Tips for Protecting Your Business
Best Practices For Businesses to Detect the Business Email Compromise Scam
BEC is an acronym for “business email compromise” and refers to social engineering attacks used to convince those in charge of finances at an organization to send large payments to scammers. These attacks are carried out over email conversations initiated by a scammer who spoofs the identity of an executive at the organization. For your protection, you should always carefully monitor your bank accounts for fraudulent activity. If you ever see anything unusual, immediately call Veritex Customer Service at 833-837-4839.
Confirm the E-Mail Request
Check any email request to see if it is consistent with how earlier wire payments have been requested. Is this normal activity for the executive making the request?
- Be suspicious of requests for secrecy or urgency. Emails that insist all correspondence stay within the same email thread (for example, “Only use Reply, not Forward”) should be confirmed with a phone call.
- If a payment request is from a vendor, check for changes to business practices. Is this type of communication and payment request typical for this vendor? Use an alternate mechanism to verify the identity of the person requesting the funds transfer. If the request is an email or fax, then call and speak to the person using a known phone number to get a verbal confirmation. If the request is via phone call, then confirm using a known email address. NEVER reply to the email or use the phone number in the email.
- Look carefully for small changes in email addresses that mimic legitimate email addresses. For example, .co vs. .com, or abc-company.com vs. abc_company.com. If you receive an email that looks suspicious, forward it to your IT department for review.
- Limit the number of employees who have the authority to submit or approve wire transfers.
- Implement dual approvals for financial transactions. Avoid having the two parties responsible for dual approvals in a supervisor/subordinate relationship, as it could undermine the effectiveness of the process. Once they’re in place, be sure to always follow established procedures.
- Use a purchase order model for wire transfers. This will help ensure that all payments have an order reference number that can be verified before approval.
- Establish a company domain for company email instead of using free, publicly available webmail services such as Gmail or Yahoo. Businesses that use such services are the most frequently targeted by scammers.
- Consider who really needs access to email when they are not in the office. If you don’t need web access to email, turn webmail off as it provides another attack point for criminals. If you must provide web access to email, limit accessibility by implementing VPN or another security control.
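One way to put the lookalike-address check from this list into practice is a small screening script run over the sender addresses of incoming payment requests. The helper below is an added example, not part of the original page or of Veritex’s systems: the trusted domain list and every sample address are constructed for illustration, and the 0.85 similarity threshold is an assumed tuning value. It treats the separator and top-level-domain swaps named above (.co vs. .com, abc-company.com vs. abc_company.com) as lookalikes, and also catches single-character substitutions.

```python
"""Flag sender domains that resemble, but are not, a trusted company domain.

Added example for the BEC checklist above; the trusted list, the sample
addresses and the similarity threshold are all constructed assumptions.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample: the domains this business and its known vendors send from.
TRUSTED_DOMAINS = {"abc-company.com", "veritexbank.com"}


def sender_domain(header_value):
    """Extract the lowercase domain from a From: value such as 'Jane <j@x.com>'."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def canonical_body(domain):
    """Drop the top-level domain and the separators scammers swap (- _ .).

    'abc-company.co', 'abc_company.com' and 'abc.company.com' all collapse to
    'abccompany', so they compare equal to the trusted 'abc-company.com'.
    """
    labels = domain.split(".")
    body = ".".join(labels[:-1]) if len(labels) > 1 else domain
    return body.replace("-", "").replace("_", "").replace(".", "")


def classify_sender(header_value, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return 'trusted', 'lookalike' or 'external' for one From: header value."""
    domain = sender_domain(header_value)
    for good in trusted:
        # Exact match, or a subdomain of a trusted domain, is genuinely ours.
        if domain == good or domain.endswith("." + good):
            return "trusted"
    canon = canonical_body(domain)
    for good in trusted:
        good_canon = canonical_body(good)
        if canon == good_canon:
            return "lookalike"  # same name, different separators or TLD
        # Near-miss spellings such as a digit 0 in place of the letter o.
        if SequenceMatcher(None, canon, good_canon).ratio() >= threshold:
            return "lookalike"
    return "external"


def screen_requests(header_values, trusted=TRUSTED_DOMAINS):
    """Return the subset of From: values that should be verified by phone."""
    return [h for h in header_values if classify_sender(h, trusted) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample From: headers, not real messages.
    samples = [
        "CFO <cfo@abc-company.com>",
        "Jane Doe <jane@abc-company.co>",
        "Accounts Payable <ap@abc_company.com>",
        "CEO <ceo@abc-c0mpany.com>",
        "IT Desk <it@mail.abc-company.com>",
        "Sales <sales@supplier-corp.net>",
    ]
    for h in samples:
        print(f"{classify_sender(h):9s}  {h}")
    print("Verify by phone:", screen_requests(samples))
```

The script only answers the question “does this address merely look like one of ours?”; an address that passes as trusted still needs the out-of-band confirmation the checklist calls for, because a genuinely compromised mailbox sends from the real domain.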
Training is Key
- Spread the word. Coach your employees about Business E-Mail Compromises and the warning signs. Alert receptionists, admins, and others not to provide executives’ travel schedules over the phone to unknown callers. Encourage employees to ask questions.
- Be careful what is posted to social media and company websites. Do not post scheduling details for executives as criminals have been known to launch these attacks when they know an executive is traveling.
- Slow down and be suspicious of requests to take action quickly.
- Trust your financial institution. If they question a payment, it’s worth a couple of minutes to cooperate with them to confirm it is legitimate.
- Executives need to be tolerant, indeed supportive, of employees double-checking requests.
What To Do If You're Hit By the Scam
Report the Attack
Businesses that have been victimized by the BEC scam are encouraged to file a report with the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov or contact their local FBI office. Additionally, they should contact their financial institution and report the attack to them as well.
Timing is Critical
If notified immediately, financial institutions and law enforcement have a better chance of recovering the stolen funds. Waiting even 24 hours to report an incident can greatly diminish law enforcement’s ability to recoup funds.
- When reporting the incident to law enforcement, identify the complaint as “Business Email Compromise” or “BEC” and provide:
  - A general description of this crime, how and when it occurred
  - Header information from the email message the executive sent internally to request the funds transfer
  - The specific wiring instructions, including beneficiary and account details for where the transfer was to be sent
  - Attempted and actual loss amounts
  - Other relevant information you believe is necessary to support your complaint
You will not be able to add or upload attachments with your IC3 complaint if it’s filed online; however, retain all relevant information in the event you are contacted by law enforcement.
Complete an Internal Review
Businesses are encouraged to conduct an internal review to determine how the attack occurred and if changes are needed. Specifically:
- Was the email system hacked? If so, are additional protections in order?
- What actually happened, and who was involved? This may indicate where training is needed or if there might actually be an insider element to the attack, although this is rare.
- What allowed the attack to happen? Do processes and controls need to be revised to prevent such a loss again?