Everything You Need to Know to Avoid a BEC Scam

BEC Scams Are On The Rise. Take These Steps To Protect Your NJ Company

BEC scams account for over $1.3 billion in business losses. Staying safe from business email compromises starts with understanding how they really work.

The BEC scam is yet another thread in the ongoing web of cybercrime. Masquerading as a professional email from CEOs, CFOs, and other executives, the scam uses deception to swindle companies out of thousands—if not millions—of dollars.

Business Email Compromise scams are not new to the scene, but they are growing in quantity and effectiveness. The FBI reported that BEC complaints doubled between 2017 and 2018, and nearly $1.3 billion in losses has been reported. One county in North Carolina lost a massive $1.7 million in a single BEC scam, while the city of Ocala in Florida managed to catch onto the scam after sending several hundred thousand in wire transfers to a fraudulent account.

How Do BEC Scams Work?

Like many forms of cybercrime, the Business Email Compromise scam uses a combination of phishing emails and social engineering. Cybercriminals who use BEC have usually done their research. They know which projects are under way at the company, the names and contact details of its vendors, and which employee is most likely to act on a payment request.

The scam emails will often be directed at the person responsible for paying invoices. The professional-looking correspondence can take on a variety of forms:

  • A spoofed email that makes the victim believe he or she is corresponding with the CEO of their company. The victim is then asked to share sensitive financial information or access to accounts.
  • Spear-phishing: a spoofed email that appears to come from a trusted vendor, asking to change the wire details for upcoming invoice payments.
  • Malware that gives the criminal undetected access to the victim's data, including bank account information.

How Do You Avoid Getting Scammed?

Much like other cybersecurity issues, staying ahead of BEC scammers requires a combination of security structure and human education. The FBI provides detailed information on how to avoid getting caught in this type of cybercrime.

  • Set up an intrusion detection system to flag spoofed emails. These systems can also flag messages whose "Reply-To" address differs from the "From" address.
  • Work with staff to learn how to detect various red flags that appear in BEC scams. These include poor grammar or misspelled words, strange requests—particularly for financial information, and email addresses that seem slightly off. In the case of the city of Ocala, the email supposedly came from a vendor, providing updated banking information for a project they were working on for the city. The criminal used the name of a former employee and a domain that was one letter off from the domain of the actual vendor. That one letter—or dot, dash, ampersand—can be a significant clue that you are dealing with a BEC scam.
  • Confirm requests for money by establishing a verification process. The most secure way to verify that a request is valid is to call the sender, using a phone number you already have on file rather than one taken from the email. A quick call or conversation with your vendor, CEO, or executive will tell you whether you are looking at a scam.
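As an added defender-side example (not code from the original article), the two red flags named above, a "Reply-To" that does not match "From" and a vendor domain one character off from the real one, run over a constructed message; the addresses, domains and the edit-distance threshold are assumptions for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample message modelled on the pattern described above:
# a look-alike vendor domain plus a Reply-To that differs from From.
SAMPLE_MESSAGE = """\
From: Accounts Payable <ap@examp1e-vendor.com>
Reply-To: billing-update@mail-relay.example
To: finance@city.example
Subject: Updated banking details for project invoice

Please route the next payment to our new account.
"""

# Domains the finance team legitimately corresponds with (constructed).
KNOWN_DOMAINS = {"example-vendor.com", "city.example"}
MAX_EDITS = 1  # assumption: one changed/added/removed character counts as a look-alike


def edit_distance(a, b):
    """Levenshtein distance: single-character insertions, deletions and
    substitutions each cost 1, so a one-letter-off domain scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def bec_red_flags(raw_message, known_domains=KNOWN_DOMAINS):
    """Return a list of red-flag descriptions for the message (empty list = none)."""
    msg = email.message_from_string(raw_message)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # Flag 1: replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    # Flag 2: sender domain is close to, but not identical to, a known domain.
    for known in known_domains:
        if from_dom != known and edit_distance(from_dom, known) <= MAX_EDITS:
            flags.append(f"from domain {from_dom} resembles known domain {known}")
    return flags
```

A real deployment would feed this the headers of inbound messages to the accounts-payable mailbox and route flagged ones to the verification step above.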

Staying Alert to Cybercrime

So many of today's cybercriminals are using similar tactics of social engineering and deception. The best way to protect yourself and your company from becoming a victim is to be aware of the latest BEC trends and practices. Close monitoring of emails, requests, and pesky grammar could just be the thing that keeps you from being the next victim of a BEC scam.

Have concerns? Contact your IT services team in NJ at Two River Technology Group for assistance.
