How to Prevent Business Email Compromise at Your Business

Preventing Business Email Compromise

Business email compromise (BEC) is a dangerous threat facing businesses. It exploits the fact that so many of us rely on email to conduct business—both personal and professional. This type of fraud is often conducted by sophisticated organized crime groups who use email to impersonate executives or vendors to trick businesses into sending money to an account they control.
 

How Criminals Carry Out BEC Scams

A scammer might:

• Spoof an email account or website. Slight variations on legitimate addresses ([email protected] vs. [email protected]) fool victims into thinking fake accounts are authentic.
• Send spearphishing emails. These messages look like they’re from a trusted sender and are designed to trick victims into revealing confidential information. Once they have access to this information, criminals can view company accounts, calendars, and other data that gives them the details they need to carry out the BEC schemes.
• Use malware. Malicious software, a.k.a. malware, can infiltrate company networks and gain criminals access to legitimate email threads containing billing and invoice data. Users may unknowingly encounter malware through infected links or websites. This information is then used replicate and authenticate payment requests so accountants or financial officers don’t question the request. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.

Protecting your business from devastating BEC fraud losses requires a partnership between you and your bank. That’s why at SouthState we created a guide that gives you the tools to assist in protecting your business from these types of attacks.

Below are some common BEC scams:

BEC Example: Compromised Vendor Email

1. Scammer sends phishing email to vendor with instructions to click on a link
2. Vendor clicks link that downloads malware to the vendor’s computer, giving control of email to scammer
3. Scammer creates an email forwarding rule that sends them copies of all emails with words like “payments, invoice, ACH or wire” to him
4. Scammer flags legitimate invoice from a vendor
5. Scammer uses vendor’s compromised email to send you invoice with fraudulent payment instructions
6. You pay the invoice, sending payment to the scammer instead of the vendor

Prevention key: Calling the vendor to confirm the payment instructions
 

BEC Example: Compromised Business Email – Accounting

1. Scammer sends a phishing email to accounting manager
2. Accounting manager clicks link that downloads malware to the vendor’s computer, giving control of email to scammer
3. Scammer learns you are expecting large invoice from vendor
4. Scammer creates “look-alike domain,” or email address deceptively similar to your vendor’s legitimate email address
5. Scammer sends legitimate invoice information with fraudulent payment instructions
6. Accounting manager pays invoice, sending funds to fraudulent account

Prevention key: Calling the vendor to confirm the payment instructions
 

BEC Example: Compromised Business Email – CFO

1. Scammer sends a phishing email to CFO with instructions to reference an included attachment
2. CFO opens the malicious attachment, giving the scammer control of their email
3. Scammer uses compromised email account to send accounting manager a substantial wire request
4. Scammer claims CFO is in a meeting and the request is urgent
5. Accounting manager follows instructions and wires money to the scammer’s account

Prevention key: Do not wire funds without verification by calling CFO
 

How to Protect Yourself Against BEC Attacks

Protecting against BEC attacks requires successfully implementing and executing many important controls. The most critical control is a properly executed callback to verify requests. It is essential a phone call is made to verify payment requests and change payment instructions. The phone number used for this callback should never be one that is provided in an email or text. Instead, it should always be a trusted phone number you already have on file for the actual individual sending the request.

These additional controls can help to protect your business against BEC attacks:

• Train all employees in information security best practices, such as how to detect and report phishing attacks.
• Train anyone involved with payments on the dangers of BEC attacks, the controls your organization has in place, and how to respond if your organization falls victim.
• Consider engaging a third-party brand protection service to actively look for look-alike domains impersonating your email domain. These domains can be used to trick your employees or your business partners as part of a BEC attack.
• Train employees to take phone calls from SouthState Bank to discuss unusual transactions seriously. This is an opportunity to pause and validate that proper controls, including callback verification, have been followed. This could be your last chance to avoid an unrecoverable fraud loss.
• Validate all requests to add/update contact information, such as phone numbers, emails, or mailing addresses, the same way you would a request for payment – with callback verification. Scammers may attempt to change phone numbers for someone they are impersonating before they launch a BEC attack, or they may attempt to trick you into changing an address so that a high-dollar check is sent to them instead of your intended recipient.
• Use a trusted phone number from existing internal records instead of numbers obtained from an invoice or email. Scammers can replicate invoice and email templates.
• Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
• Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
• Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
• Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
• Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
• Develop a response plan in case you fall victim to an attack.

BEC Scam Red Flags

• Vendor requests to switch payment accounts due to a seemingly implausible reason such as audit or tax issue
• Vendor requests several account changes in a short period of time
• Uncommon or misused phrases. One example is “Kindly send a wire” instead of “please send wire to..” Kindly is an unusual word in North America, but very common for overseas fraudsters to use in BEC attacks.
• Emails are sent at unusual times and outside of normal business hours.

 

Look-alike Domains

In some cases, fraudsters will use deceptive email domains to trick readers into thinking an email came from a legitimate source. They may combine, drop or add one letter.

Correct domain: [email protected]
Fradulent examples:

• JohnSmith@XYZCompanys.com
• JohnSmith@XYZCompny.com
• JohnSmith@XYZCompnay.com

 

How to Respond if Your Business Falls Victim to BEC Attacks

If you discover your organization has fallen victim to a BEC attack, it’s critical you take immediate action to maximize chances of recovering funds.

1. Notify SouthState Bank immediately so we can contact the beneficiary bank and request the return of funds.
2. File a report with the FBI’s Internet Crime Complaint Center at IC3.gov.
3. Contact your local FBI field office. In some cases, the FBI can assist victims of BEC attacks in recovering funds.
4. If the FBI will not get involved with the recovery process, contact your local United States Secret Service field office to determine if they can assist with the recovery of funds.
5. Contact your state and local law enforcement agencies to notify them of the attack. In some rare circumstances, state and local law enforcement may also assist with the recovery of funds.
6. Contact your information technology or information security provider to let them know about the incident. You might have a compromised email or compromised computer network that needs to be secured to prevent further attacks against your organization.
7. Review other recent payments to determine whether they went to the intended recipient and look for any other suspicious activity.

If you sent funds overseas, you should also consider contacting the appropriate national law enforcement agency in the country where the beneficiary bank resides. You should also consider retaining legal counsel who has a presence in that country to assist with the recovery process.

SouthState Bank will use all resources at its disposal to attempt to recover stolen funds. However, a full recovery of funds is unlikely, especially if the Bank is not notified immediately. Even when funds are available for recovery, in most situations, it can take 30 to 90 days or more for the beneficiary bank to send back funds.

As a reminder, please contact our Treasury Management Support team at [email protected] or (877) 840-8588 should you ever have concerns about the safety of your account(s).