How to Recognize and Thwart Business Email Compromise Scams

NEWS ANALYSIS: The effectiveness of the recent round of business email compromise attacks depends on poor email security and poor invoicing practices.


The reports that Nigerian criminals have managed to bilk businesses out of billions of dollars through sophisticated business email compromise (BEC) schemes are alarming. 

More alarming still is that the attackers broke into the email accounts of accounts payable staff and changed the settings on those accounts, both to hide their activity and to receive copies of all of the victims' email. 

However, for the scheme to work the criminals needed two conditions to be in place before they could start collecting on their fraudulent invoices. The first is an insecure Office 365 deployment, meaning accounts protected by nothing more than a password. The second is an insecure invoicing process. Fix either of those and the problem is much smaller; fix both and this particular scheme stops working. 

The first step is making the email system more secure. Microsoft allows your business to set up multi-factor authentication (MFA) through its Admin Center. This uses Azure Multi-Factor Authentication, a basic version of which is included with Office 365 for Business subscriptions. 

You will have to be a global administrator on Office 365 before you can change the user settings, first to enable multi-factor authentication and then to enforce it. Once MFA is enforced, your staff must prove their identity with a second factor at sign-in, which usually means a verification code sent to or generated on their phones, so a stolen password alone no longer gets an attacker into a mailbox. One caveat: older mail protocols that use basic authentication (POP, IMAP, SMTP) do not prompt for the second factor, so block legacy authentication as well or MFA can be bypassed. 

MFA protects accounts from this point forward; it does nothing about accounts that were already compromised. Next, you'll have to verify that no mailbox has been set up to automatically forward email to an unauthorized party. Check both mailbox-level forwarding and inbox rules, since a rule that forwards, redirects or quietly deletes messages is exactly how the attackers hid their activity. If you find that this has been done, it's time to alert your security department and probably law enforcement, and to preserve the rule and the mailbox's audit log as evidence rather than simply deleting the rule. 

You'll also need to check your email accounts carefully for users that shouldn't be there, since the attackers may have created their own accounts on your Office 365 tenant, which could allow them to bypass most security measures. Look at administrator role assignments while you're doing this, since an extra global administrator is worse than an extra user. 

While you're at it, you should check your email user list to make sure departed employees have been removed. It's not unusual for a disgruntled former employee to misuse an ex-employer's email system. 
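The following PowerShell script is an added example and not part of the original article; it walks through the four checks above (enforce MFA, find mailbox forwarding, find suspicious inbox rules, find accounts that are not on the HR roster) against an Office 365 tenant. It assumes the MSOnline and ExchangeOnlineManagement modules are installed and that you sign in as a global administrator. The per-user MFA method it uses (Set-MsolUser with StrongAuthenticationRequirements) is the legacy Office 365 approach the article describes; Microsoft's current recommendation is Conditional Access. The roster file path C:\hr\active-employees.csv is an assumed input, a CSV with a UserPrincipalName column exported from HR.

```powershell
# Added example, not from the article. Requires the MSOnline and
# ExchangeOnlineManagement modules and a Global Administrator sign-in.
# The per-user MFA method below is the legacy Office 365 approach; Conditional
# Access is the current recommendation. 'C:\hr\active-employees.csv' is an assumed
# input: a CSV with a UserPrincipalName column exported from HR.

Connect-MsolService
Connect-ExchangeOnline

# 1. Enforce MFA for every licensed user who does not already have it enforced.
$mfaEnforced = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfaEnforced.RelyingParty = "*"
$mfaEnforced.State = "Enforced"

Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.State -ne "Enforced" } |
    ForEach-Object {
        Write-Host "Enforcing MFA for $($_.UserPrincipalName)"
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @($mfaEnforced)
    }

# 2. Mailbox-level forwarding, which an attacker with the password can set from
#    Outlook on the web and which survives a password reset.
Write-Host "`nMailboxes with forwarding configured:"
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Inbox rules that forward, redirect or silently delete mail: the pattern used
#    to copy the victim's mail out and hide the attacker's own messages.
Write-Host "`nInbox rules that forward, redirect or delete:"
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
} | Format-Table -AutoSize

# 4. Accounts that are not on the HR roster: either attacker-created or departed
#    staff. Newest first, since a freshly created account is the more suspicious.
Write-Host "`nAccounts not on the HR roster:"
$roster = (Import-Csv 'C:\hr\active-employees.csv').UserPrincipalName
Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -notin $roster } |
    Select-Object UserPrincipalName, DisplayName, WhenCreated, IsLicensed, BlockCredential |
    Sort-Object WhenCreated -Descending |
    Format-Table -AutoSize

# 5. Who holds the Global Administrator role. Anything unexpected here is urgent.
Write-Host "`nGlobal administrators:"
$adminRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Select-Object DisplayName, EmailAddress |
    Format-Table -AutoSize
```

The script only reports on forwarding, rules and accounts; it deliberately does not delete anything, because a forwarding rule found this way is evidence and the mailbox's audit log should be preserved before the rule is removed and the password reset.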

Once you’re sure that your Office 365, or whatever email application you’re using, is secure, you then need to move on to securing your invoice processing. The first thing you should consider is to stop accepting invoices by email. 

While the Nigerian criminals were using hacked email to find and target the accounts payable staff, this only made it easier for them to create credible emails and to send them in ways that were harder to detect. Without those factors it’s still possible to send a bogus invoice by email. If the invoice is done well enough, there’s still a good chance it’ll be paid. 

Instead, set up a secure invoice processing system that doesn’t use email. This means approving your vendors in advance, and then setting them up in an online invoicing system. Then, when the time comes to submit an invoice, they’ll have to log in using known credentials; use an already approved order number; and agree to be paid using an electronic payment method that’s already been set up. 

Normally those electronic payment methods are either an ACH (automated clearing house) or a wire transfer to their bank. This way, even if someone manages to find a way to get a phony invoice into the system, the money is going to someone with whom you have an established relationship. Note that some vendors would rather not be paid via wire transfer because banks often charge a fairly high fee for those. 

Unfortunately, sometimes you can’t refuse to accept invoices via email, or regular mail for that matter. This will open your accounts payable system to a greater chance of fraud, but you can still control it. 

First, require that each invoice include a vendor ID number that you issue. You can control how that number is created and issued, but it needs to be unique for each vendor and it needs to be trackable. That means that when you enter the invoice into your accounts payable system for payment, the vendor ID needs to match your records and so does the order number. Then you check to make sure the payment amount matches what the order says it should be. Only when all three match can you approve the invoice for payment. 

As I mentioned earlier, the payment must be made directly to the vendor's bank, which has already been set up in your accounts payable records. Of course in the U.S. you will have had to set it up in advance because your vendors would have had to provide an IRS Form W-9, which will include their Employer Identification Number or their Social Security Number. You can ask for official verification of those numbers. Any later request to change a vendor's bank details, whether it arrives by email or on the invoice itself, should be confirmed by calling the vendor at a phone number you already have on file, never at a number supplied in the request; a request to send payment to a new account is the single most common tell of a BEC invoice. 
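As an added example (not code from the article), the PowerShell function below implements the checks just described: vendor ID must be one you issued, order number must exist and belong to that vendor, amount must match the order, and payment goes only to the bank account already on file, so an invoice that asks for a different account is refused rather than updated. The vendor master, the purchase orders and the two sample invoices are constructed data; in practice the two tables would come from your accounts payable system.

```powershell
# Added example, not from the article. Vendor master and purchase orders below
# are constructed sample data standing in for the accounts payable system.

$vendors = @(
    [pscustomobject]@{ VendorId = 'V-10042'; Name = 'Acme Supply Co.';    BankAccountOnFile = 'ACH:021000021:123456789'; W9Verified = $true  }
    [pscustomobject]@{ VendorId = 'V-10077'; Name = 'Northwind Services'; BankAccountOnFile = 'ACH:011000015:987654321'; W9Verified = $false }
)

$purchaseOrders = @(
    [pscustomobject]@{ OrderNumber = 'PO-2019-0311'; VendorId = 'V-10042'; Amount = 12500.00; Status = 'Open' }
    [pscustomobject]@{ OrderNumber = 'PO-2019-0298'; VendorId = 'V-10042'; Amount = 4200.00;  Status = 'Paid' }
)

function Test-Invoice {
    # Returns Approved, the account the payment must go to (always the one on
    # file, never one from the invoice) and the list of reasons for rejection.
    param([Parameter(Mandatory)][pscustomobject]$Invoice)

    $reasons = @()

    # Check 1: the vendor ID is one we issued and the vendor's W-9 was verified.
    $vendor = $vendors | Where-Object VendorId -eq $Invoice.VendorId
    if (-not $vendor) {
        $reasons += "unknown vendor ID '$($Invoice.VendorId)'"
    } elseif (-not $vendor.W9Verified) {
        $reasons += "vendor $($vendor.VendorId) has no verified W-9 on file"
    }

    # Check 2 and 3: the order number is ours, open, for this vendor, and the
    # amount matches to the cent.
    $po = $purchaseOrders | Where-Object OrderNumber -eq $Invoice.OrderNumber
    if (-not $po) {
        $reasons += "unknown order number '$($Invoice.OrderNumber)'"
    } else {
        if ($po.VendorId -ne $Invoice.VendorId) { $reasons += "order $($po.OrderNumber) belongs to a different vendor" }
        if ($po.Status -ne 'Open')               { $reasons += "order $($po.OrderNumber) is already $($po.Status.ToLower())" }
        if ([math]::Abs($po.Amount - $Invoice.Amount) -gt 0.005) {
            $reasons += "amount $($Invoice.Amount) does not match order amount $($po.Amount)"
        }
    }

    # Bank details printed on an invoice are never used for payment. If they
    # differ from the account on file, that is the classic BEC "we changed banks"
    # signal: hold the invoice and call the vendor at the number already on file.
    if ($vendor -and $Invoice.BankAccount -and $Invoice.BankAccount -ne $vendor.BankAccountOnFile) {
        $reasons += "invoice requests payment to an account that is not the one on file; verify by phone before proceeding"
    }

    $payTo = $null
    if ($vendor) { $payTo = $vendor.BankAccountOnFile }

    [pscustomobject]@{
        Approved = ($reasons.Count -eq 0)
        PayTo    = $payTo
        Reasons  = $reasons
    }
}

# Legitimate invoice: matches on vendor, order and amount; paid to the account on file.
Test-Invoice ([pscustomobject]@{ VendorId = 'V-10042'; OrderNumber = 'PO-2019-0311'; Amount = 12500.00; BankAccount = $null })

# Fraudulent invoice: correct vendor ID and order number (lifted from a compromised
# mailbox), but an inflated amount and "new" bank details. Rejected on both counts.
Test-Invoice ([pscustomobject]@{ VendorId = 'V-10042'; OrderNumber = 'PO-2019-0311'; Amount = 12950.00; BankAccount = 'WIRE:999999999:5555555' })
```

The important design choice is that the function never returns the invoice's own bank details as the payment destination: the output's PayTo field is always the account on file, so even an invoice that passes every other check cannot redirect money.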

While none of these steps is foolproof, they do give you a chance to verify that you're paying for goods and services you actually contracted for rather than for a fraudulent invoice. While this may all seem complicated, you should realize that most of these steps only need to be done once and then verified occasionally. 

It’s also important to know that none of these steps is especially difficult and they’re not costly. But they do require that your staff stay alert when they’re paying invoices and that you don’t allow anyone to bypass the system.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...