BEC Scams Have a New M.O.; Proactive Employee Training Is One of Your Best Defenses

There’s nothing new about Nigerian prince scam emails – they usually follow the same pattern of someone needing help moving millions of dollars from an African country and the promise of a sizable cut of the money to the unfortunate victim.

If you read through those emails, it is often too easy to make fun of the victims: the grammatical blunders, unverifiable stories, and hasty requests for personal information or money are more than enough red flags. Yet thousands of people fall victim to these scams every year; some experts estimate that these scams still rake in more than $700,000 every year. And yes, when we read about these scams in the news, we often have no reservations about blaming the victims for being greedy, stupid, or both.

However, while you sit in the comfort of your corner office, criminals are developing ingenious ways to trick businesses and their employees out of millions of dollars through carefully orchestrated Business Email Compromise (BEC) or Email Account Compromise (EAC) scams. You may be immune to Nigerian prince scams, but the success of BEC scams in the last six years suggests that they pose significant risk to your business.

Interestingly, while Nigerian prince scams tend to target gullible individuals, BEC scams often target the world’s largest corporations. Last year, a European subsidiary of Toyota Motor Corporation (TM), Toyota Boshoku Corporation, became a victim of a BEC scam. In that scam, the criminals succeeded in tricking a Toyota worker into wiring a massive $37 million to a foreign account.

Last quarter, the FBI issued a public service announcement revealing that the domestic and international exposed dollar loss from BEC scams was a massive $26.2 trillion between October 2013 and July 2019. The more frightening part of the statistics is that they were collated only from victim complaints within that period; they do not account for unreported or yet-to-be-detected scams.

Payroll fraud is one of the most potent use cases in which criminals apply BEC scams with ruthless efficacy. To perpetrate payroll fraud, criminals target the company or its employees in the HR, finance, operations, or tax departments. These BEC scams are often “intelligently designed” to trick companies, or the employees in charge of fund transfers, into making payments into the wrong accounts. In other instances, the scam might be designed to gain access to private information such as Wage and Tax Statement (W-2) forms.

Unfortunately, the fact that you have antivirus protection, firewalls, and other standard cybersecurity tools won’t necessarily guarantee protection if your organization becomes the target of BEC scams.

In the image above, unless you take an extra minute to look at the email address in the From field, the email looks like a legitimate message that an employee would send to the accounts department. If your employees are overworked or disinterested in their jobs, it is very easy to hit the “reply” button and continue the correspondence with whoever is behind the scam email.
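One way to automate the From-field check described above, as an added example that is not part of the article: it flags a sender domain that is a look-alike of the company's own domain and a Reply-To that points elsewhere. The company domain, the sample headers, and the two-character edit-distance threshold are assumptions made for the example.

```python
# Added example (not from the article): flag BEC-style sender spoofing in
# email headers. Assumes COMPANY_DOMAIN is the organisation's real domain.
from email.parser import HeaderParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"   # assumption for the example
LOOKALIKE_MAX_DISTANCE = 2            # assumed threshold for "looks like ours"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw_headers: str) -> list:
    """Return a list of human-readable findings; an empty list means no red flags."""
    findings = []
    msg = HeaderParser().parsestr(raw_headers)
    _name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != COMPANY_DOMAIN:
        dist = levenshtein(from_domain, COMPANY_DOMAIN)
        kind = "lookalike" if dist <= LOOKALIKE_MAX_DISTANCE else "external"
        findings.append(f"From domain '{from_domain}' is {kind} (edit distance {dist})")
    # A Reply-To on a different domain silently routes the conversation elsewhere.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To '{reply_to}' differs from From domain '{from_domain}'")
    return findings


# Constructed sample headers: the digit 1 replaces the letter l in the domain.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jane.doe@mail-relay.example.net>
To: accounts@example-corp.com
Subject: Updated direct deposit details

"""
LEGITIMATE = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Updated direct deposit details

"""

if __name__ == "__main__":
    for label, hdrs in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, check_headers(hdrs) or ["no findings"])
```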

One of the defences that businesses can mount against BEC scams is to proactively invest in employee training and development. Businesses would do well to train their employees on how to spot BEC scam emails and on other cybersecurity best practices in an increasingly digital world.

Secondly, businesses should be intentional about conducting regular stress testing and audits of their systems and processes to spot cybercrime vulnerabilities in good time. For instance, if you don't have 2-factor authentication to verify changes in account details, you could incur steep financial and reputational losses. The FBI reports that the average dollar loss per BEC complaint was $7,904; you can do the maths if cyber criminals perpetrate hundreds or thousands of similar scams on your business.

For example, in 2016 news broke that a Wall Street investment fund, Tillage Commodities Fund, had taken a Wall Street tech company, SS&C Technologies Holdings (SSNC), to court after the latter lost $6M of the former’s money in a BEC scam. The lawsuit held that an SS&C employee failed to follow established procedure, which caused him to unwittingly wire funds to a scammer’s account.

Once the news of the vulnerability broke, SS&C suffered a reputational hit that caused its share price to tank for much of the quarter. At the end of Q4 2016, shares of the company had lost 14%, whereas the industry gained almost 3% in the same period.

Thirdly, businesses should not shy away from segregating financial duties, even though it could require them to hire more staff and incur additional payroll expenses. No single individual should have full control over your payroll or accounts. Centralizing financial control is highly risky from both the cybersecurity and logistics standpoints.

According to the FBI, perpetrators of BEC scams sometimes send the same email to multiple employees in a dragnet style that all but guarantees at least one employee will be careless enough to take the bait. The FBI encourages businesses to educate all their employees about BEC scams, irrespective of whether they work in the accounts department.

Sometimes, BEC scams are not intended to steal money through payroll fraud. They are sometimes cloaked in phishing scams designed to harvest login credentials, which can then be used to access a company’s database. Unfortunately, scams designed to facilitate unauthorized access to data can be harder to spot: they may go undetected for long periods and may have far-reaching implications for the business, its employees, partners, and other stakeholders.

Criminals are becoming increasingly creative in their modus operandi; you can’t afford to be overconfident in your ability to spot and avoid scams.

Image by StartupStockPhotos from Pixabay
