In a recent post, we noted that 87 percent of IT decision-makers and C-level executives surveyed recently reported seeing email impersonation attacks that asked the recipient to wire money. These kinds of attacks, known as “business email compromise” (BEC), are a huge and growing problem. The FBI estimates that fraud involving BEC has cost companies more than $5 billion since 2013.
Also known as man-in-the-email attacks, BEC typically “spoofs” the email of a company executive and sends a request for a wire transfer to someone in finance or accounting. The attackers will conduct research into the company’s organizational hierarchy and identify employees who manage money and regularly initiate wire transfers. Victims think they’re getting an email from the CEO or CFO and their natural instinct is to do as they are asked.
In other cases, the attackers will find out the names of legitimate vendors and business partners that the company wires money to regularly. The attackers will pose as the supplier and send an invoice, requesting that payment be transferred to an account controlled by the fraudsters. Companies that do business overseas are often targeted.
The Securities and Exchange Commission (SEC) recently issued an investigative report on nine public companies that fell victim to BEC. Each of the companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million. Most of the money was unrecoverable.
The SEC investigated the cases because each of the companies had securities listed on a national stock exchange. Public companies are subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934, which have been found to extend to cybersecurity. The SEC report states that public entities “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” In other words, public companies are obligated to implement and maintain controls that minimize the risk of BEC and other cyber threats.
Arguably, private entities must protect against these risks as well. Federal and state laws often state that organizations must act “reasonably” with regard to cybersecurity, and the European Union has issued regulations requiring organizations to implement “appropriate” or “necessary” measures.
What can your organization due to avoid falling victim to BEC? The key is to educate employees and executives about the risk and how to identify a BEC attack. Often, the fraudulent emails come from a domain that’s slightly different from the company’s real domain or have a reply-to address that does not match the sender’s address. BEC attacks rarely have the bad grammar and spelling associated with phishing emails, but they may use European date formats or sentence construction that suggests a non-English speaker.
Even if the email is flawlessly constructed, employees should be suspicious of urgent requests from executives to wire money and to keep the request confidential. They should also question vendor requests for payment that don’t go through normal channels.
Most importantly, organizations should establish policies and procedures for verifying wire transfers. Employees should always be suspicious of email requests and use a different channel — phone, fax or in person — for confirmation. The account number for the wire transfer should be checked carefully.
ICG offers protection against BEC through the Mimecast email security platform. This solution protects against display name spoofing and domain similarity attacks, and alerts users by visibly marking suspicious emails. It is capable of detecting unknown and newly observed attacks through Mimecast’s threat intelligence infrastructure. Contact ICG to learn more.