Business e-mail compromise scam is costing companies billions—and it’s easier than you think
Companies are losing billions of dollars worldwide from a simple scam, and the FBI predicts the losses will increase. The only thing more alarming than the amount of money businesses are losing is how easy the scam is to pull off.
According to a warning published on the FBI’s website, Business Email Compromise (B.E.C.) scams have cost 17,642 victims more than $2.3 billion from October 2013 to February 2016, and that number is only going up.
The simplicity of B.E.C. scams is why experts believe they’re wreaking havoc on companies in 108 countries. Scammers start by phishing a CEO and getting access to their email. Posing as the CEO, they then send the company’s financial officer or accountant a message requesting an urgent wire transfer to a “new” account. Thinking that the request is coming from “the boss”, the employee immediately wires the money to the account, and the scammers cash in before anyone knows what happened. Crooks have been so successful using this scam that the FBI has seen a 270% increase since January 2015. Each successful scam costs companies an average of $120,000 in losses, with some losing as much as $90 million.
Because the fraudulent emails aren’t sent en masse, and the spoofed addresses don’t set off red flags in standard spam-blocking software, B.E.C. scams are easier to pull off than most others. By assuming employees won’t question a CEO’s reason for transferring large sums of cash into a strange account, the crooks dodge bank security measures altogether by getting the employee to do the dirty work of actually making the deposit.
Though it’s obvious how a huge monetary loss can be detrimental, the hit to a company’s reputation can be even worse for its bottom line. Being a victim of a B.E.C. (or any) scam can irreparably damage the trust of investors and clients. A loss of $90 million because of a single email doesn’t look good on a quarterly finance report, and could make current and potential clients think twice about working with the company.
To add insult to injury, cyber insurers aren’t covering the losses from B.E.C. scams. Security expert Brian Krebs reported on his blog that a Texas manufacturing firm took its insurer to court after the insurer refused to cover a $480,000 loss from a B.E.C. scam. The insurer noted that since the employee made the transfer, there was no actual “forgery of a financial instrument”, even though the pretense for the transfer was fraudulent. The best bet for any business is to take extra precautions to ensure these kinds of messages never make it into an employee’s inbox.
You can decrease the likelihood of becoming a victim of B.E.C. scams by adding anti-spoofing technology to existing security measures to protect against phishing. Also, make sure to register domains that are slightly different from the company’s official domain, so scammers can’t create a similar email address. Inform employees of the scam, and insist that they be wary of e-mail-only wire-transfer requests. Finally, by creating multi-level authentication processes for any transfer of funds, you’ll be able to catch any attacks before the funds have been sent.
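As an added illustration (not code from the FBI warning or from any product mentioned here), the Python sketch below shows how a mail gateway rule could combine these precautions: it flags sender domains that are near-misses of the company domain, executive display names on external addresses, and payment wording that should trigger a second verification step. The domain `acme-corp.example`, the executive name, the keyword list and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "acme-corp.example"   # assumption: the organisation's real domain
EXECUTIVES = {"jane doe"}              # assumption: display names worth protecting
PAYMENT_WORDS = ("wire transfer", "new account", "urgent")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw):
    """Return the list of B.E.C. warning signs found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    flags = []
    external = domain != COMPANY_DOMAIN
    if external and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    if external and name.lower() in EXECUTIVES:
        flags.append("executive-name-external-sender")
    if reply_domain and reply_domain != domain:
        flags.append("reply-to-mismatch")
    if any(word in text for word in PAYMENT_WORDS):
        flags.append("payment-request")
    return flags

def needs_out_of_band_check(raw):
    """E-mail-only payment requests always go to a second verification step."""
    return "payment-request" in bec_flags(raw)

# Constructed samples. COMPROMISED stands for mail sent from the CEO's real mailbox.
BODY = "\n\nPlease send a wire transfer to the new account today.\n"
SPOOFED = "From: Jane Doe <jane.doe@acme-c0rp.example>\nSubject: Urgent" + BODY
COMPROMISED = "From: Jane Doe <jane.doe@acme-corp.example>\nSubject: Payment" + BODY
ROUTINE = "From: Jane Doe <jane.doe@acme-corp.example>\nSubject: Monday\n\nAgenda attached.\n"

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("routine", ROUTINE)):
        print(label, bec_flags(raw), needs_out_of_band_check(raw))
```

The message sent from the CEO's genuinely compromised mailbox raises no sender-based flag at all, which is why the payment-wording check routes it to a second approver regardless of who appears to have sent it.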