While companies aggressively guard the network perimeter to reduce the risk of a large-scale cyberattack, employees can unwittingly open the front door to criminals who rely on social engineering. These tactics range from email schemes that require no sophisticated technology at all to malware attacks that can put a company's funds at serious risk. Recent industry and law enforcement data confirm thousands of business email compromise (BEC) and malware cases each month, with the average loss in the hundreds of thousands of dollars. Understanding how these fraud schemes are designed to compromise your business, and acting to prevent them, is critical to your defensive strategy.
Know the enemy
Reported payments fraud attempts attributable to malware or BEC scams have risen in recent years. The individuals perpetrating these crimes are often well-funded members of organized crime, not the lone thrill-seeking hackers portrayed in the movies. Their mission is to trick one employee into giving up corporate online banking credentials so that the criminals can log in and move funds themselves, or to trick an employee into sending funds to an account the criminals control.
In some instances, an employee unknowingly installs financial malware by opening an attachment or clicking on a link in an email crafted to entice the recipient to act. The next time the employee visits the bank's online banking portal, the malware redirects the browser to a fake page that looks identical to the real website, or inserts extra fields into the real page. When the employee enters his or her genuine banking credentials, those credentials are delivered to the criminals.
In yet another malicious scheme, the criminals send fraudulent payment initiation requests, or requests to update payment instructions, from a compromised email account or a forged ("spoofed") sender address. These emails typically appear to come from a company executive or from a known external partner, such as a supplier, and often contain convincing details about the company's business harvested from the compromised mailbox or from social media. Once a payment is executed under the fake instructions, the fraud has succeeded and the funds are usually gone.
Learn the warning signs
At the top of the list of defensive actions against email compromise is training employees to recognize the warning signs of these all-too-common attacks. Below are several signs of a fraudulent email scheme:
- Email that claims to be from an executive at your company requesting staff to initiate an urgent, time-sensitive, and/or “confidential” payment
- Email that appears to be from a peer or executive requesting that established payment initiation or approval procedures be bypassed
- Email from a supplier or other external partner requesting a change to established payment routing instructions for an upcoming payment
- A threatening message associated with the email request. For example, the sender may say that failure to respond or comply could be grounds for termination.
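The warning signs above, together with the spoofed-sender and compromised-account schemes described earlier, can be turned into a first-pass triage check that a payments team or mail gateway runs before anyone acts on a request. The script below is an added example, not code from the article or from PNC or AFP. It parses a raw message and reports which indicators it finds: an executive's display name on an address that is not the one in the directory, a sender domain one or two characters away from a domain on file, a Reply-To that diverts answers to a different domain, and body text that pressures for urgency or secrecy, asks to bypass approval, changes payment routing, or threatens the recipient. The company domain, executive directory, supplier list and the three sample messages are all constructed for the example.

```python
"""Heuristic BEC triage for inbound payment-related email.

Added example, not code from the original article or from PNC/AFP.
All domains, names and sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data: our own domain, an executive directory and the
# supplier domains already on file in the vendor master.
OUR_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
KNOWN_SUPPLIER_DOMAINS = {"acme-supply.com"}

# Content patterns. The 40-character window keeps phrases such as
# "skip the usual approval" together without matching across unrelated text.
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential|do not (discuss|tell))\b", re.I)
BYPASS = re.compile(r"\b(skip|bypass|without)\b.{0,40}?\b(approval|procedure|verification|second signer|call[- ]?back)\b", re.I | re.S)
ROUTING_CHANGE = re.compile(r"\b(new|updated?|changed?)\b.{0,40}?\b(bank|account|routing|wire|remittance|beneficiary)\b", re.I | re.S)
THREAT = re.compile(r"\b(terminat(ion|ed)|disciplinary|consequences)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return a list of (indicator, detail) pairs; an empty list means nothing was flagged.

    The header checks catch spoofed and lookalike senders. A genuinely compromised
    account passes them, which is why the content checks exist and why a verbal
    call-back to a number already on file remains the real control.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()  # plain-text body assumed
    findings = []

    # Executive display name on an address other than the directory entry.
    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    if exec_addr and from_addr.lower() != exec_addr:
        findings.append(("exec-name-mismatch", f"'{from_name}' sent from {from_addr}"))

    # Sender domain that is close to, but not equal to, a domain we trust.
    for trusted in {OUR_DOMAIN} | KNOWN_SUPPLIER_DOMAINS:
        if from_dom != trusted and 0 < edit_distance(from_dom, trusted) <= 2:
            findings.append(("lookalike-domain", f"{from_dom} resembles {trusted}"))

    # Reply-To pointing somewhere other than the visible sender's domain.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(("reply-to-mismatch", f"replies go to {reply_addr}"))

    for code, pattern in (("urgency", URGENCY), ("bypass-procedure", BYPASS),
                          ("routing-change", ROUTING_CHANGE), ("threat", THREAT)):
        match = pattern.search(text)
        if match:
            findings.append((code, match.group(0)))
    return findings


# Constructed sample messages.
SPOOFED_CEO = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
To: ap@example-corp.com
Subject: Urgent wire - confidential

I need you to process a wire today. Please skip the usual approval; I will
sign off later. Failure to respond could be grounds for termination.
"""

SUPPLIER_CHANGE = """\
From: Accounts <billing@acme-supply.com>
Reply-To: billing@acme-supply-invoices.com
To: ap@example-corp.com
Subject: Updated remittance details for invoice 4471

Our bank account has changed. Use the new routing number below for all
future payments.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Q3 vendor review

Attached is the agenda for Thursday's vendor review meeting.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed CEO", SPOOFED_CEO), ("supplier change", SUPPLIER_CHANGE), ("benign", BENIGN)):
        print(label, triage(sample))
```

The supplier sample is the instructive one: the From address is the real supplier domain, so every sender check passes and only the diverted Reply-To and the routing-change language give it away. That is the compromised-account case, and no amount of header inspection replaces calling the supplier at the number already in the vendor master. In a real deployment the directory and supplier list would come from the HR system and vendor master rather than literals, and a non-empty result should trigger the call-back procedure, not an automatic block.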
Recognizable warning signs that malware is installed on a device include:
- Unusual delays during a typical login experience
- The online workflow is different than normally experienced
- A “System Unavailable” message presented after login
- The end user is asked to have an additional operator login from the device.
To defeat these increasingly sophisticated fraud attempts, companies must establish detailed policies and procedures and implement rigorous controls for payment initiation, supplier management, and invoice processing. They should institute a zero-tolerance policy for requests to bypass established procedures when initiating payments or changing payment instructions. Employees should also be required to confirm any emailed request to initiate a payment or change payment instructions verbally, with a trusted contact at a telephone number already on file, never a number supplied in the email itself. Further safeguards include:
- Verify the authenticity of any unexpected communication before opening attachments or clicking on links. Call the sender at a telephone number you already have on file, or write to a known address that is not the one the suspicious message came from; if the sender's mailbox has been compromised, a reply to the original message goes straight to the criminal.
- Use a dedicated computer for payment initiation and online banking access. The computer should have no email access and should be restricted to the websites needed for banking.
- Install malware detection and prevention software on every device used for payments, and keep it updated.
Reinforce your foot soldiers in the battle: keep your employees up to date on evolving fraud schemes and train them to recognize potentially malicious activity. As defenses improve, criminals innovate new forms of attack. Talk with your corporate bankers regularly about the latest known fraud schemes and the tools available to protect your business against them. Most importantly, contact your bankers immediately about any suspicious behavior during an online banking session or any potentially unauthorized transaction.
Howard Forman is senior vice president and PINACLE product group manager at PNC Bank, N.A.
The views expressed by Forman are his own, and this article was prepared for general informational purposes only and does not purport to be comprehensive. The information and views in this publication do not constitute legal, tax, financial or accounting advice or recommendations to engage in any transaction. The views expressed in this update are subject to change due to market conditions and other factors.