Cyber-enabled crimes: The FBI’s 2018 Internet Crime Report shows the prevalence and financial toll of online theft, fraud and exploitation – anyone who uses a connected device can become a victim.
Nearly half of the US$2.7 billion in losses in 2018 was attributed to Business Email Compromise (BEC), also known as Email Account Compromise (EAC). BEC/EAC is a sophisticated scam targeting both businesses and individuals who perform wire transfers. These scams rely on hackers compromising a legitimate email account, which they use to send emails that trick employees at the same company, or at upstream/downstream business partners, into wiring funds to the attackers' accounts on the strength of fake invoices or business contracts.
The term BEC is also used in situations where thieves don't necessarily hack into an employee's email account, but merely spoof a business partner's identity and exploit an employee's lack of attention to get them to pay fake or legitimate contracts into the wrong bank accounts.
Losses from BEC scams are expected to go even higher in the coming years, since they require little technical skill to carry out and are notoriously difficult to detect: most of the emails come from (compromised) legitimate accounts, which victims tend to trust. Because these scams are usually well researched and rely more on social manipulation than on technical exploits, they pass through anti-virus programs and spam filters.
Hackers with access to an email account can easily reset passwords for any other accounts using the email, opening the gate for further potential compromise.
How to Protect Your Business
Businesses need to ensure they have a robust cyber security program which includes two-factor authentication on accounts, multi-person approval process for transactions over a certain dollar threshold, and up-to-date IT security. But the best defence for an organisation to protect itself against a BEC scam is a staff that routinely undergoes security awareness training and has been encouraged to trust their instincts.
If something seems suspicious, employees should pick up the phone and speak directly to the requester, whether that is a supplier or your business's CEO, before paying any account.
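The controls above (a multi-person approval threshold, checking that a request really comes from the partner it claims to, and confirming changed bank details by phone before paying) can be enforced in the payment workflow rather than left to memory. The following is an added example, not code from the original article or from Stratium Global; the vendor records, the approval threshold and the sample requests are constructed for illustration, and a real deployment would read them from the finance and vendor-master systems.

```python
"""Payment-request policy check implementing the BEC controls discussed above.

Illustrative example: the threshold, vendor master and requests below are
constructed for the demonstration, not taken from any real system.
"""
from dataclasses import dataclass, field

# Assumed policy values (constructed for the example).
DUAL_APPROVAL_THRESHOLD = 10_000.00   # amounts at or above this need two approvers
REQUIRED_APPROVERS = 2

# Constructed vendor master: the domains each vendor writes from and the
# bank account that was verified with them out of band (by phone, not email).
VENDOR_MASTER = {
    "acme-supplies": {
        "domains": {"acme-supplies.example"},
        "verified_account": "GB00EXAMPLE0001",
    },
}


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    beneficiary_account: str
    sender_email: str                              # address the request arrived from
    approvers: set = field(default_factory=set)    # distinct staff who signed off
    verified_by_phone: bool = False                # callback to a known-good number done?


def email_domain(address: str) -> str:
    """Domain part of an address, lower-cased so lookalikes with odd casing match nothing."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate(req: PaymentRequest) -> list:
    """Return the list of reasons the payment must be held.

    An empty list means every control in the policy is satisfied and the
    transfer may be released.
    """
    holds = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["unknown vendor: add to vendor master and verify before paying"]

    # Control 1: the sending domain must be one on record for this vendor.
    # A matching display name with a different domain is the classic spoof.
    domain = email_domain(req.sender_email)
    if domain not in vendor["domains"]:
        holds.append(f"sender domain {domain!r} not on record for vendor {req.vendor_id!r}")

    # Control 2: bank details that differ from the verified record need a phone
    # call to a number already on file, never one taken from the email itself.
    if req.beneficiary_account != vendor["verified_account"] and not req.verified_by_phone:
        holds.append("beneficiary account differs from verified record; "
                     "confirm by phone with the vendor before paying")

    # Control 3: large transfers need more than one person to approve them.
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(req.approvers) < REQUIRED_APPROVERS:
        holds.append(f"amount {req.amount:.2f} needs {REQUIRED_APPROVERS} approvers, "
                     f"have {len(req.approvers)}")
    return holds


if __name__ == "__main__":
    # Constructed sample: a large invoice from a lookalike domain (capital I for l)
    # asking for payment to a new account, with only one approver so far.
    suspicious = PaymentRequest(
        vendor_id="acme-supplies",
        amount=25_000.00,
        beneficiary_account="GB99EXAMPLE9999",
        sender_email="accounts@acme-suppIies.example",
        approvers={"alice"},
    )
    for reason in evaluate(suspicious):
        print("HOLD:", reason)
```

The check deliberately returns every failed control rather than stopping at the first, so the person reviewing the hold sees the full picture (changed account plus unfamiliar domain plus single approver is a much stronger signal than any one of them alone).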
Contact Stratium Global to find out how we can help you build a cyber security program or develop your own security awareness training.