Business email compromise (BEC) scams continue to plague corporate treasury and finance. Although by now virtually every company on the planet is aware of them, fraudsters continue to find clever ways to dupe organizations out of money by exploiting well-meaning employees.
According to Ori Eisen, founder and CEO of Trusona, banks and corporates alike are looking for some type of solution that would stop BEC scams in their tracks. The problem is, right now at least, the only way to do that is to train your employees to recognize the telltale signs and establish a protocol in which payment requests are carefully verified before any money is wired out.
One of the only things companies have been able to do is give every employee a certificate to put into their mail client, so they can sign each email. “You can know with 100 percent surety that this email is coming from your employees,” Eisen said. “But CFOs get emails all day long from vendors all over the world. How do you know it is really them? That’s a fundamental question that will plague us until we solve it.”
Trusona has been working with security consultant and reformed check forger Frank Abagnale on a tool that attempts to do just that. If CFOs and treasurers use this tool, they will know whether that email request for payment actually came from a legitimate source, Eisen said. “So you can agree that when I tell you to move $10 million, this tool will verify that it really came from me,” he said.
The tool is still in development. When a sender and a receiver both use the Trusona solution, it verifies that the email is coming from the sender it is supposed to come from. After a sender sends an email, Trusona sends a push notification directly to the sender's mobile phone and asks whether he or she sent an email with that specific subject line to the recipient. Only if the sender responds "Yes" is the email actually delivered to the recipient, together with a confirmation, via mobile push notification, that the email is legitimate. If the sender responds "No" or does not respond at all, the email never arrives.
“Just like a second factor of authentication, this is like a second factor of validation that indeed this email came from this person,” Eisen said.
Additionally, Trusona compares the domain name in the sender's address to the legitimate domain name. Many BEC scammers send emails from domain names that look very similar to legitimate ones, with one or two characters changed in order to fool recipients. “We compare it so you know if this email came from your company or not,” Eisen said.
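The look-alike domain check described above, as an added illustration that is not Trusona's code: it normalizes the sender's domain (folding a small, hypothetical set of visually confusable substrings) and flags domains within an edit distance of two of a legitimate domain. The legitimate domains and the confusable pairs are constructed example values.

```python
from email.utils import parseaddr
import unicodedata

# Constructed example: the organisation's legitimate sending domains.
LEGITIMATE_DOMAINS = {"example.com", "corp.example.com"}

# Hypothetical, non-exhaustive list of substrings that look alike in many fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Lower-case, strip combining accents, then fold confusable substrings."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for look, real in CONFUSABLES.items():
        d = d.replace(look, real)
    return d


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for an email From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unrelated"           # malformed header: never treat as legitimate
    domain = addr.rpartition("@")[2].strip().lower()
    for legit in LEGITIMATE_DOMAINS:
        if domain == legit or domain.endswith("." + legit):
            return "legitimate"      # exact match or subdomain of a known-good domain
    norm = normalize_domain(domain)
    for legit in LEGITIMATE_DOMAINS:
        target = normalize_domain(legit)
        # A Cyrillic or other non-Latin look-alike letter survives NFKD and counts
        # as one substitution, so it is still caught by the distance check.
        if norm == target or levenshtein(norm, target) <= max_distance:
            return "lookalike"       # close to a known domain but not actually it
    return "unrelated"
```

A "lookalike" result is a signal to hold the payment request for out-of-band verification, not proof of fraud on its own.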
New types of scams
Eisen also provided some examples of new versions of scams similar to traditional BEC. One involves a criminal posing as an HR executive for a company. The criminal contacts the payroll provider that the company uses and requests W2 information. “They’ve sent the entire file with every employee’s address, date of birth, etc. It’s like a gift served on a platter,” Eisen said.
Some of these social engineering scams don’t even involve email. “Let’s say you want to get the password to the CFO’s account,” Eisen said. “So you would call the mainline of the corporation and ask to be transferred to the CFO’s office. Once you’re there, you say that you were routed there by mistake and ask to be transferred to IT. The transfer to IT appears as if it came from the CFO’s office. So you tell IT that you’re calling from the CFO’s office and you say that he forgot his password and he needs it. It infiltrates the company to create the illusion that you’re calling from their office.”
Added Eisen: “I’ve been doing this for many, many years, and every month, there’s something new. It’s virtually impossible for organizations to keep on top of cybercrime on their own.”