BUSINESS EMAIL COMPROMISE
Veritex Bank has seen an increase in the incidences of Business Email Compromise and wants to protect you, our customer, from falling victim to this type of criminal activity. The approaching vacation season, with more executives and employees out of the office, leaves businesses exposed to vulnerabilities and attacks by fraudsters. It is our goal to not only serve your financial needs, but to protect your business from falling prey and being victimized by fraudsters. Here’s the latest on this emerging trend.
What is Business Email Compromise (BEC)? BEC refers to social engineering attacks used to convince those in charge of finances at an organization to send large payments to fraudsters. These attacks are carried out over email conversations initiated by a scammer who spoofs the identity of an executive within the organization or a vendor requesting payment. Victims of the BEC scam range from small businesses to large corporations.
HOW TO IDENTIFY A FRAUDULENT EMAIL
Deceptive Characters: It will appear similar to the person’s normal email address but will have different characters that mimic the legitimate email address.
Example: email@example.com vs. firstname.lastname@example.org
Incorrect Punctuation: Compare the email address to a previously verified message to make sure the punctuation is in the right place.
Example: email@example.com vs. firstname.lastname@example.org
Misspelling: Look for typos within the email address to see if it is a fake email address.
Example: email@example.com vs. firstname.lastname@example.org
Bad Grammar: Fraudsters typically use bad grammar and unusual language in the body of the email. Ask yourself if the email sounds normal for the person who initiated it.
Examples: “It’s really important this money goes out but I’m not available so don’t call me just email me.”
“I need this done today but I’m at the doctor’s office. You can reach me through email.”
Urgency and Secrecy: Many times, the fraudster will try to get the recipient to rush to send the funds, hoping to get the money sent before they are detected. Be suspicious of emails that request all correspondence stay within the same email thread, such as “Only use Reply, not Forward”. These should be confirmed with a phone call.
Examples: “Make this one-time exception. I really need to get this done ASAP.”
“I’m out of town and this must be sent immediately. This must be kept confidential because it’s for a top-secret business deal.”
BEST PRACTICES FOR BUSINESSES TO PREVENT AND DETECT BEC
CONFIRM: Call the executive or the client and do not send the funds until the request has been confirmed. Do not use a phone number from the suspicious email. Always use a phone number from a verified source.
CALL: DO NOT email the client to confirm their request. If their computer has been hacked, you will likely be communicating with the suspect. Use only a known phone number.
CHECK: Check for changes in business practices and consistency with previous requests. Is this a normal payment and type of communication from the executive or vendor? If the request is from a vendor, check for changes to business practices.
COACH: Coach your employees and executives. Executives need to be tolerant and supportive of employees double-checking requests. Make sure your employees are trained to understand BEC.
CONTROLS: Establish controls such as limiting the number of employees who have the authority to submit or approve wire transfers and ACH payments. Implement dual control for financial transactions. Implement a callback policy for financial transactions as well. Use a purchase order model for wire transfers and ACH payments. Establish a company domain for company email instead of using open email services such as Gmail or Yahoo. Consider who needs access to email when they are not in the office. Be careful what is posted to social media and company websites.
THE DEFENSE: BEST PRACTICES FOR BUSINESSES TO DETECT BEC CHECK
- Check for correct email addresses
- Check for requests for secrecy or urgency
- Check for consistency with earlier wire payments
- Use an alternate communications channel
- Ask the CEO
- Implement dual controls
- Coach your employees
- Coach your executives
- Be conscious of how information on website and social media can be used
- Trust your financial institution