Browse the Knowledge Center

Don't fall victim to the $43 billion dollar scam

Written by Koppinger & Associates | Apr 6, 2023 5:00:08 PM

You depend on your finance team to handle incoming and outgoing financial transactions.  What happens when it appears you have satisfied a payment obligation only to discover funds have been transferred to a fake account?  The money is gone, but until the correct party is paid you remain liable.

Business email compromise (BEC) is a sophisticated social engineering attack that enables criminals to cash in on an easy payday.  BEC involves an email message that appears to come from a known source making a legitimate request, like the following examples:

  • A vendor your company regularly deals with sends an invoice with updated banking account information
  • A vendor your company regularly deals with sends an invoice directing payment be sent to a different address than normal
  • A company CEO requests the purchase of multiple gift cards to send out as employee rewards and requests the serial numbers be emailed back so the cards can be sent out right away

Best Defense to Prevent becoming a Victim of BEC

Adopt a "zero trust" email policy and educate all of your employees on basic cybersecurity protocols, including the following:

  • Educate employees, clients, and vendors to:
    • Authenticate all financial transactions through dual-factor authentication, for example logging in with a password and then receiving a text or email message to confirm who is logging in
    • Confirm all payment method changes using trusted and authenticated information, for example verify odd payment requests by contacting the requestor on a known phone line, not the number given in the email
    • Learn the habits of those with whom they conduct financial transactions
  • How to detect phishing emails by providing examples and guidance on how to verify suspicious emails
  • Effective password management and encryption protocols for internal and external emails
  • Avoid responding to emails that are suspicious or from unknown sources
  • Locking and encrypting access to computers and files containing sensitive information
  • Implementing guidelines for maintaining and communicating sensitive data
  • Implementing protocols on how to request and respond to requests for sensitive employee information and how to securely send such information through a secure file transfer system
  • Enable multi-factor authentication
  • Conduct BEC drills, similar to anti-phishing exercises.

The best way to spot a fake email is to scrutinize it.  Teach employees to pay attention to the following:

  • Language and Grammar - Is this the way the impersonated individual would speak?  If unsure, call the person on a known phone line to verify the email was sent by them
  • Sender information that doesn’t match the email address 
  • Spelling mistakes
  • Urgency of request - requestor is unreachable but insists the transfer is urgent
  • Emails containing unsolicited attachments and links

Michigan State Police resources available at Michigan Cyber Command Center (MC3)

What if a BEC Email is Responded to

If you suspect you responded to a BEC phishing attempt and revealed some contact details or other privileged information, do the following:

  1. Immediately report the incident to your organization’s IT/cyber security team
  2. Notify your bank, credit card provider, and financial institution of the scam
  3. Request your bank to suspend all transactions
  4. Change passwords for email and financial accounts
  5. Look through account statements for any suspicious activity
  6. File a police report

What if You Fall Victim to a BEC Scam

  • An immediate response is crucial, funds are moved within minutes of a BEC incident
  • Contact your bank to reverse the wire
  • Contact local law enforcement to request a report, which is needed to reverse a wire
  • Contact a Secret Service field office Cyber Fraud Task Force
  • Law enforcement can work with FinCEN to initiate Financial Fraud Kill Chain
  • File a complaint with the Internet Crime Complaint Center (IC3)
  • Review email systems for unauthorized access or rule creation
  • Conduct a cyber security analysis on your systems
  • Change all login credentials

 

The threat of BEC is an increasing problem for all businesses. 
Now is the time to evaluate and update your cyber security plan. 
No plan means no protection. 
Koppinger & Associates has resources to help, contact us.