accounts are spoofs that are often believed to be legitimate because these hackers have learned their victim’s behavior, in this case, the CEO, CFO, CIO or other high level executive of an organization.
Typically, the cyber criminal will observe their target’s behavior to pick up on the type of language they use, track their social media accounts to find the perfect time to strike and/or attack when the victim is out of town and has little time to communicate with their staff. With this much effort, who wouldn’t mistake it to be a real request?
BEC Scam #3: The Vulnerable Employee
There is no clever name often used to describe the vulnerable employee scam. This one isn’t a knock in the park for hackers as the other two often are, but it’s equally as important to recognize. This type of scam occurs when an employee’s personal email is hacked and used to request wire transfers from members of an organization’s supply chain or the employee’s colleagues.
It’s easy to overlook an email domain when you see a sender name you recognize. Whenever possible, do not use public Wi-Fi-networks and avoid using your personal accounts for anything remotely business related.
Have you ever experienced any of the three types of Business E-mail Compromise Scams? If so, tell us about it by tweeting to @ID_Agent.